Solved: Re: ISE and C9800 Redius new Shared Key

Najib Akbari · ‎09-09-2024

I migrated ISE from 2.7 to 3.3 and all configs are same. for wireless Radius client I changed shared key to a new one on WLC and ISE and clients fails to authenticate, if I change back to old key then it works! any advice ? maybe WLC somehow caches old shared key?

11036 The Message-Authenticator RADIUS attribute is invalid

Check whether the Shared Secrets on the AAA Client and ISE Server, match. Ensure that the AAA Client and the network device, have no hardware problems or problems with RADIUS compatibility. Also ensure that the network that connects the device to the ISE, has no hardware problems.

Najib Akbari · ‎09-13-2024

For the community:

I finally figured out the issue. we had the default ISE settings enabled for Radius with old shared key, the default settings says in case a network device tries to auth to ISE and not defained can be auth via this shared key and that is why it was working till the moment i changed WLC shared key on ISE and WLC. so i disabled default and defined ISE device for APs which i basically put the subnet on WLC device rather than just a single IP.

View solution in original post

Flavio Miranda · ‎09-09-2024

@Najib Akbari

Make sure you are not using some kind of invalid password. As per cisco docs, the explanation to the message you see is

"When should you expect validation failure?

Validation failure will occur when the shared secret is invalid. Then, the AAA server is not able to validate the request.

The ISE reports:

11036 The Message-Authenticator Radius Attribute is invalid.

This usually occurs at the later stage when the EAP message is attached. The first RADIUS packet of the 802.1x session does not include the EAP message; there is no Message-Authenticator field and it is not possible to verify the request, but at that stage, the client is able to validate the response with the use of the Authenticator field."

Najib Akbari · ‎09-09-2024

I am sure of that. I did again, I literally copy and paste a shared key to both ISE and WLC and still same error. then copy and paste old shared key on both and works!

Flavio Miranda · ‎09-10-2024

Probably you hit some bug. It just dont make sense.

0xv4x · ‎09-10-2024

Does the shared key contain certain special characters $!%^ etc?
I have found that IW9167 AP's will not accept keys with certain characters, including SNMP strings with say a $ in it.

Najib Akbari · ‎09-10-2024

I am using ! and # in the key. based on your advice I just changed it to a simpler alphabet and number only and still same issue. as a matter fact it only works with old shared key! this means somewhere somehow WLC still holding onto old one and i can't figure out how.

I have two ISE RAD server defined in WLC config -> AAA --> then defined server group --> then defined list and binded the server group then called the list in WLAN security AAA Authentication list

MHM Cisco World · ‎09-10-2024

dont depend on GUI
use CLI in WLC and check radius server password and CoA password if you use CWA

MHM

Najib Akbari · ‎09-10-2024

I just did the config via CLI and still same issue

MHM Cisco World · ‎09-11-2024

can you add new Device in ISE for WLC with new Password instead of change only password

MHM

Najib Akbari · ‎09-11-2024

I did and still same issue. worth to mention I have been on the webex with TAC for few hours today and here is the finding:

- I setup the wireless from scratch two years ago with this spec related to the topic:

* created RAD Auth with ISE so defined ISE and on ISE defined WLC as a network device so WLC can send RAD Auth to ISE and for establishment between ISE and WLC defined shared key and added RAD Auth list on WLAN which is EAP cert based

* mode is Flex Mode local switching and for new clients to be connected or re-connect in case of WLC failure I enabled RAD Auth on Flex profile and added same RAD Auth list to Local Auth Tab " Radius Server Group "

* so basically WLC and APs can communicate directly to ISE and in case WLC failure still wireless works.

* on policy profile disabled central authentication ( which according to TAC today it makes only AP to be Authenticater and deal with ISE hence AP needs to be defined in ISE device list!

being said that at the time I setup and tested this I only added WLC to ISE device list and "NOT APs" and it worked perfect till two days ago even thu based on TAC AP should be added to ISE device list and I agree logically.

So based on TAC and tested as a proof when enabled central auth or add AP as device list of ISE the issue of changing shared key goes away and works, which is fine but why without doing that before it was working so far ( without adding AP to ISE or enabling central Authentication on policy profile )?! thats a question that we are investigating with TAC and will continue with it tomorrow.

just wanted to share this

MHM Cisco World · ‎09-11-2024

The authc can be central (via WLC) or local (via AP)

So if it central you need add WLC as NAD to ISE

If it local the you need to add AP as NAD to ISE

And you need to not use any condition for NAD in authc and authz policy

That my opinion

MHM

Najib Akbari · ‎09-13-2024

For the community:

I finally figured out the issue. we had the default ISE settings enabled for Radius with old shared key, the default settings says in case a network device tries to auth to ISE and not defained can be auth via this shared key and that is why it was working till the moment i changed WLC shared key on ISE and WLC. so i disabled default and defined ISE device for APs which i basically put the subnet on WLC device rather than just a single IP.