Cisco Support Community

New Member

ISE AD Authentication Stops Working for Wireless

Can anyone help with a suggestion?

We faced an issue with AD authentication for wireless, which stopped authenticating users, and after verifying the reports the details below were seen. Anyway, after restarting the ISE, AD authentication started working for wireless ...

But we need to understand the error below. Can any fix be done to prevent it from recurring?

Failure Reason: 12953 Received EAP Packet from middle of conversation that contains a session on this PSN that does not exist

Resolution: Verify Known NAD issues and published bugs. Verify NAD configuration. Turn delog on DEBUG level to troubleshoot the problem

Root cause: Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late

ISE version is 1.2

Wireless client OS is Win7 64-bit

AD 2012

4 REPLIES
New Member


Hi, Sachin,

 

Did you solve this problem? I'm getting the same message from ISE when Cisco Wireless IP phones try to authenticate against the wireless controller.

 

Cisco Employee


Sachin,

The problem seems that ISE does not have the session for the endpoint that is trying to authenticate.

There could be several reasons here. If it is a wireless client, the endpoint may be roaming between different WLCs, creating different sessions each time, and the PSN in question may not have that session.

This could also be a load balancer, if you have one, that might be spraying RADIUS sessions to different PSNs without the correct config.

You will need to track a particular session and see why you're seeing that behavior. Enable debug for prrt-jni and runtime-AAA, wait until you find one session where you're seeing this issue, download the prrt.logs and track the session.

I strongly suspect Wireless roaming issues here or Accounting issues on the NAD.

 

Regards,

Gurudatt

 


New Member


You might hit the bug id CSCur94336.

My workaround was not to use "aaa accounting dot1x default start-stop group radius".

When the Windows computer switches between computer and user authentication, the Cisco switch sends an accounting stop for the previous sessions (computer or user), thus Cisco ISE understands it wrongly and cancels the session.

Try to do "no aaa accounting dot1x default start-stop group radius" and this could solve the issue.
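Added example, not part of any post in this thread: a small Python triage script that separates the two causes suggested in the replies above for failure 12953, an accounting stop arriving just before the EAP packet versus packets of one conversation landing on different PSNs. The comma-separated event layout, the event labels and the sample rows are constructed assumptions, not ISE's log format; real data would have to be exported into this shape first.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (assumed layout): time, PSN, Calling-Station-Id, event
SAMPLE = """\
2015-01-10T09:00:00,psn1,AA-BB-CC-00-00-01,access-request
2015-01-10T09:00:01,psn1,AA-BB-CC-00-00-01,accounting-stop
2015-01-10T09:00:02,psn1,AA-BB-CC-00-00-01,failure-12953
2015-01-10T09:05:00,psn1,AA-BB-CC-00-00-02,access-request
2015-01-10T09:05:01,psn2,AA-BB-CC-00-00-02,failure-12953
2015-01-10T09:10:00,psn2,AA-BB-CC-00-00-03,access-request
2015-01-10T09:10:01,psn2,AA-BB-CC-00-00-03,access-accept
"""

def classify_12953(text, window=timedelta(seconds=5)):
    """Return {endpoint: [likely causes]} for endpoints with a 12953 failure."""
    by_endpoint = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # skip blank lines
        ts, psn, mac, event = row
        by_endpoint[mac].append((datetime.fromisoformat(ts), psn, event))

    findings = {}
    for mac, events in by_endpoint.items():
        events.sort()
        causes, failed = set(), False
        for i, (ts, psn, event) in enumerate(events):
            if event != "failure-12953":
                continue
            failed = True
            # Events for the same endpoint shortly before the failure
            recent = [e for e in events[:i] if ts - e[0] <= window]
            # The NAD sent an accounting stop, so the session was closed
            if any(e[2] == "accounting-stop" for e in recent):
                causes.add("accounting-stop-before-eap")
            # Earlier packets of the conversation went to another PSN
            if any(e[1] != psn for e in recent):
                causes.add("split-across-psns")
        if failed:
            findings[mac] = sorted(causes) or ["unexplained"]
    return findings

if __name__ == "__main__":
    for mac, causes in classify_12953(SAMPLE).items():
        print(mac, ", ".join(causes))
```
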

New Member


Hello credocom!!

Thank you. Your solution works for me, thus sparing me from upgrading the IOS on the switches (actually 65).

Thanks,
