ISE integration NAD device extreme switch

CSCO12550173
Level 1

Hi all, I'm getting the following error from ISE:

 

Event 5400 Authentication failed
Failure Reason 11014 RADIUS packet contains invalid attribute(s)

 

 

In the Extreme device the lines that you put in are:

 

configure radius netlogin primary server 1.1.1.1 1812 client-ip 1.1.1.2 vr VR-Default

configure radius netlogin primary shared-secret encrypted "SuperSecretPassword"

enable radius netlogin
configure netlogin vlan cisco

configure netlogin dynamic-vlan enable

configure netlogin dynamic-vlan uplink-ports 48

enable ports 11-24 dot1x

configure netlogin ports 2 mode port-based-vlans
configure netlogin ports 2 no-restart

and SNMP is configured.

So, I have a few questions: is it imperative to have SNMPv3, or can it be SNMPv2 to work with?

But the devices and users are not going to the check, when I take a tcp dump.

Do you know which other attributes we have to put in the ISE device?

 

 

This is the tcp dump and the RADIUS challenge:

 

18:27:16.482677 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 134)
X.X.X.X.41884 > srv-ise-: RADIUS, length: 106
Access-Request (1), id: 0x5c, Authenticator: 4222cceb304c20525556ce28010d3cf6
User-Name Attribute (1), length: 8, Value: srojas
EAP-Message Attribute (79), length: 13, Value: ..
NAS-IP-Address Attribute (4), length: 6, Value: 10.8.54.121
Service-Type Attribute (6), length: 6, Value: Login
Calling-Station-Id Attribute (31), length: 19, Value: E8-6A-64-2E-6D-3A
NAS-Port-Id Attribute (87), length: 4, Value: 21
NAS-Port Attribute (5), length: 6, Value: 1021
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
Message-Authenticator Attribute (80), length: 18, Value: {....w..]...._.c
18:27:16.486793 IP (tos 0x0, ttl 64, id 11075, offset 0, flags [DF], proto UDP (17), length 180)
srv-ise > X,X,X,X 1884: RADIUS, length: 152
Access-Challenge (11), id: 0x5c, Authenticator: 4a5051e21408fcb0f25eb794f08b3998
State Attribute (24), length: 106, Value: 64CPMSessionID=0a083678VsRdGYwkon5XnlXinUbVtE4xg2G5Jp9VYxWEH0/ql2U;34SessionID=srv-ise-poc/334695666/92;
EAP-Message Attribute (79), length: 8, Value: .d
Message-Authenticator Attribute (80), length: 18, Value: .M>F.
18:27:16.491115 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 355)
X.X.X.X.41884 > srv-ise: RADIUS, length: 327
Access-Request (1), id: 0x5d, Authenticator: 34a2b32737e5e7c059c32f31161a99b3
User-Name Attribute (1), length: 8, Value: srojas
EAP-Message Attribute (79), length: 168, Value: .d
NAS-IP-Address Attribute (4), length: 6, Value: 10.8.54.121
Service-Type Attribute (6), length: 6, Value: Login
Calling-Station-Id Attribute (31), length: 19, Value: E8-6A-64-2E-6D-3A
NAS-Port-Id Attribute (87), length: 4, Value: 21
NAS-Port Attribute (5), length: 6, Value: 1021
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
State Attribute (24), length: 66, Value: 64CPMSessionID=0a083678VsRdGYwkon5XnlXinUbVtE4xg2G5Jp9VYxWEH0/ql
Message-Authenticator Attribute (80), length: 18, Value: <.1.B.^.w....n..
18:27:16.494422 IP (tos 0x0, ttl 64, id 11077, offset 0, flags [DF], proto UDP (17), length 66)
srv-ise > X.X.X.X.41884: RADIUS, length: 38
Access-Reject (3), id: 0x5d, Authenticator: a7b41552a449bf5985ff3ec0b104379e
Message-Authenticator Attribute (80), length: 18, Value: p.......3.@E^.$.

 

 

1 Accepted Solution

Accepted Solutions

Timothy Abbott
Cisco Employee

If you haven't done so yet, please see the below guide.  Specifically the section on how to configure 802.1X.

 

https://community.cisco.com/t5/security-documents/ise-2-4-posture-using-snmp-coa-with-extreme-switches/ta-p/3641460

 

Regards,

-Tim


6 Replies

Hi Timothy, I did what it says in the guide; I followed it and imported the XML NAD profile,
but with no success when the Extreme devices authenticate against the ISE server.
Any other form of troubleshooting for this?


hslai
Cisco Employee

ISE 2.4 Posture using SNMP COA with extreme switches is by ahmad_nahawi as it is. I do not think SNMPv3 is mandatory but a better choice.

The attribute User-Password appears missing and could be the reason for the failure.

Hi hslai, thanks for the quick response.
From the switch perspective, is the User-Password field missing?
Should it come with the various attributes in the RADIUS packet?

For a regular RADIUS access request, ISE expects it coming with both username and password. Empty or missing passwords could be one reason for the failure you are seeing.

Hi there, problem solved: we need to apply all the entries of the RADIUS library
to work correctly. Thanks a lot for your help and time. Best regards
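
A troubleshooting check based on the capture in the original post, added here as an example and not code from any poster, Cisco or Extreme: the Access-Challenge carries a State attribute of length 106, the Access-Request that follows carries one of length 66, and RFC 2865 requires State to be returned unmodified. The Python below parses a challenge/request pair, compares State, and verifies the request's Message-Authenticator against the shared secret; the function names, packets and secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

STATE, EAP_MESSAGE, MSG_AUTH = 24, 79, 80  # RADIUS attribute type numbers

def parse(packet):
    """Return (code, id, authenticator, [(type, value), ...]) for one packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs

def build(code, ident, auth, attrs):  # inverse of parse()
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def message_authenticator(code, ident, auth, attrs, secret):
    """HMAC-MD5 over the whole packet with the attribute 80 value zeroed."""
    zeroed = [(t, bytes(16) if t == MSG_AUTH else v) for t, v in attrs]
    return hmac.new(secret, build(code, ident, auth, zeroed), hashlib.md5).digest()

def check_followup(challenge, request, secret):
    """Findings for an Access-Request that answers an Access-Challenge."""
    findings = []
    sent = b"".join(v for t, v in parse(challenge)[3] if t == STATE)
    code, ident, auth, attrs = parse(request)
    echoed = b"".join(v for t, v in attrs if t == STATE)
    if sent != echoed:
        findings.append(f"State changed: sent {len(sent)}, echoed {len(echoed)} bytes")
    good = message_authenticator(code, ident, auth, attrs, secret)
    macs = [v for t, v in attrs if t == MSG_AUTH]
    if not macs or not all(hmac.compare_digest(m, good) for m in macs):
        findings.append("Message-Authenticator missing or does not verify")
    return findings

def constructed_pair(echo_len, secret, state=bytes(range(104))):
    """Constructed sample: 104-byte State in the challenge, echo_len bytes echoed."""
    challenge = build(11, 0x5C, bytes(16), [(STATE, state), (EAP_MESSAGE, b"\x01")])
    attrs = [(EAP_MESSAGE, b"\x02"), (STATE, state[:echo_len]), (MSG_AUTH, bytes(16))]
    attrs[2] = (MSG_AUTH, message_authenticator(1, 0x5D, bytes(16), attrs, secret))
    return challenge, build(1, 0x5D, bytes(16), attrs)
```

Calling `check_followup(*constructed_pair(64, secret), secret)` reproduces the 106-versus-66 attribute lengths seen in the capture and reports the State mismatch; to use it on real traffic, feed it the UDP payloads of the two packets and the NAD's shared secret.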