Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
15466
Views
5
Helpful
6
Replies

ISE Radius accounting

Lance Wendel
Level 1
Level 1

‎04-30-2014 05:28 AM - edited ‎03-10-2019 09:40 PM

Hi all,

 

we are seen some error messages as below

 

11038 RADIUS Accounting-Request header contains invalid Authenticator field."

ISE cannot validate the Authenticator field in the header of the RADIUS Accounting-Request packet. Note that the Authenticator field should not be confused with the Message-Authenticator RADIUS attribute.
Ensure that the RADIUS Shared Secret configured on the AAA client matches that configured for the selected Network Device on the ISE server. Also, ensure that the AAA client has no hardware problems or problems with RADIUS compatibility.

 

we have removed the shared secrete and reapplied  but still this error shows up.

any idea?

thanks

Lance

1 person had this problem
Labels:
0 Helpful
6 Replies 6

Saurav Lodh
Level 7
Level 7

‎05-01-2014 04:23 AM

Please remove the WLC from ISE, register there after rebooting the WLC once.

0 Helpful

nohfendi1
Level 1
Level 1
In response to Saurav Lodh

‎10-26-2017 01:06 AM

Dear Support 

 

I got the same problem.

What the workaround for this case ?

I was try to re enter the secret-shared but the problem still occurs.

Thanks

Muhamad

0 Helpful

mohanak
Cisco Employee
Cisco Employee

‎06-12-2014 04:22 AM

CSCtw56571




Symptom:
When aaa dot1x accounting and trustsec accounting are both enabled, RADIUS accounting does not work. When the ISE receives and accounting packet, it receives the following error.

Conditions:
The following command needs to be present on the device.

aaa accounting dot1x default start-stop group radius

Workaround:
Two workarounds:

1. Disable aaa accounting :

no aaa accounting dot1x default start-stop group radius


2. Define two AAA server groups: one with PAC for TrustSec and the other without PAC for non-TrustSec.

Below is a snippet of sample configuration for Catalyst 3850 03.03.02SE, tested ok with ISE:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! Define two radius servers;
!! one uses ports 1645 and 1646 and
!! the other uses PAC and ports 1812 and 1813
radius server ise.demo.local
address ipv4 10.1.100.21 auth-port 1645 acct-port 1646
automate-tester username radius-test ignore-acct-port idle-time 5
key ISEc0ld
!
radius server ise.demo.local+pac
address ipv4 10.1.100.21 auth-port 1812 acct-port 1813
pac key ISEc0ld
!
aaa group server radius ISE+PAC
server name ise.demo.local+pac
!
aaa group server radius ISE
server name ise.demo.local
!
aaa authentication dot1x default group ISE
aaa authentication dot1x authc-dot1x group ISE
aaa authorization network default group ISE
aaa authorization network cts-mlist group ISE+PAC
aaa accounting update newinfo periodic 15
aaa accounting dot1x default start-stop group ISE
aaa accounting network acct-net start-stop group ISE
!
!
aaa server radius dynamic-author
client 10.1.100.21 server-key ISEc0ld
auth-type any
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
!
!
aaa new-model
aaa session-id common
!
!
!!!! CTS configuration !!!!!!!!!
cts authorization list cts-mlist
cts sgt 2
cts logging verbose
cts role-based enforcement
cts role-based enforcement vlan-list 10,20,99-100,200

Further Problem Description:
The documentation guide for trustsec shows that aaa accounting is enabled, however once that is done the RADIus accounting is broken and we see the following error when the ISE receives an accounting packet :

11038 RADIUS Accounting-Request header contains invalid Authenticator field

Gurudatt Pai
Cisco Employee
Cisco Employee

‎06-18-2014 11:55 PM

On the Network device from which you're receiving these Accounting packets, ensure that both the Authentication server and Accounting server is set to the same ISE IP address.

 

Regards,

 

Gurudatt

0 Helpful

fashour
Level 1
Level 1

‎12-04-2015 01:04 PM

Just disabling the accounting tester fixed the same issue for me without adding 2 radius groups.

radius server MEGATRON
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 automate-tester username ise-check ignore-acct-port idle-time 5
 pac key !radius-key!

aaa group server radius ISE
 server name MEGATRON
 ip radius source-interface Loopback0

aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization network CTS group ISE
aaa authorization auth-proxy default group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting system default start-stop group ISE
cts authorization list CTS

0 Helpful

sanket
Cisco Employee
Cisco Employee

‎03-25-2020 01:31 AM

Make sure your ISE->NetworkDevice->WLC password is same as your WLC->Security->radius->Accounting->ServerAddress(x.y.z.w) password.

 

Thanks,

Sanket 

 

0 Helpful
Customers Also Viewed These Support Documents