Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ISE Radius accounting

Hi all,

 

we are seen some error messages as below

 

11038 RADIUS Accounting-Request header contains invalid Authenticator field."

ISE cannot validate the Authenticator field in the header of the RADIUS Accounting-Request packet. Note that the Authenticator field should not be confused with the Message-Authenticator RADIUS attribute.
Ensure that the RADIUS Shared Secret configured on the AAA client matches that configured for the selected Network Device on the ISE server. Also, ensure that the AAA client has no hardware problems or problems with RADIUS compatibility.

 

we have removed the shared secrete and reapplied  but still this error shows up.

any idea?

thanks

Lance

4 REPLIES

Please remove the WLC from

Please remove the WLC from ISE, register there after rebooting the WLC once.

Gold

CSCtw56571Symptom:When aaa

CSCtw56571




Symptom:
When aaa dot1x accounting and trustsec accounting are both enabled, RADIUS accounting does not work. When the ISE receives and accounting packet, it receives the following error.

Conditions:
The following command needs to be present on the device.

aaa accounting dot1x default start-stop group radius

Workaround:
Two workarounds:

1. Disable aaa accounting :

no aaa accounting dot1x default start-stop group radius


2. Define two AAA server groups: one with PAC for TrustSec and the other without PAC for non-TrustSec.

Below is a snippet of sample configuration for Catalyst 3850 03.03.02SE, tested ok with ISE:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! Define two radius servers;
!! one uses ports 1645 and 1646 and
!! the other uses PAC and ports 1812 and 1813
radius server ise.demo.local
address ipv4 10.1.100.21 auth-port 1645 acct-port 1646
automate-tester username radius-test ignore-acct-port idle-time 5
key ISEc0ld
!
radius server ise.demo.local+pac
address ipv4 10.1.100.21 auth-port 1812 acct-port 1813
pac key ISEc0ld
!
aaa group server radius ISE+PAC
server name ise.demo.local+pac
!
aaa group server radius ISE
server name ise.demo.local
!
aaa authentication dot1x default group ISE
aaa authentication dot1x authc-dot1x group ISE
aaa authorization network default group ISE
aaa authorization network cts-mlist group ISE+PAC
aaa accounting update newinfo periodic 15
aaa accounting dot1x default start-stop group ISE
aaa accounting network acct-net start-stop group ISE
!
!
aaa server radius dynamic-author
client 10.1.100.21 server-key ISEc0ld
auth-type any
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
!
!
aaa new-model
aaa session-id common
!
!
!!!! CTS configuration !!!!!!!!!
cts authorization list cts-mlist
cts sgt 2
cts logging verbose
cts role-based enforcement
cts role-based enforcement vlan-list 10,20,99-100,200

Further Problem Description:
The documentation guide for trustsec shows that aaa accounting is enabled, however once that is done the RADIus accounting is broken and we see the following error when the ISE receives an accounting packet :

11038 RADIUS Accounting-Request header contains invalid Authenticator field
Cisco Employee

On the Network device from

On the Network device from which you're receiving these Accounting packets, ensure that both the Authentication server and Accounting server is set to the same ISE IP address.

 

Regards,

 

Gurudatt

New Member

Just disabling the accounting

Just disabling the accounting tester fixed the same issue for me without adding 2 radius groups.

radius server MEGATRON
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 automate-tester username ise-check ignore-acct-port idle-time 5
 pac key !radius-key!

aaa group server radius ISE
 server name MEGATRON
 ip radius source-interface Loopback0

aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization network CTS group ISE
aaa authorization auth-proxy default group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting system default start-stop group ISE
cts authorization list CTS

1508
Views
5
Helpful
4
Replies