Radius Testing - Cisco ISE - not all passing

jake.ryan1
Community Member

Hello

Firmware: 25.13

Cisco ISE: 2.3.0.298

Just testing the RADIUS authentication from the dashboard to our Cisco ISE RADIUS.

Total APs: 9
APs passed: 4
APs failed: 5
APs unreachable: 0

These are same subnet, same site, same everything.

Each time I test I receive different results, and sometimes I receive an error.

RADIUS attributes used:
Airespace-ACL-Name:HS-Laptop

RADIUS attributes unused:
User-Name: *domain\user*
State:ReauthSession:0a2d000fKS4uutHjQp5FArmB2ZstcLZ63zRmIXdtubIA7tDgTB4

I managed to find a good site explaining this a long time ago, but I am unable to find it now, so I am looking for help with a solution or explanation.

Our old Cisco ISE box (decommissioned) used to always be 100%, but as I am not a Cisco ISE person I am unable to even work out the difference.

And Cisco forums are a mess, so I am hoping someone here can point me in the correct direction.

Working AP ISE output:

Authentication Details

Source Timestamp: 2019-09-05 09:42:20.332
Received Timestamp: 2019-09-05 09:42:20.333
Policy Server: servername
Event: 5200 Authentication succeeded
Username: domain\user
Endpoint Id: 00:00:00:00:00:02
Calling Station Id: 00-00-00-00-00-02
Authentication Identity Store: HS_AD
Authentication Method: MSCHAPV2
Authentication Protocol: PEAP (EAP-MSCHAPv2)
Network Device: Meraki_AP
Device Type: All Device Types#Meraki_AP
Location: All Locations
NAS IPv4 Address: 10.45.99.12
NAS Port Type: Wireless - IEEE 802.11
Authorization Profile: HS_Laptop_Permit_All
Response Time: 19 milliseconds

Failing AP ISE output:

Authentication Details

Source Timestamp: 2019-09-05 09:42:21.899
Received Timestamp: 2019-09-05 09:42:21.9
Policy Server: servername
Event: 5400 Authentication failed
Failure Reason: 12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
Resolution: Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
Root cause: Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.
Username: domain\user
Endpoint Id: 00:00:00:00:00:02
Calling Station Id: 00-00-00-00-00-02
Network Device: Meraki_AP
Device Type: All Device Types#Meraki_AP
Location: All Locations
NAS IPv4 Address: 10.45.99.13
NAS Port Type: Wireless - IEEE 802.11
Response Time: 4 milliseconds

Any help on this is greatly appreciated.

7 Replies

Nolan H.
Level 11

I can't help here as I don't mess with ISE, but found the following links that might be of assistance (unless you've already read them then never mind lol).

You'll want to make sure your ISE is updated/patched etc.

Are you able to open up a TAC case for your issue?

Old, mentioning if you have load-balancer in the mix
Old, but mentioning switch IOS version
Old, but might help?

raj.yarlagadda@meraki.com
Cisco Employee

Hi @jake.ryan1

Do you have RADIUS accounting enabled? If so, you might be running into an ISE bug.

Can you try disabling accounting and see if you still see the same issue?

P.S: For security reasons, it will be a good idea to mask out sensitive information like Re-auth session IDs and all 🙂

Cheers!

Raj

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
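
Masking along the lines suggested in the reply above, as an added example that is not part of the original thread: a Python sketch that replaces session IDs, usernames, MAC addresses and IPv4 addresses in pasted ISE detail text with stable placeholders, so readers can still tell which lines refer to the same endpoint or AP. The `redact` helper, its rule list and the sample text are constructed for illustration and assume a `Label: value` layout.

```python
import re

# (label, regex): group 1 is the prefix to keep, group 2 the value to mask.
RULES = [
    ("SESSION", re.compile(r"(ReauthSession:)([A-Za-z0-9]+)")),
    ("USER", re.compile(r"(User-?Name:[ \t]*)(\S+)", re.I)),
    ("MAC", re.compile(r"()\b((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})\b")),
    # Also matches dotted version strings; over-masking is the safe failure.
    ("IP", re.compile(r"()\b((?:\d{1,3}\.){3}\d{1,3})\b")),
]

def redact(text):
    """Return text with sensitive values replaced by stable placeholders."""
    seen = {}  # (label, normalised value) -> placeholder

    def placeholder(label, value):
        norm = value.lower()
        if label == "MAC":
            # 00-11-.. and 00:11:.. are the same endpoint
            norm = norm.replace("-", ":")
        key = (label, norm)
        if key not in seen:
            n = sum(1 for k in seen if k[0] == label) + 1
            seen[key] = f"<{label}-{n}>"
        return seen[key]

    for label, rx in RULES:
        text = rx.sub(
            lambda m, l=label: m.group(1) + placeholder(l, m.group(2)), text
        )
    return text

# Constructed sample, not taken from any real deployment.
SAMPLE = r"""Event: 5200 Authentication succeeded
Username: EXAMPLE\alice
Endpoint Id: 02:00:00:AA:BB:01
Calling Station Id: 02-00-00-aa-bb-01
NAS IPv4 Address: 192.0.2.12
State:ReauthSession:c0ffee00ConstructedValue01
Event: 5400 Authentication failed
Username: EXAMPLE\alice
NAS IPv4 Address: 192.0.2.13
"""

if __name__ == "__main__":
    print(redact(SAMPLE))
```

Because placeholders are numbered per distinct value, the two NAS addresses stay distinguishable as `<IP-1>` and `<IP-2>`, which preserves the working-versus-failing AP comparison without exposing the addresses.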

Are all the APs listed as clients in ISE?

Hi Philip

I am covering our entire network subnet with Meraki, so authentication is covered at this point; as you can see, the same subnet is taking authentication the same as the AP which is not.

Hi Raj

Sorry, I was not sure what is passed in all these things.

Do you have any description of what the ISE bug could be, as I am sure we are running accounting?

Cheers

Hi @jake.ryan1 I was looking into the Auth error details and found this article in Cisco forums which is related to the auth error you are seeing. You can see the bug id in there.

https://community.cisco.com/t5/policy-and-access/ise-ad-authentication-stop-working-for-wireless/td-p/2363848

Cheers!

Raj


Eric101
Level 3
We came across the same issue and found bug https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq00652/?rfs=iqvred which was affecting our test results.