
ISE 2.7 and SDWAN incorrect VSA ID returned

Minnesotakid
Level 1

Hi guys,

I'm moving SDWAN routers over from an ISE 2.3 server to an ISE 2.7 server. I'm following the walkthrough here and it seems straightforward.

 

The issue we're hitting is that ISE is returning a VSA ID of 9, which is the out-of-the-box Cisco VSA, instead of the VSA ID of 41916.

 

ISE version: 2.7.0.356 patch 4

Routers attempted: vedge 100B, ISR 1100-4G

 

Logs from debug:
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Sending RADIUS request code 1
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Binding to 10.228.1.44
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Sending to RADIUS server 10.61.91.202
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Waiting for timeout 5
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Got RADIUS response code 2
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Access Accept returned from Radius with VSA
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Access Accept returned from Radius with VSA ID 9
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Access Accept returned from Radius with VSA ID other than Viptela 9

 

I do not see a valid VSA of 41916 and I do not see a way to get a valid VSA in a response from our new ISE deployment. 
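
To confirm on the wire which vendor ID an Access-Accept carries, the Vendor-Specific attributes (type 26, RFC 2865) can be decoded from a captured packet. The following is an added example, not part of the original post and not Cisco's code; the sample packets, vendor-type numbers and values are constructed for illustration.

```python
import struct

VIPTELA_VENDOR_ID = 41916  # vendor ID the post expects from ISE
CISCO_VENDOR_ID = 9        # vendor ID reported in the router's debug log

def parse_vsas(packet: bytes):
    """Return (code, [(vendor_id, vendor_type, value), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match packet")
    vsas, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        body = packet[pos + 2:pos + alen]
        if atype == 26 and len(body) >= 4:  # Vendor-Specific (RFC 2865, section 5.26)
            vendor_id = struct.unpack("!I", body[:4])[0]
            sub, i = body[4:], 0
            while i + 2 <= len(sub):  # vendor-type, vendor-length, value
                vtype, vlen = sub[i], sub[i + 1]
                if vlen < 2 or i + vlen > len(sub):
                    raise ValueError("malformed vendor sub-attribute")
                vsas.append((vendor_id, vtype, sub[i + 2:i + vlen]))
                i += vlen
        pos += alen
    return code, vsas

def vendor_ids(packet: bytes):
    """Sorted vendor IDs carried in the packet's Vendor-Specific attributes."""
    return sorted({vid for vid, _t, _v in parse_vsas(packet)[1]})

def build_packet(code, vsa_list):
    """Build a constructed test packet (zeroed authenticator, not a real capture)."""
    attrs = b""
    for vendor_id, vtype, value in vsa_list:
        sub = bytes([vtype, len(value) + 2]) + value
        attrs += bytes([26, len(sub) + 6]) + struct.pack("!I", vendor_id) + sub
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed samples: attribute numbers and values are illustrative only.
CISCO_ONLY = build_packet(2, [(CISCO_VENDOR_ID, 1, b"shell:priv-lvl=15")])
WITH_VIPTELA = build_packet(2, [(VIPTELA_VENDOR_ID, 1, b"netadmin")])

if __name__ == "__main__":
    for name, pkt in (("CISCO_ONLY", CISCO_ONLY), ("WITH_VIPTELA", WITH_VIPTELA)):
        print(name, vendor_ids(pkt), VIPTELA_VENDOR_ID in vendor_ids(pkt))
```

Feeding `parse_vsas` the raw UDP payload of the Access-Accept from a capture taken on the router or the ISE node shows whether any attribute with vendor ID 41916 is present in the reply at all.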

 

 

 

Accepted Solutions

hslai
Cisco Employee