Beginner

ISE v1.2 - Status-Server - 5405 RADIUS Request dropped

Just a note:

Some devices send regular RADIUS status messages;

The ISE drops these as 

Event: 5405 RADIUS Request dropped

Failure Reason: 11031 RADIUS packet type is not a valid Request

Root cause: RADIUS packet type is not a valid Request.

Wireshark shows:-

Code: Status-Server (12)
Attribute Value Pairs:
AVP: l=6  t=Service-Type(6): Shell-User(6)
AVP: l=18  t=Message-Authenticator(80): df48bb4b50f0a772bd7c891ef6548c68
AVP: l=6  t=NAS-IP-Address(4): 10.1.1.1

I believe that ISE should accept and respond to these messages: RFC 5997 (updates 2866).

A RADIUS server or proxy implementing this specification SHOULD respond to a Status-Server packet with an Access-Accept (authentication port) or Accounting-Response (accounting port).  An Access-Challenge response is NOT RECOMMENDED.  An Access-Reject response MAY be used.

 

2 REPLIES
Cisco Employee

Silly question but you do have the NAS added in ISE's database?

Beginner

Neno

Nothing to do with that,

The devices will use RADIUS to authenticate fine; database, credentials, etc. fine.

However, they send keepalives to validate that the RADIUS server is still there. ISE doesn't implement this and ISE logs get full of rejections. The end devices are unable to prioritise which ISE to use based on up/down. But still work.

 

This was just a note to everyone so they are aware of the issue.
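
The RFC 5997 handling the original post asks for, on the authentication port, as an added example (not part of the thread and not ISE code): it checks the mandatory Message-Authenticator on a Status-Server packet and builds the Access-Accept reply. The shared secret, the function names and the sample packet are constructed for illustration; the packet carries the same three AVPs as the capture in the first post.

```python
import hashlib, hmac, os, struct

STATUS_SERVER, ACCESS_ACCEPT, MSG_AUTH = 12, 2, 80

def find_message_authenticator(pkt):
    """Return the offset of the 16-byte Message-Authenticator value, or None."""
    i, found = 20, None
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            return None                      # malformed AVP length
        if pkt[i] == MSG_AUTH:
            if found is not None or pkt[i + 1] != 18:
                return None                  # duplicate attribute or wrong size
            found = i + 2
        i += pkt[i + 1]
    return found

def verify_status_server(pkt, secret):
    """True only for a well-formed Status-Server whose HMAC-MD5 checks out."""
    if len(pkt) < 20 or pkt[0] != STATUS_SERVER:
        return False
    if struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False                         # Length field must match the datagram
    off = find_message_authenticator(pkt)
    if off is None:                          # RFC 5997: the attribute is mandatory
        return False
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[off:off + 16])

def build_access_accept(request, secret):
    """Attribute-less Access-Accept; Response Authenticator per RFC 2865."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)
    auth = hashlib.md5(head + request[4:20] + secret).digest()
    return head + auth

def sample_status_server(secret, ident=7):
    """Constructed packet with the same three AVPs as the capture in the thread."""
    avps = (bytes([6, 6]) + struct.pack("!I", 6)      # Service-Type = 6
            + bytes([MSG_AUTH, 18]) + bytes(16)       # zeroed, filled in below
            + bytes([4, 6]) + bytes([10, 1, 1, 1]))   # NAS-IP-Address 10.1.1.1
    pkt = struct.pack("!BBH", STATUS_SERVER, ident, 20 + len(avps)) + os.urandom(16) + avps
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:28] + mac + pkt[44:]

if __name__ == "__main__":
    s = b"constructed-secret"                # constructed shared secret
    req = sample_status_server(s)
    print(verify_status_server(req, s), build_access_accept(req, s).hex())
```

A server that answers only packets passing `verify_status_server` gives clients the liveness signal described in the thread without replying to unauthenticated probes.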