08-15-2014 03:27 AM - edited 03-10-2019 09:56 PM
Just a note:
Some devices send regular RADIUS status messages.
The ISE drops these as:
Event: 5405 RADIUS Request dropped
Failure Reason: 11031 RADIUS packet type is not a valid Request
Root cause: RADIUS packet type is not a valid Request.
Wireshark shows:
Code: Status-Server (12)
Attribute Value Pairs:
AVP: l=6 t=Service-Type(6): Shell-User(6)
AVP: l=18 t=Message-Authenticator(80): df48bb4b50f0a772bd7c891ef6548c68
AVP: l=6 t=NAS-IP-Address(4): 10.1.1.1
I believe that ISE should accept and respond to these messages, per RFC 5997 (updates RFC 2866):
A RADIUS server or proxy implementing this specification SHOULD respond to a Status-Server packet with an Access-Accept (authentication port) or Accounting-Response (accounting port). An Access-Challenge response is NOT RECOMMENDED. An Access-Reject response MAY be used.
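The server-side handling that the RFC 5997 text quoted above describes, as an added example that is not part of the original post and is not ISE code: it validates the Message-Authenticator on a Status-Server packet and answers with an Access-Accept. The shared secret, the function names and the sample packet are constructed for illustration; the attribute values mirror the capture above.

```python
import hashlib, hmac, os, struct

STATUS_SERVER, ACCESS_ACCEPT, MSG_AUTH = 12, 2, 80
SECRET = b"constructed-shared-secret"  # assumption: constructed for this example

def build_status_server(secret, ident, avps):
    """Client side: Status-Server packet carrying a valid Message-Authenticator."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    attrs += bytes([MSG_AUTH, 18]) + bytes(16)  # value is all zeros while the HMAC is computed
    hdr = struct.pack("!BBH", STATUS_SERVER, ident, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, hdr + attrs, hashlib.md5).digest()
    return hdr + attrs[:-16] + mac

def handle_status_server(secret, pkt):
    """Server side: return Access-Accept bytes, or None to silently discard."""
    if len(pkt) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != STATUS_SERVER or length < 20 or length > len(pkt):
        return None
    pkt, req_auth, pos, mac_at = pkt[:length], pkt[4:20], 20, None
    while pos < length:
        if length - pos < 2 or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            return None  # malformed attribute
        if pkt[pos] == MSG_AUTH and pkt[pos + 1] == 18:
            mac_at = pos + 2
        pos += pkt[pos + 1]
    if mac_at is None:
        return None  # Status-Server without Message-Authenticator is discarded
    zeroed = pkt[:mac_at] + bytes(16) + pkt[mac_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, pkt[mac_at:mac_at + 16]):
        return None  # wrong shared secret or tampered packet
    hdr = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hdr + hashlib.md5(hdr + req_auth + secret).digest()

# Constructed sample: Service-Type value 6 and NAS-IP-Address 10.1.1.1, as in the capture
SAMPLE = build_status_server(SECRET, 7, [(6, struct.pack("!I", 6)), (4, bytes([10, 1, 1, 1]))])

if __name__ == "__main__":
    print(handle_status_server(SECRET, SAMPLE).hex())
```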
08-15-2014 03:38 PM
Silly question but you do have the NAS added in ISE's database?
08-18-2014 01:57 AM
Neno
Nothing to do with that,
The devices will use RADIUS to authenticate fine; database, credentials, etc. fine.
However they send keepalives to validate the RADIUS server is still there. ISE doesn't implement this and ISE logs get full of rejections. The end devices are unable to prioritise which ISE to use based on up/down. But still work.
This was just a note to everyone so they are aware of the issue.