We face an issue with AD authentication for wireless, which stopped authenticating users, and after checking the reports the details below are seen. Anyway, after restarting the ISE, the AD authentication started working for wireless ...
But I need to understand the error below; can any fix be done to prevent it from re-occurring?
Failure Reason: 12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
Resolution: Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem
Root cause: Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may have already been reaped by timeout. This packet arrived too late
The problem seems that ISE does not have the session for the endpoint that is trying to authenticate.
There could be several reasons here. If it is a wireless client, the endpoint may be roaming between different WLCs, creating a different session each time, and the PSN in question may not have that session.
This could also be a load balancer, if you have one, that might be spraying RADIUS sessions to different PSNs without the correct config.
You will need to track a particular session and see why you're seeing that behavior. Enable debug for prrt-jni and runtime-AAA, wait until you find one session where you're seeing this issue, download the prrt.logs and track the session.
I strongly suspect Wireless roaming issues here or Accounting issues on the NAD.
My workaround was not to use "aaa accounting dot1x default start-stop group radius".
When the Windows computer switches between computer and user authentication, the Cisco switch sends an accounting stop for the previous session (computer or user), so Cisco ISE misinterprets it and cancels the session.
Try "no aaa accounting dot1x default start-stop group radius"; this could solve the issue.
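The two replies above describe three patterns to look for when tracking one session across the logs: the continuation of an EAP exchange landing on a PSN other than the one that started it (load balancer spraying), the NAS changing mid-session (wireless roaming), and an accounting stop arriving while the authentication is still in progress (the switch-side accounting behaviour). The script below is an added example, not from the thread or from Cisco ISE; it works over constructed, simplified one-line records (timestamp, PSN, NAS, MAC, session id, event), which is an assumed format and not the real prrt log layout, and flags each pattern per session.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records (assumed simplified format, not real ISE output):
# timestamp psn nas mac session event
SAMPLE_RECORDS = [
    "2024-05-01T10:00:00Z psn-01 wlc-a aa:bb:cc:00:00:01 S1 EAP-START",
    "2024-05-01T10:00:01Z psn-01 wlc-a aa:bb:cc:00:00:01 S1 EAP-CONTINUE",
    "2024-05-01T10:00:02Z psn-02 wlc-a aa:bb:cc:00:00:01 S1 EAP-CONTINUE",  # sprayed to other PSN
    "2024-05-01T10:00:03Z psn-01 sw-a  aa:bb:cc:00:00:02 S2 EAP-START",
    "2024-05-01T10:00:04Z psn-01 sw-a  aa:bb:cc:00:00:02 S2 ACCT-STOP",     # stop during auth
    "2024-05-01T10:00:05Z psn-01 sw-a  aa:bb:cc:00:00:02 S2 EAP-CONTINUE",
    "2024-05-01T10:00:06Z psn-01 wlc-b aa:bb:cc:00:00:03 S3 EAP-START",
    "2024-05-01T10:00:07Z psn-01 wlc-b aa:bb:cc:00:00:03 S3 EAP-CONTINUE",
    "2024-05-01T10:00:08Z psn-01 wlc-b aa:bb:cc:00:00:03 S3 EAP-SUCCESS",
    "2024-05-01T10:00:09Z psn-01 wlc-a aa:bb:cc:00:00:04 S4 EAP-START",
    "2024-05-01T10:00:10Z psn-01 wlc-b aa:bb:cc:00:00:04 S4 EAP-CONTINUE",  # client roamed to wlc-b
]


@dataclass
class Record:
    ts: str
    psn: str
    nas: str
    mac: str
    session: str
    event: str


LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_record(line: str) -> Optional[Record]:
    """Parse one constructed record line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return Record(*m.groups()) if m else None


def analyze(lines) -> Dict[str, List[str]]:
    """Return {session: sorted findings} for every session that shows a suspicious pattern.

    Findings:
      psn_mismatch             - an EAP message for the session reached a PSN other than the
                                 one that saw EAP-START (load balancer without persistence)
      nas_changed              - the NAS changed mid-session (wireless roaming between WLCs)
      accounting_stop_mid_auth - an ACCT-STOP preceded a later EAP message for the session
      no_start_seen            - EAP continuation for a session never started in this log
    """
    start_psn: Dict[str, str] = {}
    start_nas: Dict[str, str] = {}
    stopped = set()
    findings = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec.event == "EAP-START":
            start_psn[rec.session] = rec.psn
            start_nas[rec.session] = rec.nas
            stopped.discard(rec.session)
            continue
        if rec.event == "ACCT-STOP":
            stopped.add(rec.session)
            continue
        if rec.event.startswith("EAP-"):
            owner = start_psn.get(rec.session)
            if owner is None:
                findings[rec.session].add("no_start_seen")
            elif owner != rec.psn:
                findings[rec.session].add("psn_mismatch")
            if rec.session in stopped:
                findings[rec.session].add("accounting_stop_mid_auth")
            if start_nas.get(rec.session) not in (None, rec.nas):
                findings[rec.session].add("nas_changed")
    return {s: sorted(f) for s, f in findings.items()}


if __name__ == "__main__":
    for session, flags in analyze(SAMPLE_RECORDS).items():
        print(session, ", ".join(flags))
```

Each finding maps to one of the causes discussed in the thread, so once real records are exported in a comparable shape the same correlation tells you whether to look at the load balancer persistence, the WLC roaming setup, or the switch accounting configuration for the session that produced error 12953.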