01-09-2014 04:18 AM - edited 03-10-2019 09:15 PM
Can anyone help with a suggestion?
We faced an issue with AD authentication for wireless, which stopped authenticating users, and after verifying the reports the details below are seen. Anyway, after restarting the ISE, the AD authentication started working for wireless ...
But we need to understand the error below. Can any fix be done to prevent it from reoccurring?
Failure Reason: 12953 Received EAP packet from middle of conversation that contains a session on this PSN that does not exist
Resolution: Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem
Root cause: Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may have already been reaped by timeout. This packet arrived too late
ISE version is 1.2
Wireless client OS is Win7 64-bit
AD 2012
06-16-2014 11:55 AM
Hi, Sachin,
Did you solve this problem? I'm getting the same message from ISE when Cisco Wireless IP phones try to authenticate against the wireless controller.
06-18-2014 11:47 PM
Sachin,
The problem seems that ISE does not have the session for the endpoint that is trying to authenticate.
There could be several reasons here. If it is a wireless client, the endpoint may be roaming between different WLCs, creating different sessions each time, and the PSN in question may not have that session.
This could also be a load balancer, if you have one, that might be spraying RADIUS sessions to different PSNs without the correct config.
You will need to track a particular session and see why you're seeing that behavior. Enable debug for prrt-jni and runtime-AAA, wait until you find one session where you're seeing this issue, download the prrt.logs and track the session.
I strongly suspect Wireless roaming issues here or Accounting issues on the NAD.
Regards,
Gurudatt
05-08-2015 07:16 AM
You might hit the bug id CSCur94336.
My workaround was not to use "aaa accounting dot1x default start-stop group radius".
When the Windows computer switches between computer and user authentication, the Cisco switch sends an accounting stop for the previous sessions (computer or user), thus Cisco ISE understands it wrongly and cancels the session.
Try to do "no aaa accounting dot1x default start-stop group radius" and this could solve the issue.
05-14-2015 04:46 PM
Hello credocom!!
Thank you. Your solution works for me, thus sparing me from upgrading the IOS on the switches (actually 65).
Thanks,