cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
5643
Views
0
Helpful
4
Replies

After ISE 1.2 upgrade I get "5413 RADIUS Accounting-Request dropped."

RSundstrom
Level 1
Level 1

Hello,

I have a two admin node setup for ISE. I just upgraded one of my two ISE Admin nodes to Version 1.2. I still have one of my admin  nodes at 1.1.4. When I disable my Version 1.1.4 node and allow wireless authentications to be handled by the Version 1.2 node I get the message..."5413 RADIUS Accounting-Request dropped". None of my wireless edge devices will be allowed on the network during this time. When I re-enable my 1.1.4 node my wireless devices are then allowed on the network.

I am currently using ISE to authenticate wireless connectivity.

I also get the failure reason... "11038 RADIUS Accounting-Request header contains invalid Authentication field".

Any ideas?

Bob

1 Accepted Solution

Accepted Solutions

cgambrel
Cisco Employee
Cisco Employee

The 5413 RADIUS Accounting-Request dropped may be because the session was active on ISE1 and is now sending update messages to ISE2. Also, verify your shared secret radius key matches on both the wlc and ISE servers. I would try clearing the WLC connection for the test user when switching.  Just turning off wireless and back on doesn't do it.  Also, are you using PEAP-MSChapv2 or EAP-TLS for authenticating the clients.  What type of certificate is presented, public or private?

View solution in original post

4 Replies 4

cgambrel
Cisco Employee
Cisco Employee

The 5413 RADIUS Accounting-Request dropped may be because the session was active on ISE1 and is now sending update messages to ISE2. Also, verify your shared secret radius key matches on both the wlc and ISE servers. I would try clearing the WLC connection for the test user when switching.  Just turning off wireless and back on doesn't do it.  Also, are you using PEAP-MSChapv2 or EAP-TLS for authenticating the clients.  What type of certificate is presented, public or private?

I have checked and my shared secret radius key matches on my ISE node Ver 1.2 and the WLC.

I am using private certificates. We are authenticating using PEAP MS-CHAP V2.

Should I try a config restore from the CLI? This would be a config restore from version 1.1.4 to version 1.2. Will this work?

The cure for this issue was to delete the RADIUS shared-secret and re-enter it in ISE. The shared secret was correct to begin with but it required removal and re-insertion to function properly.

Bruce,

Thank you for your assist!

Bob

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: