We are authenticating clients for Aerohive APs on our ACS 5.1 servers. Currently our logs are getting filled with spam about invalid RADIUS attributes. I have opened a case with them to see what is sending the request. The message is "11014 RADIUS packet contains invalid attribute(s)". Is there any way to filter that message out of the log in the meantime? It is causing us to lose all of our logging information from the servers in about 30 minutes.
With those filter options, it would remove all information from the APs both good and bad.
The solution ended up being to configure the Aerohive AAA client to use RADIUS for authentication only. Apparently the other entries were accounting information, which isn't talking well between the systems right now. I still get all passed/failed authentication attempts, which is what I needed.
This issue may be caused by the presence of an Acct-Terminate-Cause attribute in the Accounting-On and Accounting-Off forms of the RADIUS accounting packets that Aerohive's access points send. The RFC specifies that this is invalid, mandating that the attribute only be present in the Stop form:
This attribute indicates how the session was terminated, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.
If so, that issue is resolved in HiveOS 6.6r1.
The Acct-Authentic attribute is also dubious as it is only semantically valid in the context of a session so shouldn't really be present in Accounting-On and Accounting-Off forms of RADIUS accounting packets that pertain to 'global' NAS state:
This attribute MAY be included in an Accounting-Request to indicate how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol. Users who are delivered service without being authenticated SHOULD NOT generate Accounting records.
This has been removed in HiveOS 6.6r1.
This issue may also have been caused by the Acct-Session-Id attribute being missing from the Accounting-On and Accounting-Off forms of the RADIUS accounting packets that Aerohive's access points were sending, which the RFC mandates be present.
If so, that issue was resolved starting with HiveOS 6.1r3 after I raised the non-compliance of the behaviour via a support case.
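The three attribute rules described in the answer above (Acct-Terminate-Cause only with Acct-Status-Type = Stop, Acct-Session-Id mandatory in every Accounting-Request, and Acct-Authentic out of place in Accounting-On/Off) can be checked against a raw packet before a NAS is pointed at a production RADIUS server. The following is an added example, not code from the thread, Aerohive, or Cisco ACS: it parses the RFC 2865/2866 packet and attribute (type, length, value) layout and reports violations. The sample packets are constructed inline with a zero Request Authenticator; they are not captures from a real access point. The check goes slightly beyond the On/Off case in the answer by flagging Acct-Terminate-Cause in any non-Stop record, since the quoted RFC text forbids it there too.

```python
import struct

# RADIUS packet codes and RFC 2866 attribute numbers
ACCT_REQUEST = 4
USER_NAME = 1
NAS_IDENTIFIER = 32
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_AUTHENTIC = 45
ACCT_TERMINATE_CAUSE = 49

# Acct-Status-Type values
STATUS_START, STATUS_STOP, STATUS_ON, STATUS_OFF = 1, 2, 7, 8


def u32(n):
    """Encode an integer attribute value as a 4-byte big-endian word."""
    return struct.pack("!I", n)


def build_packet(code, identifier, attrs):
    """Serialise a RADIUS packet: Code(1) Identifier(1) Length(2)
    Authenticator(16) followed by (Type, Length, Value) attributes.
    The Authenticator is 16 zero bytes here because these are constructed
    test packets; a real NAS fills it with the Request Authenticator."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + bytes(16) + body


def parse_attrs(packet):
    """Return (code, [(type, value), ...]); raise on a malformed packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, attrs


def check_accounting_request(packet):
    """Apply the RFC 2866 attribute rules discussed in the thread.
    Returns a list of human-readable problems (empty if compliant)."""
    code, attrs = parse_attrs(packet)
    if code != ACCT_REQUEST:
        return ["not an Accounting-Request (code %d)" % code]
    types = [t for t, _ in attrs]
    status = [v for t, v in attrs if t == ACCT_STATUS_TYPE]
    if len(status) != 1 or len(status[0]) != 4:
        return ["Acct-Status-Type must appear exactly once as a 4-byte integer"]
    status_type = struct.unpack("!I", status[0])[0]
    problems = []
    if ACCT_SESSION_ID not in types:
        problems.append("Acct-Session-Id missing; RFC 2866 requires it in every Accounting-Request")
    if ACCT_TERMINATE_CAUSE in types and status_type != STATUS_STOP:
        problems.append("Acct-Terminate-Cause present but Acct-Status-Type is %d, not Stop" % status_type)
    if ACCT_AUTHENTIC in types and status_type in (STATUS_ON, STATUS_OFF):
        problems.append("Acct-Authentic present in Accounting-On/Off, which carries no session context")
    return problems


# Constructed sample packets (hypothetical NAS identifier, not real captures)
NONCOMPLIANT_ON = build_packet(ACCT_REQUEST, 1, [
    (ACCT_STATUS_TYPE, u32(STATUS_ON)),
    (NAS_IDENTIFIER, b"ap-example"),
    (ACCT_TERMINATE_CAUSE, u32(1)),   # 1 = User Request
    (ACCT_AUTHENTIC, u32(1)),         # 1 = RADIUS
])
COMPLIANT_OFF = build_packet(ACCT_REQUEST, 2, [
    (ACCT_STATUS_TYPE, u32(STATUS_OFF)),
    (NAS_IDENTIFIER, b"ap-example"),
    (ACCT_SESSION_ID, b"0000000a"),
])
COMPLIANT_STOP = build_packet(ACCT_REQUEST, 3, [
    (ACCT_STATUS_TYPE, u32(STATUS_STOP)),
    (USER_NAME, b"alice"),
    (ACCT_SESSION_ID, b"0000000b"),
    (ACCT_TERMINATE_CAUSE, u32(1)),
])

if __name__ == "__main__":
    for name, pkt in [("Accounting-On", NONCOMPLIANT_ON),
                      ("Accounting-Off", COMPLIANT_OFF),
                      ("Stop", COMPLIANT_STOP)]:
        print(name, check_accounting_request(pkt) or ["ok"])
```

Run against the constructed Accounting-On packet it reports all three violations; the Accounting-Off and Stop packets pass. To apply it to a real AP, capture UDP/1813 traffic and feed each datagram payload to check_accounting_request; the Authenticator is deliberately not verified here, since the point is attribute placement rather than packet integrity.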