cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2674
Views
20
Helpful
4
Replies

ISE 2.7 and SDWAN incorrect VSA ID returned

Minnesotakid
Level 1
Level 1

Hi guys,

I'm moving over SDWAN routers from an ISE 2.3 server to an ISE 2.7 server. Following the walkthrough here and it seems straightforward. 

 

The issue we're hitting is ISE is returning a VSA ID of 9, which is the out of the box Cisco VSA instead of the VSA ID of 41916.

 

ISE version: 2.7.0.356 patch 4

Routers attempted: vedge 100B, ISR 1100-4G

 

logs from debug:
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Sending RADIUS request code 1
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Binding to 10.228.1.44
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Sending to RADIUS server 10.61.91.202
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Waiting for timeout 5
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Got RADIUS response code 2
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Access Accept returned from Radius with VSA
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Access Accept returned from Radius with VSA ID 9
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Access Accept returned from Radius with VSA ID other than Viptela 9

 

I do not see a valid VSA of 41916 and I do not see a way to get a valid VSA in a response from our new ISE deployment. 

 

 

 

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee
Cisco Employee

As you are using ISE 2.7 Patch 4, you might have hit CSCvy74456. Try applying 2.7 Patch 5.

View solution in original post

4 Replies 4

howon
Cisco Employee
Cisco Employee

Can you confirm the proper policy with Viptela VSA is matching or not? If other policies are matching instead you will need to reorder or reconstruct policies to make sure it matches. If it is matching the correct policy but getting the error, please share the details of the ISE Live log for the event.

Minnesotakid
Level 1
Level 1

@howon I can confirm that the proper Authentication and Authorization policies are being hit in the live log. What part of the live log would be valuable in this case? The only place I was able to find the VSA being used was on the router AAA debug logs. Happy to provide, just want to make sure I get the right data.

hslai
Cisco Employee
Cisco Employee

As you are using ISE 2.7 Patch 4, you might have hit CSCvy74456. Try applying 2.7 Patch 5.

Minnesotakid
Level 1
Level 1

Thanks for noticing that patch @hslai, that patch indeed fixed my issue!