ISE cannot validate the Authenticator field in the header of the RADIUS Accounting-Request packet. Note that the Authenticator field should not be confused with the Message-Authenticator RADIUS attribute. Ensure that the RADIUS Shared Secret configured on the AAA client matches that configured for the selected Network Device on the ISE server. Also, ensure that the AAA client has no hardware problems or problems with RADIUS compatibility.
We have removed the shared secret and reapplied it, but this error still shows up.
Symptom: When aaa dot1x accounting and trustsec accounting are both enabled, RADIUS accounting does not work. When the ISE receives an accounting packet, it receives the following error.
Conditions: The following command needs to be present on the device.
aaa accounting dot1x default start-stop group radius
Workaround: Two workarounds:
1. Disable aaa accounting:
no aaa accounting dot1x default start-stop group radius
2. Define two AAA server groups: one with PAC for TrustSec and the other without PAC for non-TrustSec.
Below is a snippet of sample configuration for Catalyst 3850 03.03.02SE, tested ok with ISE:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! Define two radius servers;
!! one uses ports 1645 and 1646 and
!! the other uses PAC and ports 1812 and 1813
radius server ise.demo.local
 address ipv4 10.1.100.21 auth-port 1645 acct-port 1646
 automate-tester username radius-test ignore-acct-port idle-time 5
 key ISEc0ld
!
radius server ise.demo.local+pac
 address ipv4 10.1.100.21 auth-port 1812 acct-port 1813
 pac key ISEc0ld
!
aaa group server radius ISE+PAC
 server name ise.demo.local+pac
!
aaa group server radius ISE
 server name ise.demo.local
!
aaa authentication dot1x default group ISE
aaa authentication dot1x authc-dot1x group ISE
aaa authorization network default group ISE
aaa authorization network cts-mlist group ISE+PAC
aaa accounting update newinfo periodic 15
aaa accounting dot1x default start-stop group ISE
aaa accounting network acct-net start-stop group ISE
!
!
aaa server radius dynamic-author
 client 10.1.100.21 server-key ISEc0ld
 auth-type any
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
!
!
aaa new-model
aaa session-id common
!
!
!!!! CTS configuration !!!!!!!!!
cts authorization list cts-mlist
cts sgt 2
cts logging verbose
cts role-based enforcement
cts role-based enforcement vlan-list 10,20,99-100,200
Further Problem Description: The documentation guide for TrustSec shows that aaa accounting is enabled; however, once that is done, RADIUS accounting is broken and we see the following error when the ISE receives an accounting packet:
11038 RADIUS Accounting-Request header contains invalid Authenticator field
aaa group server radius ISE
 server name MEGATRON
 ip radius source-interface Loopback0

aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization network CTS group ISE
aaa authorization auth-proxy default group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting system default start-stop group ISE
cts authorization list CTS
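The Authenticator check behind error 11038, as an added example that is not part of the original thread or Cisco's code: per RFC 2866 the Accounting-Request Authenticator is an MD5 over the packet and the shared secret, so a packet signed with any key other than the one the server holds fails validation. The attribute values, packet identifier and `OTHER_KEY` are constructed; `ISEc0ld` is the key from the sample configuration above.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS Code for Accounting-Request (RFC 2866)

def acct_authenticator(ident, attrs, secret):
    """RFC 2866 Request Authenticator:
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_accounting_request(ident, attrs, secret):
    """What the AAA client does: sign the packet with its shared secret."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + acct_authenticator(ident, attrs, secret) + attrs

def validate_accounting_request(packet, secret):
    """What the server does on receipt. Returns (ok, reason)."""
    if len(packet) < 20:
        return False, "packet shorter than the 20-octet RADIUS header"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        return False, "not an Accounting-Request"
    if length < 20 or length > len(packet):
        return False, "Length field does not fit the packet"
    attrs = packet[20:length]  # octets past Length are padding and ignored
    expected = acct_authenticator(ident, attrs, secret)
    if not hmac.compare_digest(packet[4:20], expected):
        return False, "invalid Authenticator field"
    return True, "ok"

def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

# Constructed sample: Acct-Status-Type=Start, Acct-Session-Id, NAS-IP-Address.
SAMPLE_ATTRS = (attr(40, struct.pack("!I", 1)) + attr(44, b"00000001")
                + attr(4, bytes([10, 1, 100, 1])))
SERVER_SECRET = b"ISEc0ld"            # key from the sample configuration above
OTHER_KEY = b"constructed-other-key"  # stand-in for any non-matching key

MATCHING = build_accounting_request(7, SAMPLE_ATTRS, SERVER_SECRET)
MISMATCHED = build_accounting_request(7, SAMPLE_ATTRS, OTHER_KEY)

if __name__ == "__main__":
    print(validate_accounting_request(MATCHING, SERVER_SECRET))
    print(validate_accounting_request(MISMATCHED, SERVER_SECRET))
```

Running the validator over an Accounting-Request exported from a packet capture with the secret configured on ISE shows whether the client signed it with that secret.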