09-15-2021 09:36 AM - edited 09-28-2021 01:23 PM
Hi guys,
I'm moving over SDWAN routers from an ISE 2.3 server to an ISE 2.7 server. I'm following the walkthrough here and it seems straightforward.
The issue we're hitting is that ISE is returning a VSA ID of 9, which is the out-of-the-box Cisco VSA, instead of the VSA ID of 41916.
ISE version: 2.7.0.356 patch 4
Routers attempted: vEdge 100B, ISR 1100-4G
Logs from debug:
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Sending RADIUS request code 1
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Binding to 10.228.1.44
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Sending to RADIUS server 10.61.91.202
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Waiting for timeout 5
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Got RADIUS response code 2
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Access Accept returned from Radius with VSA
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Access Accept returned from Radius with VSA ID 9
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Access Accept returned from Radius with VSA ID other than Viptela 9
I do not see a valid VSA of 41916 and I do not see a way to get a valid VSA in a response from our new ISE deployment.
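Added example, not part of the original thread: one way to confirm from a packet capture which vendor ID the Access-Accept really carries, independent of the router debug log. It parses the RADIUS attributes (RFC 2865 layout) and lists every Vendor-Specific sub-attribute. The sample packets, the vendor type 1 and the attribute values are constructed for illustration; only the vendor IDs 9 and 41916 come from the post.

```python
import struct

VENDOR_SPECIFIC = 26        # RADIUS attribute type that carries a VSA (RFC 2865)
ACCESS_ACCEPT = 2           # "response code 2" in the router debug log
VIPTELA_VENDOR_ID = 41916   # vendor ID the router expects, per the post

def build_accept(vendor_id, vendor_type, value):
    """Build a constructed Access-Accept with one VSA and a zeroed authenticator."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    vsa = struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, vendor_id) + sub
    return struct.pack("!BBH16s", ACCESS_ACCEPT, 1, 20 + len(vsa), b"\0" * 16) + vsa

def list_vsas(packet):
    """Return (code, [(vendor_id, vendor_type, data), ...]) for a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the captured bytes")
    found, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        body = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(body) >= 4:
            vendor_id = struct.unpack("!I", body[:4])[0]
            sub = body[4:]
            # One VSA may pack several vendor sub-attributes back to back.
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                found.append((vendor_id, sub[0], sub[2:sub[1]]))
                sub = sub[sub[1]:]
        pos += alen
    return code, found

def check(packet):
    """Return (ok, vendor_ids): ok is True only for an Accept with a 41916 VSA."""
    code, vsas = list_vsas(packet)
    ids = sorted({v[0] for v in vsas})
    return code == ACCESS_ACCEPT and VIPTELA_VENDOR_ID in ids, ids

if __name__ == "__main__":
    # Constructed packets: the reply the router wants, and the one from the log.
    print(check(build_accept(41916, 1, b"netadmin")))
    print(check(build_accept(9, 1, b"shell:priv-lvl=15")))
```

Feed `check()` the UDP payload of the Access-Accept exported from a capture taken between the router and ISE.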
09-15-2021 07:13 PM
Can you confirm the proper policy with Viptela VSA is matching or not? If other policies are matching instead you will need to reorder or reconstruct policies to make sure it matches. If it is matching the correct policy but getting the error, please share the details of the ISE Live log for the event.
09-17-2021 08:17 AM
@howon I can confirm that the proper Authentication and Authorization policies are being hit in the live log. What part of the live log would be valuable in this case? The only place I was able to find the VSA being used was on the router AAA debug logs. Happy to provide, just want to make sure I get the right data.
09-21-2021 08:38 PM
As you are using ISE 2.7 Patch 4, you might have hit CSCvy74456. Try applying 2.7 Patch 5.
09-28-2021 01:23 PM
Thanks for noticing that patch, @hslai. That patch indeed fixed my issue!