Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2506
Views
20
Helpful
4
Replies

ISE 2.7 and SDWAN incorrect VSA ID returned

Go to solution
Minnesotakid
Level 1
Level 1

‎09-15-2021 09:36 AM - edited ‎09-28-2021 01:23 PM

Hi guys,

I'm moving over SDWAN routers from an ISE 2.3 server to an ISE 2.7 server. Following the walkthrough here and it seems straightforward. 

 

The issue we're hitting is ISE is returning a VSA ID of 9, which is the out of the box Cisco VSA instead of the VSA ID of 41916.

 

ISE version: 2.7.0.356 patch 4

Routers attempted: vedge 100B, ISR 1100-4G

 

logs from debug:
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Sending RADIUS request code 1
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Binding to 10.228.1.44
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Sending to RADIUS server 10.61.91.202
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Waiting for timeout 5
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Got RADIUS response code 2
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Access Accept returned from Radius with VSA
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Access Accept returned from Radius with VSA ID 9
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Access Accept returned from Radius with VSA ID other than Viptela 9

 

I do not see a valid VSA of 41916 and I do not see a way to get a valid VSA in a response from our new ISE deployment. 

 

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎09-21-2021 08:38 PM

As you are using ISE 2.7 Patch 4, you might have hit CSCvy74456. Try applying 2.7 Patch 5.

View solution in original post

4 Replies 4

Go to solution
howon
Cisco Employee
Cisco Employee

‎09-15-2021 07:13 PM

Can you confirm the proper policy with Viptela VSA is matching or not? If other policies are matching instead you will need to reorder or reconstruct policies to make sure it matches. If it is matching the correct policy but getting the error, please share the details of the ISE Live log for the event.

Go to solution
Minnesotakid
Level 1
Level 1

‎09-17-2021 08:17 AM

@howon I can confirm that the proper Authentication and Authorization policies are being hit in the live log. What part of the live log would be valuable in this case? The only place I was able to find the VSA being used was on the router AAA debug logs. Happy to provide, just want to make sure I get the right data.

Go to solution
hslai
Cisco Employee
Cisco Employee

‎09-21-2021 08:38 PM

As you are using ISE 2.7 Patch 4, you might have hit CSCvy74456. Try applying 2.7 Patch 5.

Go to solution
Minnesotakid
Level 1
Level 1

‎09-28-2021 01:23 PM

Thanks for noticing that patch @hslai, that patch indeed fixed my issue! 

Customers Also Viewed These Support Documents