Question

Integration of Extreme switch to Cisco ISE

  • 21 December 2018
  • 0 replies
  • 532 views

Hi all, I hope you are doing well.
Please can you help me see whether the error is in the Extreme switch or in the ISE?

I'm getting the following error from ISE:

Event 5400 Authentication failed
Failure Reason 11014 RADIUS packet contains invalid attribute(s)


In the Extreme device, the lines that you put in are:

configure radius netlogin primary server 10.8.54.120 1812 client-ip 10.8.54.121 vr VR-Default
configure radius netlogin primary shared-secret encrypted "Didata2019"
enable radius netlogin
configure netlogin vlan cisco
configure netlogin dynamic-vlan enable
configure netlogin dynamic-vlan uplink-ports 48
enable ports 11-24 dot1x
configure netlogin ports 2 mode port-based-vlans
configure netlogin ports 2 no-restart
and SNMP is configured.

So, I have a few questions. Is it imperative to have SNMPv3, or can SNMPv2 work?
But the devices and users are not going to the check when I take a tcpdump.
Do you know which other attributes we have to put in the ISE device?
Do I need to put an extra config in the Extreme switch, or is it fine?


This is the tcpdump and the RADIUS challenge:

18:27:16.482677 IP (tos 0x0, ttl 64, id 0, offset 0, flags [df], proto UDP (17), length 134)
X.X.X.X.41884 > srv-ise-: RADIUS, length: 106
Access-Request (1), id: 0x5c, Authenticator: 4222cceb304c20525556ce28010d3cf6
User-Name Attribute (1), length: 8, Value: srojas
EAP-Message Attribute (79), length: 13, Value: ..
NAS-IP-Address Attribute (4), length: 6, Value: 10.8.54.121
Service-Type Attribute (6), length: 6, Value: Login
Calling-Station-Id Attribute (31), length: 19, Value: E8-6A-64-2E-6D-3A
NAS-Port-Id Attribute (87), length: 4, Value: 21
NAS-Port Attribute (5), length: 6, Value: 1021
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
Message-Authenticator Attribute (80), length: 18, Value: {....w..]...._.c
18:27:16.486793 IP (tos 0x0, ttl 64, id 11075, offset 0, flags [df], proto UDP (17), length 180)
srv-ise > X,X,X,X 1884: RADIUS, length: 152
Access-Challenge (11), id: 0x5c, Authenticator: 4a5051e21408fcb0f25eb794f08b3998
State Attribute (24), length: 106, Value: 64CPMSessionID=0a083678VsRdGYwkon5XnlXinUbVtE4xg2G5Jp9VYxWEH0/ql2U;34SessionID=srv-ise-poc/334695666/92;
EAP-Message Attribute (79), length: 8, Value: .d
Message-Authenticator Attribute (80), length: 18, Value: .M>F.
18:27:16.491115 IP (tos 0x0, ttl 64, id 0, offset 0, flags [df], proto UDP (17), length 355)
X.X.X.X.41884 > srv-ise: RADIUS, length: 327
Access-Request (1), id: 0x5d, Authenticator: 34a2b32737e5e7c059c32f31161a99b3
User-Name Attribute (1), length: 8, Value: srojas
EAP-Message Attribute (79), length: 168, Value: .d
NAS-IP-Address Attribute (4), length: 6, Value: 10.8.54.121
Service-Type Attribute (6), length: 6, Value: Login
Calling-Station-Id Attribute (31), length: 19, Value: E8-6A-64-2E-6D-3A
NAS-Port-Id Attribute (87), length: 4, Value: 21
NAS-Port Attribute (5), length: 6, Value: 1021
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
State Attribute (24), length: 66, Value: 64CPMSessionID=0a083678VsRdGYwkon5XnlXinUbVtE4xg2G5Jp9VYxWEH0/ql
Message-Authenticator Attribute (80), length: 18, Value: <.1.B.^.w....n..
18:27:16.494422 IP (tos 0x0, ttl 64, id 11077, offset 0, flags [df], proto UDP (17), length 66)
srv-ise > X.X.X.X.41884: RADIUS, length: 38
Access-Reject (3), id: 0x5d, Authenticator: a7b41552a449bf5985ff3ec0b104379e
Message-Authenticator Attribute (80), length: 18, Value: p.......3.@E^.$.
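
Added example, not part of the original post: RFC 2865 section 5.24 requires a State attribute received in an Access-Challenge to be sent back unmodified in the next Access-Request, so one thing worth checking in a capture like the one above is whether the switch echoed it intact. The sketch below parses `tcpdump -v` RADIUS text and compares the two; the function names are hypothetical, the sample input is an excerpt of the posted capture, and a finding is a lead to investigate, not a confirmed cause of failure reason 11014.

```python
import re

# Excerpt of the capture posted above (only the lines this check needs).
CAPTURE = """\
Access-Request (1), id: 0x5c, Authenticator: 4222cceb304c20525556ce28010d3cf6
Access-Challenge (11), id: 0x5c, Authenticator: 4a5051e21408fcb0f25eb794f08b3998
State Attribute (24), length: 106, Value: 64CPMSessionID=0a083678VsRdGYwkon5XnlXinUbVtE4xg2G5Jp9VYxWEH0/ql2U;34SessionID=srv-ise-poc/334695666/92;
Access-Request (1), id: 0x5d, Authenticator: 34a2b32737e5e7c059c32f31161a99b3
State Attribute (24), length: 66, Value: 64CPMSessionID=0a083678VsRdGYwkon5XnlXinUbVtE4xg2G5Jp9VYxWEH0/ql
Access-Reject (3), id: 0x5d, Authenticator: a7b41552a449bf5985ff3ec0b104379e
"""

PACKET = re.compile(r"^\s*(Access-\w+) \((\d+)\), id: (0x[0-9a-f]+)")
STATE = re.compile(r"^\s*State Attribute \(24\), length: (\d+), Value: (.*)$")

def parse_packets(text):
    """Return one dict per RADIUS packet: code name, id, and State (if any)."""
    packets = []
    for line in text.splitlines():
        pkt, st = PACKET.match(line), STATE.match(line)
        if pkt:
            packets.append({"code": pkt.group(1), "id": pkt.group(3), "state": None})
        elif st and packets:
            # tcpdump prints the attribute length including the 2-byte header.
            # The printed value masks non-printable bytes, so the length is
            # the authoritative part of the comparison.
            packets[-1]["state"] = (int(st.group(1)) - 2, st.group(2).rstrip())
    return packets

def check_state_echo(packets):
    """Compare each Access-Challenge State with the next Access-Request State."""
    findings, pending = [], None
    for p in packets:
        if p["code"] == "Access-Challenge":
            pending = p
        elif p["code"] == "Access-Request" and pending and pending["state"]:
            sent, echoed = pending["state"], p["state"]
            if echoed is None:
                findings.append((p["id"], "missing", sent[0], 0))
            elif echoed != sent:
                kind = "truncated" if sent[1].startswith(echoed[1]) else "modified"
                findings.append((p["id"], kind, sent[0], echoed[0]))
            pending = None
    return findings

if __name__ == "__main__":
    for pkt_id, kind, sent_len, echo_len in check_state_echo(parse_packets(CAPTURE)):
        print(f"request {pkt_id}: State {kind} ({sent_len} -> {echo_len} bytes)")
```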
