ISE AD Authentication Stops Working for Wireless

sachin.sg
Level 1

Can anyone help with a suggestion?

We faced an issue with AD authentication for wireless, which stopped authenticating users, and after verifying the reports the details below were seen. Anyway, after restarting the ISE, AD authentication started working for wireless ...

But we need to understand the error below; can any fix be done to prevent it from recurring?

Failure Reason: 12953 Received EAP Packet from middle of conversation that contains a session on this PSN that does not exist

Resolution: Verify Known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem

Root cause: Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late

ISE version is 1.2

Wireless Client OS are Win7 64 bit

AD 2012


Juliano Luz
Level 1

Hi, Sachin,

Did you solve this problem? I'm getting the same message from ISE when Cisco Wireless IP phones try to authenticate against the wireless controller.

Gurudatt Pai
Cisco Employee

Sachin,

The problem seems that ISE does not have the session for the endpoint that is trying to authenticate.

There could be several reasons here. If it is a wireless client, the endpoint may be roaming between different WLCs, creating different sessions each time, and the PSN in question may not have that session.

This could also be a load balancer, if you have one, that might be spraying RADIUS sessions to different PSNs without the correct config.

You will need to track a particular session and see why you're seeing that behavior. Enable debug for prrt-jni and runtime-AAA, wait until you find one session where you're seeing this issue, download the prrt.logs and track the session.

I strongly suspect Wireless roaming issues here or Accounting issues on the NAD.

Regards,

Gurudatt

cisco
Level 1

You might hit the bug id CSCur94336.

My workaround was not to use "aaa accounting dot1x default start-stop group radius".

When the Windows computer switches between computer and user authentication, the Cisco switch sends an accounting stop for the previous sessions (computer or user), thus Cisco ISE understands it wrongly and cancels the session.

Try to do "no aaa accounting dot1x default start-stop group radius" and this could solve the issue.

Hello credocom!!

Thank you. Your solution works for me, thus saving me from upgrading the IOS on the switches (actually 65).

Thanks,
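
The replies above name several possible causes for failure 12953: a conversation split across PSNs, an accounting stop sent by the NAD, roaming between NADs, and a session reaped by timeout. The following is an added example, not part of the original thread and not Cisco tooling, that sorts 12953 failures into those buckets from a timeline of events per endpoint. The CSV layout, column names, event labels and the 30-second window are assumptions; the sample rows are constructed, so map the columns to whatever your own report export or log extraction provides.

```python
import csv
import io

# Constructed sample events (NOT ISE's real export format). Assumed columns:
# epoch seconds, PSN hostname, NAS IP, endpoint MAC, event type.
SAMPLE = """ts,psn,nas,mac,event
100,psn1,10.0.0.5,AA:BB:CC:00:00:01,access-request
103,psn2,10.0.0.5,AA:BB:CC:00:00:01,fail-12953
200,psn1,10.0.0.9,AA:BB:CC:00:00:02,access-request
204,psn1,10.0.0.9,AA:BB:CC:00:00:02,acct-stop
205,psn1,10.0.0.9,AA:BB:CC:00:00:02,fail-12953
300,psn1,10.0.0.5,AA:BB:CC:00:00:03,access-request
302,psn1,10.0.0.6,AA:BB:CC:00:00:03,fail-12953
400,psn1,10.0.0.5,AA:BB:CC:00:00:04,access-request
520,psn1,10.0.0.5,AA:BB:CC:00:00:04,fail-12953
"""

def classify_12953(csv_text, window=30):
    """Return [(mac, ts, hypothesis)] for every fail-12953 event."""
    history = {}    # mac -> earlier events seen for that endpoint
    findings = []
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: int(r["ts"]))
    for row in rows:
        ts, mac = int(row["ts"]), row["mac"].upper()
        # Only events for this endpoint inside the look-back window matter.
        recent = [e for e in history.get(mac, [])
                  if ts - int(e["ts"]) <= window]
        if row["event"] == "fail-12953":
            reqs = [e for e in recent if e["event"] == "access-request"]
            if any(e["psn"] != row["psn"] for e in reqs):
                cause = "psn-mismatch"        # check load balancer stickiness
            elif any(e["event"] == "acct-stop" for e in recent):
                cause = "acct-stop"           # check NAD accounting behaviour
            elif any(e["nas"] != row["nas"] for e in reqs):
                cause = "nad-change"          # roaming between controllers
            else:
                cause = "timeout-or-unknown"  # nothing recent: session reaped?
            findings.append((mac, ts, cause))
        history.setdefault(mac, []).append(row)
    return findings

if __name__ == "__main__":
    for mac, ts, cause in classify_12953(SAMPLE):
        print(f"{ts:>5}  {mac}  {cause}")
```

The buckets are triage hints only; confirm any single case by tracking that session in the debug logs as described in the reply above.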
