Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1756
Views
0
Helpful
6
Replies

ISE integration NAD device extreme switch

Go to solution
CSCO12550173
Level 1
Level 1

‎12-21-2018 04:04 AM

Hi all, im getting the following error from ise 

 

Event 5400 Authentication failed
Failure Reason 11014 RADIUS packet contains invalid attribute(s)

 

 

in the extreme device the lines that you put in are::

 

configure radius netlogin primary server 1.1.1.1 1812 client-ip 1.1.1.2 vr VR-Default

configure radius netlogin primary shared-secret encrypted "SuperSecretPassword"

enable radius netlogin
configure netlogin vlan cisco

configure netlogin dynamic-vlan enable

configure netlogin dynamic-vlan uplink-ports 48

enable ports 11-24 dot1x

configure netlogin ports 2 mode port-based-vlans
configure netlogin ports 2 no-restart

and snmp is configure

 

so, i have a few questions, it's imperative to have the snmpv3 or can be the snmpv2 to work with?

but the devices and users are not going to the check, when a take a tcp dump

do you know which more attribute do we have to put in the ISE device?

 

 

this is the tcp and the radius challenge

 

18:27:16.482677 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 134)
X.X.X.X.41884 > srv-ise-: RADIUS, length: 106
Access-Request (1), id: 0x5c, Authenticator: 4222cceb304c20525556ce28010d3cf6
User-Name Attribute (1), length: 8, Value: srojas
EAP-Message Attribute (79), length: 13, Value: ..
NAS-IP-Address Attribute (4), length: 6, Value: 10.8.54.121
Service-Type Attribute (6), length: 6, Value: Login
Calling-Station-Id Attribute (31), length: 19, Value: E8-6A-64-2E-6D-3A
NAS-Port-Id Attribute (87), length: 4, Value: 21
NAS-Port Attribute (5), length: 6, Value: 1021
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
Message-Authenticator Attribute (80), length: 18, Value: {....w..]...._.c
18:27:16.486793 IP (tos 0x0, ttl 64, id 11075, offset 0, flags [DF], proto UDP (17), length 180)
srv-ise > X,X,X,X 1884: RADIUS, length: 152
Access-Challenge (11), id: 0x5c, Authenticator: 4a5051e21408fcb0f25eb794f08b3998
State Attribute (24), length: 106, Value: 64CPMSessionID=0a083678VsRdGYwkon5XnlXinUbVtE4xg2G5Jp9VYxWEH0/ql2U;34SessionID=srv-ise-poc/334695666/92;
EAP-Message Attribute (79), length: 8, Value: .d
Message-Authenticator Attribute (80), length: 18, Value: .M>F.
18:27:16.491115 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 355)
X.X.X.X.41884 > srv-ise: RADIUS, length: 327
Access-Request (1), id: 0x5d, Authenticator: 34a2b32737e5e7c059c32f31161a99b3
User-Name Attribute (1), length: 8, Value: srojas
EAP-Message Attribute (79), length: 168, Value: .d
NAS-IP-Address Attribute (4), length: 6, Value: 10.8.54.121
Service-Type Attribute (6), length: 6, Value: Login
Calling-Station-Id Attribute (31), length: 19, Value: E8-6A-64-2E-6D-3A
NAS-Port-Id Attribute (87), length: 4, Value: 21
NAS-Port Attribute (5), length: 6, Value: 1021
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
State Attribute (24), length: 66, Value: 64CPMSessionID=0a083678VsRdGYwkon5XnlXinUbVtE4xg2G5Jp9VYxWEH0/ql
Message-Authenticator Attribute (80), length: 18, Value: <.1.B.^.w....n..
18:27:16.494422 IP (tos 0x0, ttl 64, id 11077, offset 0, flags [DF], proto UDP (17), length 66)
srv-ise > X.X.X.X.41884: RADIUS, length: 38
Access-Reject (3), id: 0x5d, Authenticator: a7b41552a449bf5985ff3ec0b104379e
Message-Authenticator Attribute (80), length: 18, Value: p.......3.@E^.$.

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎12-21-2018 07:40 AM

If you haven't done so yet, please see the below guide.  Specifically the section on how to configure 802.1X.

 

https://community.cisco.com/t5/security-documents/ise-2-4-posture-using-snmp-coa-with-extreme-switches/ta-p/3641460

 

Regards,

-Tim

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎12-21-2018 07:40 AM

If you haven't done so yet, please see the below guide.  Specifically the section on how to configure 802.1X.

 

https://community.cisco.com/t5/security-documents/ise-2-4-posture-using-snmp-coa-with-extreme-switches/ta-p/3641460

 

Regards,

-Tim

0 Helpful

Go to solution
CSCO12550173
Level 1
Level 1
In response to Timothy Abbott

‎12-21-2018 08:52 AM

Hi Timothy, i did what is says in the guide, i followed and import the xml nad profile
but with no succes when the extreme devices authenticate against the ise server
any other form of tshoot about this?


0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎12-21-2018 07:41 AM

ISE 2.4 Posture using SNMP COA with extreme switches is by ahmad_nahawi as it is. I do not think SNMPv3 is mandatory but a better choice.

The attribute User-Password appears missing and could be the reason for the failure.

0 Helpful

Go to solution
CSCO12550173
Level 1
Level 1
In response to hslai

‎12-21-2018 08:12 AM

Hi hslai, thanks for the quick response
from the switch perspective is missing the User-Password field missing?
it should come with the various attributes in the radius packet?

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to CSCO12550173

‎12-21-2018 07:16 PM

For a regular RADIUS access request, ISE expects it coming with both username and password. Empty or missing passwords could be one reason for the failure you are seeing.

0 Helpful

Go to solution
CSCO12550173
Level 1
Level 1
In response to hslai

‎01-28-2019 08:10 AM

hi there, problem solved, we need to apply all the entries of the radius library
to work correctly thanks a lot for your help and time, Best regards
0 Helpful
Customers Also Viewed These Support Documents