Radius Testing - Cisco ISE - not all passing

Lagcat
Getting noticed

Hello

Firmware: 25.13

Cisco ISE: 2.3.0.298

Just testing the RADIUS authentication from the dashboard to our Cisco ISE RADIUS server.

Total APs: 9
APs passed: 4
APs failed: 5
APs unreachable: 0

These are on the same subnet, same site, same everything.

Each time I test I receive different results, and sometimes I receive an error.

RADIUS attributes used:
Airespace-ACL-Name: HS-Laptop

RADIUS attributes unused:
User-Name: *domain\user*
State: ReauthSession:0a2d000fKS4uutHjQp5FArmB2ZstcLZ63zRmIXdtubIA7tDgTB4

I managed to find a good site explaining this a long time ago, but I am unable to find it now, so I am looking for help with a solution or explanation.

Our old Cisco ISE box (decommissioned) used to always be 100%, but as I am not a Cisco ISE person I am unable to even work out the difference, and the Cisco forums are a mess, so I am hoping someone here can point me in the correct direction.

Working AP ISE output:

Authentication Details

Source Timestamp: 2019-09-05 09:42:20.332
Received Timestamp: 2019-09-05 09:42:20.333
Policy Server: servername
Event: 5200 Authentication succeeded
Username: domain\user
Endpoint Id: 00:00:00:00:00:02
Calling Station Id: 00-00-00-00-00-02
Authentication Identity Store: HS_AD
Authentication Method: MSCHAPV2
Authentication Protocol: PEAP (EAP-MSCHAPv2)
Network Device: Meraki_AP
Device Type: All Device Types#Meraki_AP
Location: All Locations
NAS IPv4 Address: 10.45.99.12
NAS Port Type: Wireless - IEEE 802.11
Authorization Profile: HS_Laptop_Permit_All
Response Time: 19 milliseconds

Failing AP ISE output:

Authentication Details

Source Timestamp: 2019-09-05 09:42:21.899
Received Timestamp: 2019-09-05 09:42:21.9
Policy Server: servername
Event: 5400 Authentication failed
Failure Reason: 12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
Resolution: Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
Root cause: Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.
Username: domain\user
Endpoint Id: 00:00:00:00:00:02
Calling Station Id: 00-00-00-00-00-02
Network Device: Meraki_AP
Device Type: All Device Types#Meraki_AP
Location: All Locations
NAS IPv4 Address: 10.45.99.13
NAS Port Type: Wireless - IEEE 802.11
Response Time: 4 milliseconds

Any help on this is greatly appreciated.

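The failure reason in the post above comes down to how a RADIUS server keeps track of a multi-round EAP exchange: the server hands the NAS a State attribute in each Access-Challenge, RFC 2865 requires the NAS to echo it unmodified in the next Access-Request, and the server uses it to find the in-progress session on that node. The model below is an added example written for this thread, not code from Cisco ISE, Meraki or any of the posters. It encodes attributes per RFC 2865 and then shows four outcomes for the same NAS traffic: a healthy conversation, a continuation that arrives after the session has been reaped ("this packet arrived too late"), a replayed State the node no longer holds, and a continuation delivered to a different node than the one that started it. The session table, the 5-second timeout, the three-round exchange and the NAS behaviour are assumptions made for illustration.

```python
"""Simplified model of a RADIUS policy server (PSN) tracking a multi-round EAP
conversation through the State attribute (RFC 2865 section 5.24), and of the
ways a continuation packet ends up referencing a session the node no longer
holds: the condition ISE reports as failure 12953 in the thread above.

Added example for this thread; not code from Cisco ISE, Meraki or any poster.
Attribute TLV encoding follows RFC 2865. The session table, the 5-second reap
timeout, the three-round PEAP exchange and the NAS behaviours are assumptions.
"""
import os

USER_NAME, NAS_IP_ADDRESS, STATE, EAP_MESSAGE = 1, 4, 24, 79  # RFC 2865/2869 types
SESSION_TIMEOUT = 5.0  # seconds; assumed reap interval for the model
SESSION_NOT_FOUND = "session not found on this PSN"  # the condition ISE logs as 12953
PEAP_ROUNDS = 3        # assumed number of Access-Request/Access-Challenge rounds
EAP_RESPONSE = b"\x02\x01\x00\x06\x19\x00"  # constructed EAP-Response/PEAP stub


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RFC 2865 TLVs: type(1) length(1) value."""
    out = bytearray()
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += bytes([attr_type, len(value) + 2]) + value
    return bytes(out)


def decode_attrs(buf):
    """Parse TLVs back into [(type, value)], rejecting truncated or malformed entries."""
    attrs, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr_type, length = buf[i], buf[i + 1]
        if length < 3 or i + length > len(buf):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, buf[i + 2:i + length]))
        i += length
    return attrs


def first(attrs, attr_type):
    """Return the first value of the given attribute type, or None if absent."""
    return next((v for t, v in attrs if t == attr_type), None)


class PolicyServer:
    """One PSN. Sessions exist only on the node that created them and are reaped on timeout."""

    def __init__(self):
        self.sessions = {}  # State value -> {"user", "nas", "round", "last"}

    def handle(self, now, packet):
        """Process one Access-Request; returns (reply code, State to echo, failure reason)."""
        attrs = decode_attrs(packet)
        state = first(attrs, STATE)
        if state is None:
            # No State: treat as the first round of a new EAP conversation.
            state = os.urandom(16)
            self.sessions[state] = {"user": first(attrs, USER_NAME),
                                    "nas": first(attrs, NAS_IP_ADDRESS),
                                    "round": 1, "last": now}
            return "Access-Challenge", state, None
        sess = self.sessions.get(state)
        if sess is None:
            # Mid-conversation packet for a session this node never had or already dropped.
            return "Access-Reject", None, SESSION_NOT_FOUND
        if now - sess["last"] > SESSION_TIMEOUT:
            del self.sessions[state]  # reaped by timeout: "this packet arrived too late"
            return "Access-Reject", None, SESSION_NOT_FOUND
        sess["round"] += 1
        sess["last"] = now
        if sess["round"] < PEAP_ROUNDS:
            return "Access-Challenge", state, None
        del self.sessions[state]
        return "Access-Accept", None, None


def nas_packet(nas_ip, state=None):
    """Build the attribute payload a NAS sends; State is echoed unmodified when present."""
    attrs = [(USER_NAME, b"domain\\user"), (NAS_IP_ADDRESS, nas_ip), (EAP_MESSAGE, EAP_RESPONSE)]
    if state is not None:
        attrs.append((STATE, state))
    return encode_attrs(attrs)


def run_conversation(server, nas_ip, start, delays):
    """Drive one NAS through the rounds; delays[i] is the gap before round i's packet."""
    state, now = None, start
    for delay in delays:
        now += delay
        code, state, reason = server.handle(now, nas_packet(nas_ip, state))
        if code != "Access-Challenge":
            return code, reason
    return "incomplete", None


def demo():
    """Four scenarios; returns {name: (reply code, failure reason)}."""
    results = {}
    psn = PolicyServer()
    ap_ok, ap_bad = b"\x0a\x2d\x63\x0c", b"\x0a\x2d\x63\x0d"  # 10.45.99.12 / .13 from the thread
    # 1. Healthy AP: each round echoes the State it was given, well inside the timeout.
    results["healthy"] = run_conversation(psn, ap_ok, 100.0, [0, 0.02, 0.02])
    # 2. Late continuation: the final round arrives after the session was reaped.
    results["late"] = run_conversation(psn, ap_bad, 200.0, [0, 0.02, 10.0])
    # 3. Stale State: the NAD replays a State this node no longer holds (constructed value).
    code, _, reason = psn.handle(300.0, nas_packet(ap_bad, b"ReauthSession:constructed-stale-value"))
    results["stale_state"] = (code, reason)
    # 4. Wrong node: the conversation starts on one PSN but round two reaches another,
    #    as can happen behind a load balancer without session persistence.
    psn_a, psn_b = PolicyServer(), PolicyServer()
    _, state, _ = psn_a.handle(400.0, nas_packet(ap_bad))
    code, _, reason = psn_b.handle(400.02, nas_packet(ap_bad, state))
    results["other_psn"] = (code, reason)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome}")
```

Only the first scenario reaches Access-Accept; the other three all produce the same "session not found" outcome on the server even though the causes differ, which is why the ISE root-cause text lists both a late packet and unexpected NAD behaviour. In the thread, both ISE records show the same Policy Server, so the wrong-node case only applies if a load balancer sits between the APs and ISE; the more useful check from the dashboard side is whether the failing AP's NAS IPv4 Address is consistently the same device or moves around between runs.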
7 Replies
NolanHerring
Kind of a big deal

I can't help here as I don't mess with ISE, but found the following links that might be of assistance (unless you've already read them, then never mind lol).

You'll want to make sure your ISE is updated/patched, etc.

Are you able to open up a TAC case for your issue?

Old, mentioning if you have a load-balancer in the mix

Old, but mentioning switch IOS version

Old, but might help?

Nolan Herring | nolanwifi.com
Raj66
Meraki Employee

Hi @Lagcat

Do you have RADIUS accounting enabled? If so, you might be running into an ISE bug.

Can you try disabling accounting and see if you still see the same issue?

P.S.: For security reasons, it would be a good idea to mask out sensitive information like re-auth session IDs and all 🙂

Cheers!

Raj

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
PhilipDAth
Kind of a big deal

Are all the APs listed as clients in ISE?

Lagcat
Getting noticed

Hi Philip

I am covering our entire network subnet with Meraki, so authentication is covered at this point; as you can see, the same subnet is taking authentication the same as the AP which is not.

Lagcat
Getting noticed

Hi Raj

Sorry, I was not sure what is passed in all these things.

Do you have any description of what the ISE bug could be, as I am sure we are running accounting?

Cheers

Raj66
Meraki Employee

Hi @Lagcat, I was looking into the auth error details and found this article in the Cisco forums which is related to the auth error you are seeing. You can see the bug ID in there.

https://community.cisco.com/t5/policy-and-access/ise-ad-authentication-stop-working-for-wireless/td-...

Cheers!

Raj

Eric101
New here

We came across the same issue and found bug https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq00652/?rfs=iqvred which was affecting our test results.