New Member

ISE v1.2 - Status-Server - 5405 RADIUS Request dropped

Just a note:

Some devices send regular RADIUS status messages;

The ISE drops these as 

Event: 5405 RADIUS Request dropped

Failure Reason: 11031 RADIUS packet type is not a valid Request

Root cause: RADIUS packet type is not a valid Request.

Wireshark shows:-

Code: Status-Server (12)
Attribute Value Pairs:
AVP: l=6  t=Service-Type(6): Shell-User(6)
AVP: l=18  t=Message-Authenticator(80): df48bb4b50f0a772bd7c891ef6548c68
AVP: l=6  t=NAS-IP-Address(4): 10.1.1.1

I believe that ISE should accept and respond to these messages per RFC 5997 (updates RFC 2866).

A RADIUS server or proxy implementing this specification SHOULD respond to a Status-Server packet with an Access-Accept (authentication port) or Accounting-Response (accounting port).  An Access-Challenge response is NOT RECOMMENDED.  An Access-Reject response MAY be used.
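The exchange described in the post above, as an added example that is not part of the original thread and not Cisco's code: a minimal authentication-port handler that verifies a Status-Server packet's Message-Authenticator and answers with an Access-Accept. The function names, the shared secret and the sample AVP bytes are constructed for illustration.

```python
import hashlib, hmac, os, struct

STATUS_SERVER, ACCESS_ACCEPT, MSG_AUTH = 12, 2, 80
# Constructed AVPs mirroring the capture: Service-Type=Shell-User, NAS-IP-Address=10.1.1.1
SAMPLE_AVPS = bytes([6, 6, 0, 0, 0, 6]) + bytes([4, 6, 10, 1, 1, 1])

def build_status_server(ident, secret, avps=SAMPLE_AVPS):
    """Client side: Status-Server with a valid Message-Authenticator (last AVP)."""
    body = avps + bytes([MSG_AUTH, 18]) + bytes(16)      # MAC field zeroed
    head = struct.pack("!BBH", STATUS_SERVER, ident, 20 + len(body)) + os.urandom(16)
    mac = hmac.new(secret, head + body, hashlib.md5).digest()
    return head + body[:-16] + mac

def handle_status_server(packet, secret):
    """Server side, auth port: return Access-Accept bytes, or None to drop silently."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != STATUS_SERVER or not 20 <= length <= len(packet):
        return None
    packet, pos, mac_at = packet[:length], 20, None
    while pos < length:                                   # walk the AVP list
        if pos + 2 > length:
            return None
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return None                                   # malformed AVP
        if atype == MSG_AUTH and alen == 18:
            mac_at = pos + 2
        pos += alen
    if mac_at is None:
        return None                                       # unsigned: drop
    zeroed = packet[:mac_at] + bytes(16) + packet[mac_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[mac_at:mac_at + 16]):
        return None                                       # wrong secret or tampered
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return head + hashlib.md5(head + packet[4:20] + secret).digest()

if __name__ == "__main__":
    secret = b"constructed-secret"
    reply = handle_status_server(build_status_server(7, secret), secret)
    print("reply code:", reply[0], "id:", reply[1])
```

Verifying the Message-Authenticator before replying keeps the keepalive from becoming an unauthenticated liveness oracle: a sender without the shared secret gets no answer at all.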

 

2 REPLIES
Cisco Employee

Silly question but you do have the NAS added in ISE's database?

Thank you for rating helpful posts!
New Member

Neno

Nothing to do with that,

The devices will use RADIUS to authenticate fine; database, credentials, etc. fine.

However they send keepalives to validate the RADIUS server is still there. ISE doesn't implement this and ISE logs get full of rejections. The end devices are unable to prioritise which ISE to use based on up/down. But still work.

 

This was just a note to everyone so they are aware of the issue,

 
