
ISE 2.4 and error 12953

Ilnur.Garipov
Level 1

Hi,

I have ISE 2.4.0.357.

On ISE I configured dot1x authentication for domain PCs and MAB for printers and IP phones. But dot1x authentication doesn't work, and in the ISE logs I see the following error:

Failure Reason: 12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
Resolution: Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
Root cause: Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.

 

Has anybody faced a problem like this?

 

The output of the command sh run int fa0/23 is:
!
interface FastEthernet0/23
description 204/1
switchport access vlan 101
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 101
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
spanning-tree portfast
end

 

The output of the command sh run | in rad is:

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
ip radius source-interface Vlan2 vrf default
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication

 

The switch is WS-C2960-24TT-L and the IOS is 12.2(50)SE5.

2 Replies

hslai
Cisco Employee

It appears that you are missing the following, per RADIUS Server Configuration on the Switch

radius-server attribute 25 access-request include

All Releases of IOS Software shows 12.2.55-SE12 recommended for this switch and 15.0.2-SE11 the latest that can run on the switch. Please consider updating the IOS binary.

End-of-Sale and End-of-Life Announcement for the Cisco Catalyst 2960 Series Switches shows this switch series going to end of support later this. So, please plan to replace it.

 

 

No, I'm not missing this command; I have it in the RADIUS server configuration. I wrote all the attributes:

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
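
Added example (not part of the original thread and not Cisco tooling): a small Python check that parses `sh run | in rad` output like the one posted above and reports which of the three RADIUS attribute lines quoted in the thread are present, along with the host count and dead criteria. The sample text, the `EXPECTED` baseline and the function names are assumptions of this example.

```python
import re

# RADIUS attribute lines quoted in the thread. Treating this exact set as the
# expected baseline is an assumption of this example.
EXPECTED = {
    6: "radius-server attribute 6 on-for-login-auth",
    8: "radius-server attribute 8 include-in-access-req",
    25: "radius-server attribute 25 access-request include",
}

# Constructed sample: the posted `sh run | in rad` output, with the redacted
# host addresses and keys left as placeholders.
SAMPLE = """\
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa server radius dynamic-author
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 xxxx
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 xxxx
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 xxxx
radius-server vsa send accounting
radius-server vsa send authentication
"""


def normalize(line):
    """Collapse whitespace and lowercase so formatting differences do not matter."""
    return " ".join(line.split()).lower()


def audit_radius_config(text):
    """Report expected attribute lines present or missing, host count, dead criteria."""
    lines = [normalize(l) for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]
    # Exact-line match, so a negated "no radius-server ..." line does not count.
    present = sorted(n for n, cmd in EXPECTED.items() if normalize(cmd) in lines)
    missing = sorted(set(EXPECTED) - set(present))
    hosts = sum(1 for l in lines if re.match(r"radius-server host \S+", l))
    dead = None
    for l in lines:
        m = re.fullmatch(r"radius-server dead-criteria time (\d+) tries (\d+)", l)
        if m:
            dead = {"time": int(m.group(1)), "tries": int(m.group(2))}
    return {"present": present, "missing": missing, "hosts": hosts, "dead_criteria": dead}
```

Calling `audit_radius_config(SAMPLE)` reports all three attribute lines present; the match is on full command lines, so abbreviated IOS commands would need expanding first.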