You should start a packet

barryfowles · ‎04-23-2015

Hi

I'm hoping someone can shed some light on an issue that I'm seeing. I am implementing a two node ISE deployment with a pair of ISE PSNs. The ISE is being used as a Radius Proxy server into the Janet Eduroam service. Authentications for visitors to the site are being correctly proxied to their home establishments and successfully authenticated. However when local users go to a remote establishment their authentication requests are failing. I see the authentication requests arriving from the JANET RADIUS servers (roaming0, etc.) but they are being refused with the error message "failure reason 11051 radius packet contains invalid state attribute". Has anyone experienced this before or can tell me the best debugs to run on ISE to highlight the possible cause.

Many Thanks

Barry

Venkatesh Attuluri · ‎04-28-2015

.
"failure reason 11051 radius packet contains invalid state attribute " is caused If there is latency causing the authentications to fail

failure reason 11051 radius packet contains invalid state attribute - See more at: https://supportforums.cisco.com/discussion/12487521/ise-radius-proxy-client-issue#sthash.PUTXS5Gu.dpuf

barryfowles · ‎04-28-2015

Is there anything I can set on the ISE to allow for this latency?

jan.nielsen · ‎04-28-2015

You should start a packet capture on the PSN that you are using, and then fish out the radius packets, so we can see whats being sent from janet and your psn. Invalid state attribute, sounds like the janet server is sending something that ise is not expecting, i have had that with other radius proxies, that did not conform to the RFC that defines how to do radius proxy.

From the RFC :

"If any Proxy-State attributes were present in the Access-Request,
   they MUST be copied unmodified and in order into the response packet.
   Other Attributes can be placed before, after, or even between the
   Proxy-State attributes."

ISE Radius Proxy Client Issue