Hi guys,
I'm moving over SDWAN routers from an ISE 2.3 server to an ISE 2.7 server. Following the walkthrough here and it seems straightforward.
The issue we're hitting is ISE is returning a VSA ID of 9, which is the out of the box Cisco VSA instead of the VSA ID of 41916.
ISE version: 2.7.0.356 patch 4
Routers attempted: vedge 100B, ISR 1100-4G
logs from debug:
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Sending RADIUS request code 1
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Binding to 10.228.1.44
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Sending to RADIUS server 10.61.91.202
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Waiting for timeout 5
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Got RADIUS response code 2
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Access Accept returned from Radius with VSA
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Access Accept returned from Radius with VSA ID 9
Sep 15 10:12:04 TESTROUTER sshd[23937]: pam_radius_auth: Access Accept returned from Radius with VSA ID other than Viptela 9
I do not see a valid VSA of 41916 and I do not see a way to get a valid VSA in a response from our new ISE deployment.