
9800-80 running IOS 17.12.4 failed RADIUS when added a new PSN server

DATHOZ
Level 1

We encountered an issue yesterday during testing with IOS version 17.12.4 (recommended) after adding a new RADIUS server to our ISE deployment. The problem arises when the RADIUS shared secret on the WLC contains special characters, specifically "@" and "_".

When we added a new ISE Policy Service Node (PSN) or attempted to modify the password to include any special character, authentication failed consistently. The failure was observed for both initial authentication and accounting requests.

The ISE logs indicate the following errors:

Error 1 (ISE log):

  • Failure Reason: 11036 The Message-Authenticator attribute is invalid.
  • Possible Resolution (from ISE): Check whether the Shared Secrets, configured on the Network Access Device and the RADIUS Server, match. Ensure that the AAA client, and the corresponding Network Access Device, have no hardware problems or problems with RADIUS or TACACS+ protocol compatibility. Also ensure that the RADIUS client, or the Network Access Device to the ISE, has no hardware problems.
  • Root Cause (from ISE): The Message-Authenticator RADIUS attribute is invalid. This problem may be because of mismatched Shared Secrets.

Error 2 (ISE log):

  • Failure Reason: 11038 RADIUS Accounting-Request has invalid Message-Authenticator field
  • Possible Resolution (from ISE): Ensure that the RADIUS Shared Secret configured on the RADIUS client matches that configured for the corresponding Network Access Device on the ISE server. Also, ensure that the RADIUS client has no hardware problems or problems with RADIUS protocol compatibility.
  • Root Cause (from ISE): ISE cannot validate the Authenticator field received in the RADIUS Accounting-Request packet. The Message-Authenticator field should not be considered as an indication of an invalid Authenticator RADIUS attribute.

We suspect the issue lies in how the IOS version 17.12.4 handles special characters within the RADIUS shared secret, causing a mismatch in the Message-Authenticator attribute.

Do you know if this is a known bug with 17.12.4 or a related IOS version? If so, is there a fix or workaround available other than changing the password to avoid special characters?
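To make the two ISE failures in this post concrete, here is an added example (not from the thread or from Cisco) that implements the server-side checks behind 11036 (Message-Authenticator, RFC 2869) and 11038 (Accounting-Request Authenticator, RFC 2866), signs packets as the WLC with one secret and validates them as ISE with another. All secrets and attribute values are constructed; `reproduce` returns whether the Access-Request and Accounting-Request would pass.

```python
import hashlib
import hmac
import struct

MSG_AUTH_TYPE = 80  # Message-Authenticator attribute (RFC 2869 section 5.14)

def build_packet(code, ident, authenticator, attrs):
    """Assemble a RADIUS header plus type/length/value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def _find_msg_auth(packet):
    """Yield (offset, length) of each Message-Authenticator value in the packet."""
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if t == MSG_AUTH_TYPE:
            yield pos + 2, length - 2
        pos += max(length, 2)  # a length below 2 is malformed; never loop in place

def message_authenticator(packet, secret):
    """HMAC-MD5 keyed with the shared secret over the packet with the attribute value zeroed."""
    zeroed = bytearray(packet)
    for off, n in _find_msg_auth(packet):
        zeroed[off:off + n] = b"\x00" * n
    return hmac.new(secret, bytes(zeroed), hashlib.md5).digest()

def msg_auth_valid(packet, secret):
    """Server-side check whose failure ISE reports as 11036."""
    for off, n in _find_msg_auth(packet):
        return hmac.compare_digest(packet[off:off + n], message_authenticator(packet, secret))
    return False  # attribute absent

def acct_authenticator_valid(packet, secret):
    """RFC 2866 section 3 check whose failure ISE reports as 11038."""
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

def reproduce(nas_secret, server_secret):
    """Sign as the WLC with nas_secret, validate as ISE with server_secret.
    Returns (access_request_ok, accounting_request_ok)."""
    attrs = [(1, b"user1"), (4, bytes([10, 0, 0, 1]))]  # User-Name, NAS-IP-Address (constructed)
    req_auth = bytes(range(16))  # fixed stand-in for the random Request Authenticator
    unsigned = build_packet(1, 7, req_auth, attrs + [(MSG_AUTH_TYPE, b"\x00" * 16)])
    ma = message_authenticator(unsigned, nas_secret)
    access = build_packet(1, 7, req_auth, attrs + [(MSG_AUTH_TYPE, ma)])
    acct_attrs = attrs + [(40, struct.pack("!I", 1))]  # Acct-Status-Type = Start
    zeroed = build_packet(4, 8, b"\x00" * 16, acct_attrs)
    acct = build_packet(4, 8, hashlib.md5(zeroed + nas_secret).digest(), acct_attrs)
    return msg_auth_valid(access, server_secret), acct_authenticator_valid(acct, server_secret)
```

Because both computations are keyed by the raw secret bytes, any byte-level difference on the NAS side (a dropped or substituted character) makes both checks fail at once, which matches seeing 11036 and 11038 together.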

3 Replies

marce1000
Hall of Fame

  - It seems at least related to the handling of the shared secret indeed on 17.12.4:
    Ref: https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/118673-technote-radius-00.html
    > ...
    > 11038 RADIUS Accounting-Request header contains invalid Authenticator field
    > The typical reason for this is the incorrect shared secret key.
    > ...
    > (earlier in the document)
    > When to expect validation failure:
    > Validation failure occurs when the shared secret is invalid. Then, the AAA server is not able to validate the request.
    > The ISE reports:
    > 11036 The Message-Authenticator Radius Attribute is invalid.

  - You may need to escalate (contact TAC)

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

In ISE Allowed Protocols, enable message-authenticator.

MHM

Rich R
VIP

How are you entering the secret - on GUI or CLI?
If GUI have you tried CLI, if CLI have you tried GUI?
How long (how many characters) is the secret you are using? Have you tried using a shorter secret?
Generally speaking you should avoid using a special character as the first character in the secret.
What type of password/key encryption are you using? None/Type 7/AES
You could take the pre-encrypted version of the key from a working version of IOS and try that?
