12-21-2018 04:04 AM
Hi all, I'm getting the following error from ISE:
Event 5400 Authentication failed
Failure Reason 11014 RADIUS packet contains invalid attribute(s)
On the Extreme device, the lines that you put in are:
configure radius netlogin primary server 1.1.1.1 1812 client-ip 1.1.1.2 vr VR-Default
configure radius netlogin primary shared-secret encrypted "SuperSecretPassword"
enable radius netlogin
configure netlogin vlan cisco
configure netlogin dynamic-vlan enable
configure netlogin dynamic-vlan uplink-ports 48
enable ports 11-24 dot1x
configure netlogin ports 2 mode port-based-vlans
configure netlogin ports 2 no-restart
and SNMP is configured.
So, I have a few questions: is it imperative to have SNMPv3, or can SNMPv2 be used?
But the devices and users are not going to the check when I take a tcp dump.
Do you know which additional attributes we have to put in the ISE device?
This is the tcp dump and the RADIUS challenge:
18:27:16.482677 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 134)
X.X.X.X.41884 > srv-ise-: RADIUS, length: 106
Access-Request (1), id: 0x5c, Authenticator: 4222cceb304c20525556ce28010d3cf6
User-Name Attribute (1), length: 8, Value: srojas
EAP-Message Attribute (79), length: 13, Value: ..
NAS-IP-Address Attribute (4), length: 6, Value: 10.8.54.121
Service-Type Attribute (6), length: 6, Value: Login
Calling-Station-Id Attribute (31), length: 19, Value: E8-6A-64-2E-6D-3A
NAS-Port-Id Attribute (87), length: 4, Value: 21
NAS-Port Attribute (5), length: 6, Value: 1021
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
Message-Authenticator Attribute (80), length: 18, Value: {....w..]...._.c
18:27:16.486793 IP (tos 0x0, ttl 64, id 11075, offset 0, flags [DF], proto UDP (17), length 180)
srv-ise > X,X,X,X 1884: RADIUS, length: 152
Access-Challenge (11), id: 0x5c, Authenticator: 4a5051e21408fcb0f25eb794f08b3998
State Attribute (24), length: 106, Value: 64CPMSessionID=0a083678VsRdGYwkon5XnlXinUbVtE4xg2G5Jp9VYxWEH0/ql2U;34SessionID=srv-ise-poc/334695666/92;
EAP-Message Attribute (79), length: 8, Value: .d
Message-Authenticator Attribute (80), length: 18, Value: .M>F.
18:27:16.491115 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 355)
X.X.X.X.41884 > srv-ise: RADIUS, length: 327
Access-Request (1), id: 0x5d, Authenticator: 34a2b32737e5e7c059c32f31161a99b3
User-Name Attribute (1), length: 8, Value: srojas
EAP-Message Attribute (79), length: 168, Value: .d
NAS-IP-Address Attribute (4), length: 6, Value: 10.8.54.121
Service-Type Attribute (6), length: 6, Value: Login
Calling-Station-Id Attribute (31), length: 19, Value: E8-6A-64-2E-6D-3A
NAS-Port-Id Attribute (87), length: 4, Value: 21
NAS-Port Attribute (5), length: 6, Value: 1021
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
State Attribute (24), length: 66, Value: 64CPMSessionID=0a083678VsRdGYwkon5XnlXinUbVtE4xg2G5Jp9VYxWEH0/ql
Message-Authenticator Attribute (80), length: 18, Value: <.1.B.^.w....n..
18:27:16.494422 IP (tos 0x0, ttl 64, id 11077, offset 0, flags [DF], proto UDP (17), length 66)
srv-ise > X.X.X.X.41884: RADIUS, length: 38
Access-Reject (3), id: 0x5d, Authenticator: a7b41552a449bf5985ff3ec0b104379e
Message-Authenticator Attribute (80), length: 18, Value: p.......3.@E^.$.
12-21-2018 07:40 AM
If you haven't done so yet, please see the below guide. Specifically the section on how to configure 802.1X.
Regards,
-Tim
12-21-2018 08:52 AM
12-21-2018 07:41 AM
ISE 2.4 Posture using SNMP CoA with Extreme switches is by ahmad_nahawi as it is. I do not think SNMPv3 is mandatory, but it is a better choice.
The attribute User-Password appears missing and could be the reason for the failure.
12-21-2018 08:12 AM
12-21-2018 07:16 PM
For a regular RADIUS access request, ISE expects it coming with both username and password. Empty or missing passwords could be one reason for the failure you are seeing.
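One way to check what the replies above discuss: which credential-carrying attributes each Access-Request in a capture contains, whether it carries a Message-Authenticator, and how the server answered it. This is an added example, not code from the thread; `parse`, `summarize` and the sample capture are constructed for illustration, and the text layout is assumed to match the tcpdump output in the original post.

```python
import re

# Constructed sample in the tcpdump text layout shown in the post; all values are placeholders.
SAMPLE = """\
18:27:16.482677 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 134)
    192.0.2.10.41884 > 192.0.2.1.1812: RADIUS, length: 106
    Access-Request (1), id: 0x5c, Authenticator: 00112233445566778899aabbccddeeff
    User-Name Attribute (1), length: 8, Value: user01
    EAP-Message Attribute (79), length: 13, Value: ..
    Message-Authenticator Attribute (80), length: 18, Value: ....
18:27:16.486793 IP (tos 0x0, ttl 64, id 11075, offset 0, flags [DF], proto UDP (17), length 180)
    192.0.2.1.1812 > 192.0.2.10.41884: RADIUS, length: 152
    Access-Challenge (11), id: 0x5c, Authenticator: ffeeddccbbaa99887766554433221100
18:27:16.491115 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 355)
    192.0.2.10.41884 > 192.0.2.1.1812: RADIUS, length: 327
    Access-Request (1), id: 0x5d, Authenticator: 0123456789abcdef0123456789abcdef
    User-Name Attribute (1), length: 8, Value: user01
    EAP-Message Attribute (79), length: 168, Value: .d
18:27:16.494422 IP (tos 0x0, ttl 64, id 11077, offset 0, flags [DF], proto UDP (17), length 66)
    192.0.2.1.1812 > 192.0.2.10.41884: RADIUS, length: 38
    Access-Reject (3), id: 0x5d, Authenticator: 89abcdef0123456789abcdef01234567
"""

PACKET = re.compile(r"^\s*([\w-]+) \(\d+\), id: (0x[0-9a-f]+), Authenticator:")
ATTR = re.compile(r"^\s*([\w-]+) Attribute \(\d+\), length: \d+")
CREDENTIAL_ATTRS = ("User-Password", "CHAP-Password", "EAP-Message")

def parse(text):
    packets = []  # one dict per RADIUS packet: code name, identifier, attribute names
    for line in text.splitlines():
        if m := PACKET.match(line):
            packets.append({"code": m.group(1), "id": int(m.group(2), 16), "attrs": []})
        elif (m := ATTR.match(line)) and packets:
            packets[-1]["attrs"].append(m.group(1))
    return packets

def summarize(text):
    """Per Access-Request: credential attributes present and the server's reply code."""
    rows, pending = [], {}
    for p in parse(text):
        if p["code"] == "Access-Request":
            row = {"id": p["id"], "reply": None,
                   "credentials": [a for a in CREDENTIAL_ATTRS if a in p["attrs"]],
                   "message_authenticator": "Message-Authenticator" in p["attrs"]}
            rows.append(row)
            pending[p["id"]] = row  # identifiers are reused, so track only the open request
        elif p["id"] in pending:
            pending.pop(p["id"])["reply"] = p["code"]
    return rows
```

Calling `summarize()` on the text of a saved capture returns one row per Access-Request, which can be compared against the failure reason ISE logs for the same session.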
01-28-2019 08:10 AM