ExtremeSwitching (EXOS)

integration extreme switch to cisco ise

    Posted 12-20-2018 23:27
    Hi all, I hope you are doing well.
    Please can you help me see whether the error is in the Extreme switch or in the ISE?

    I'm getting the following error from ISE:

    Event 5400 Authentication failed
    Failure Reason 11014 RADIUS packet contains invalid attribute(s)


    In the Extreme device the lines that you put in are:

    configure radius netlogin primary server 10.8.54.120 1812 client-ip 10.8.54.121 vr VR-Default
    configure radius netlogin primary shared-secret encrypted "Didata2019"
    enable radius netlogin
    configure netlogin vlan cisco
    configure netlogin dynamic-vlan enable
    configure netlogin dynamic-vlan uplink-ports 48
    enable ports 11-24 dot1x
    configure netlogin ports 2 mode port-based-vlans
    configure netlogin ports 2 no-restart
    and SNMP is configured.

    So, I have a few questions: is it imperative to have SNMPv3, or can SNMPv2 work?
    But the devices and users are not going to the check when I take a tcp dump.
    Do you know which additional attributes we have to put in the ISE device?
    Do I need to put an extra config in the Extreme switch, or is it fine?


    This is the tcp and the RADIUS challenge:

    18:27:16.482677 IP (tos 0x0, ttl 64, id 0, offset 0, flags [df], proto UDP (17), length 134)
    X.X.X.X.41884 > srv-ise-: RADIUS, length: 106
    Access-Request (1), id: 0x5c, Authenticator: 4222cceb304c20525556ce28010d3cf6
    User-Name Attribute (1), length: 8, Value: srojas
    EAP-Message Attribute (79), length: 13, Value: ..
    NAS-IP-Address Attribute (4), length: 6, Value: 10.8.54.121
    Service-Type Attribute (6), length: 6, Value: Login
    Calling-Station-Id Attribute (31), length: 19, Value: E8-6A-64-2E-6D-3A
    NAS-Port-Id Attribute (87), length: 4, Value: 21
    NAS-Port Attribute (5), length: 6, Value: 1021
    NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
    Message-Authenticator Attribute (80), length: 18, Value: {....w..]...._.c
    18:27:16.486793 IP (tos 0x0, ttl 64, id 11075, offset 0, flags [df], proto UDP (17), length 180)
    srv-ise > X,X,X,X 1884: RADIUS, length: 152
    Access-Challenge (11), id: 0x5c, Authenticator: 4a5051e21408fcb0f25eb794f08b3998
    State Attribute (24), length: 106, Value: 64CPMSessionID=0a083678VsRdGYwkon5XnlXinUbVtE4xg2G5Jp9VYxWEH0/ql2U;34SessionID=srv-ise-poc/334695666/92;
    EAP-Message Attribute (79), length: 8, Value: .d
    Message-Authenticator Attribute (80), length: 18, Value: .M>F.
    18:27:16.491115 IP (tos 0x0, ttl 64, id 0, offset 0, flags [df], proto UDP (17), length 355)
    X.X.X.X.41884 > srv-ise: RADIUS, length: 327
    Access-Request (1), id: 0x5d, Authenticator: 34a2b32737e5e7c059c32f31161a99b3
    User-Name Attribute (1), length: 8, Value: srojas
    EAP-Message Attribute (79), length: 168, Value: .d
    NAS-IP-Address Attribute (4), length: 6, Value: 10.8.54.121
    Service-Type Attribute (6), length: 6, Value: Login
    Calling-Station-Id Attribute (31), length: 19, Value: E8-6A-64-2E-6D-3A
    NAS-Port-Id Attribute (87), length: 4, Value: 21
    NAS-Port Attribute (5), length: 6, Value: 1021
    NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
    State Attribute (24), length: 66, Value: 64CPMSessionID=0a083678VsRdGYwkon5XnlXinUbVtE4xg2G5Jp9VYxWEH0/ql
    Message-Authenticator Attribute (80), length: 18, Value: <.1.B.^.w....n..
    18:27:16.494422 IP (tos 0x0, ttl 64, id 11077, offset 0, flags [df], proto UDP (17), length 66)
    srv-ise > X.X.X.X.41884: RADIUS, length: 38
    Access-Reject (3), id: 0x5d, Authenticator: a7b41552a449bf5985ff3ec0b104379e
    Message-Authenticator Attribute (80), length: 18, Value: p.......3.@E^.$.
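
A check that can be run over a capture like the one in the post, as an added example that is not part of the original post: it parses tcpdump's verbose RADIUS text output and flags any Access-Request whose State attribute differs from the State in the preceding Access-Challenge, which RFC 2865 requires the client to return unmodified. In the capture above the challenge carries State with length 106 and the next request carries State with length 66. The function names are hypothetical; the sample lines are taken from the capture, with timestamps and other attributes trimmed.

```python
import re

# Lines taken from the capture in the post (timestamps and other attributes trimmed).
CAPTURE = """\
Access-Request (1), id: 0x5c, Authenticator: 4222cceb304c20525556ce28010d3cf6
User-Name Attribute (1), length: 8, Value: srojas
Access-Challenge (11), id: 0x5c, Authenticator: 4a5051e21408fcb0f25eb794f08b3998
State Attribute (24), length: 106, Value: 64CPMSessionID=0a083678VsRdGYwkon5XnlXinUbVtE4xg2G5Jp9VYxWEH0/ql2U;34SessionID=srv-ise-poc/334695666/92;
Access-Request (1), id: 0x5d, Authenticator: 34a2b32737e5e7c059c32f31161a99b3
User-Name Attribute (1), length: 8, Value: srojas
State Attribute (24), length: 66, Value: 64CPMSessionID=0a083678VsRdGYwkon5XnlXinUbVtE4xg2G5Jp9VYxWEH0/ql
Access-Reject (3), id: 0x5d, Authenticator: a7b41552a449bf5985ff3ec0b104379e
"""

PKT = re.compile(r"^\s*(Access-\w+) \((\d+)\), id: (0x[0-9a-f]+)")
ATTR = re.compile(r"^\s*([\w-]+) Attribute \((\d+)\), length: (\d+), Value: (.*)$")

def parse(text):
    """Return packets as {'type', 'id', 'attrs': {name: (length, value)}}."""
    packets = []
    for line in text.splitlines():
        m = PKT.match(line)
        if m:
            packets.append({"type": m.group(1), "id": int(m.group(3), 16), "attrs": {}})
            continue
        m = ATTR.match(line)
        if m and packets:  # attribute lines belong to the most recent packet header
            packets[-1]["attrs"][m.group(1)] = (int(m.group(3)), m.group(4))
    return packets

def check_state_echo(packets):
    """Flag Access-Requests that do not echo the challenge's State unmodified."""
    findings, pending = [], None
    for p in packets:
        state = p["attrs"].get("State")
        if p["type"] == "Access-Challenge":
            pending = state  # remember what the server expects back
        elif p["type"] == "Access-Request" and pending is not None:
            if state is None:
                findings.append((p["id"], "State missing"))
            elif state != pending:
                findings.append((p["id"], f"State length {state[0]} != challenge {pending[0]}"))
            pending = None
    return findings

if __name__ == "__main__":
    for pkt_id, msg in check_state_echo(parse(CAPTURE)):
        print(f"Access-Request id {pkt_id:#04x}: {msg}")
```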