Cisco ISE throws "11036 The Message-Authenticator RADIUS attribute is invalid "

Similar Messages

• [Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid

  Hi,
  I got many Cisco AP which are linked to 2 Cisco WLC.
  On each WLC, I configured a primary and a secondary RADIUS Server.
  RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)
  Primary and secondary ACS configurations are synchronized.
  There are no problem between primary WLC and Cisco ACS (primary and secondary).
  When secondary WLC requests primary Cisco ACS, I get this error "11036 The Message-Authenticator RADIUS attribute is invalid"
  Secondary WLC automatically contacts secondary Cisco ACS and it works fine.
  Cisco ACS description for this error: "This maybe because of mismatched Shared Secrets."
  The two Cisco ACS are synchronized so I should have same error on them...
  Why does primary ACS generate this error?
  Thanks for your help,
  Patrick

  Tarik Admani wrote:Amjad,That is a good observation, shouldnt 7.3 (which recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup.Thanks,Tarik Admani
  *Please rate helpful posts*
  Yes. That is a good point.
  With 7.3 you can use high availability (HA) between two WLCs and you can configure only one WLC (the primary) and all the configuraiotn can be replicated and synched to the other WLC (the secondary).
  The two WLCs in the HA must be on same subnet though. Otherwise hot-standby HA between WLCs can't be used.
  Rating useful replies is more useful than saying "Thank you"

• Cisco ISE AD (Windows Server 2013) Authentication Problem

  Background:
  Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3.
  Wireless users authenticates to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication using PEAP-MSCHAPv2 and admin access wtih PAP/ASCII.
  Problem:
  Wireless users cannot authenticate to AD through ISE. The below is the error message "11051 RADIUS packet contains invalid state attribute" & "24444 Active Directory operation has failed because of an unspecified error in the ISE".
  Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below:
  xxdc01.xx.com (10.21.3.1)
  Pinged:0 Mins Ago
  State:down
  xxdc02.xx.com (10.21.3.2)
  Pinged:0 Mins Ago
  State:down
  xxdc01.xx.com
  Last Success:Thu Jan  1 10:00:00 1970
  Last Failure:Mon Mar 11 11:18:04 2013
  Successes:0
  Failures:11006
  xxdc02.xx.com
  Last Success:Mon Mar 11 09:43:31 2013
  Last Failure:Mon Mar 11 11:18:04 2013
  Successes:25
  Failures:11006
  Domain Controller: xxdc02.xx.com:389
      Domain Controller Type: Unknown DC Functional Level: 5
      Domain Name:            xx.COM
      IsGlobalCatalogReady:   TRUE
      DomainFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
      ForestFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
  Action Taken:
  Log on to Cisco ISE and WLC using AD credentials. This rules out AD connection, clock and AAA shared secret as the problem.
  2)     Tested wireless authentication using EAP-FAST but same problem occurs.
  3)     Detailed error message shows the below. This rules out any authentication and authorization polices. Before even hitting the authentication policy, the AD lookup fails.     
  12304  Extracted EAP-Response containing PEAP challenge-response
  11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Store - AD1
  24430  Authenticating user against Active Directory
  24444  Active Directory operation has failed because of an unspecified error in the ISE
  4)     Enabled AD debugging logging and had a look at the logging. Nothing significant and no clues to the problem.
  5)     Tested wireless on different laptos and mobile phones with same error
  6)     Delete and add again AAA Client/Devices on both Cisco ISE and WLC
  7)     Restarted ISE services
  8)     Rejoin domain on Cisco ISE
  9)     Checked release notes of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Nothing found related to this problem.
  10)    There are two ISE and two WLC deployed. Tested different combination of ISE1 to WLC1, ISE1 to WLC2 etc. This rules out hardware issue of WLC.
  Other possibilities/action:
  1)     Test it out on a different WLC version. Will have to wait outage approval to upgrade WLC software.
  2)     Incompatibility of Cisco ISE and AD running on Microsoft Windows Server 2012
  Anyone out there experienced something similar of have any ideas on why this is happening?
  Thanks.
  Update:
  1) Built another Cisco ISE 1.1.3 sever in another datacentre that uses the same domain but different domain controller. Thais domain controller is running Windows Server 2008. This works and authentication successful.
  2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.
  This leads me to think there is a compatibility issue of Cisco ISE with Windows Server 2012.

  Does anyone know if ISE 1.1.3 p1 supports AD DCs running 2012, if not which patch is required ot version?
  Worryingly when ISE joins a 2012 DC it states it's connected successfully, and if another 2003 DC is available in that datacentre it will perform the auths against that DC whilst actually advertising (Connections in the GUI) that it's connected to the 2012 DC. We ended up mapping 8 PSN IP’s to another datacentre which has one Win2003 servers whilst the old 2003 DC is being promoted back, the 8 ISE servers started working, even though they still advertised they were connected to the 2012 DCs in the original datacentre - I performed a leave and join on one PSN and only then did it advertise that the node was connected to a DC in a different datacentre

• When trying to launch iTunes it freezes and I get the message: "Authentication Required. To access this site you need to log in to area "100656 on mellor.co. Your password will be sent in the clear." I am unable to enter a uname or password. Please help!!

  When trying to launch iTunes on my PC running Windows 7 it freezes and I get the message: "Authentication Required. To access this site you need to log in to area "100656 on mellor.co. Your password will be sent in the clear." Because iTunes is frizen at this point I am unable to enter a username or password, or in fact do anything. Please help!! I have uninstalled and reinstalled iTunes numerous times as well as attempting all of the fixes that I could find on-line and still no joy.

  That sounds extremely phishy to me... iTunes does not require authentication simply to launch it. I suspect you've got something nasty intercepting network traffic. That server may be set up to log the Apple ID that you enter so it can be used fraudulently. Try ComboFix from Bleeping Computer.
  FWIW the domain mellor.co is registered to an accountants in Knutsford, Cheshire, UK, and produces the same authentication request if visited with a browser. There is no sign of a "real" publicly visible website at that domain which is a somewhat odd.
  tt2

• [svn] 1743: In the process of changing the messaging authentication tests to run over individual channels .

  Revision: 1743
  Author: [email protected]
  Date: 2008-05-15 12:26:11 -0700 (Thu, 15 May 2008)
  Log Message:
  In the process of changing the messaging authentication tests to run over individual channels. Before the tests were just running over the first/default channel in the destination. Now the tests will be hardcoded to run over a particular channel. In this checkin I am removing the existing authentication tests and checking in tests that run over a polling amf channel. Tests for other channels are coming soon.
  Modified Paths:
  blazeds/branches/3.0.x/qa/apps/qa-regress/WEB-INF/flex/messaging-config.mods.xml
  Added Paths:
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/polling-amf/
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/polling-amf/JMSAuthConSubscribeTest.mxml
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/polling-amf/JMSAuthProSendTest.mxml
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/polling-amf/JMSAuthSendSubscribeConstraintTest.mxml
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/polling-amf/MessagingAuthConSubscribeTest.mxml
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/polling-amf/MessagingAuthProSendTest.mxml
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/polling-amf/MessagingAuthSendSubscribeConstraintTest.mxml
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/polling-amf/MessagingAuthenticationTest.mxml
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/polling-amf/MessagingAuthenticationTest2.mxml
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/polling-amf/MultiTopicMessagingAuthConSubscribeTest.mxml
  Removed Paths:
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/JMSAuthConSubscribeTest.mxml
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/JMSAuthProSendTest.mxml
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/JMSAuthSendSubscribeConstraintTest.mxml
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/JMSAuthSendSubscribeConstraintTest_Streaming.mxml
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/MessagingAuthConSubscribeTest.mxml
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/MessagingAuthProSendTest.mxml
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/MessagingAuthSendSubscribeConstraintTest.mxml
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/MessagingAuthenticationTest.mxml
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/MessagingAuthenticationTest2.mxml
  blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/securi ty/MultiTopicMessagingAuthConSubscribeTest.mxml

  Remember that Arch Arm is a different distribution, but we try to bend the rules and provide limited support for them.  This may or may not be unique to Arch Arm, so you might try asking on their forums as well.

• Airport keeps giving me the message that I entered an invalid password for my wireless network.

  When I use network preferences to connect wirelessly to my wifi home network and enter the correct password that works on my iPad and other computers, I keep getting the message that I entered an invalid password. I have checked my keychain and made certain the correct password in saved there. Any suggestions?

  It is asking for your security phrase not the router's password, in case you are entering the wrong password. If you are sure you are entering the correct phrase, you can reset your router to factory defaults then set up your security again.

• I am trying to install Adobe Premiere Elements 9 without success. I successfully installed Photoshop Elements 9 without a problem. The message I am getting is 'Invalid Unicode file - .\Autoplay\LangData\en_US\lang.dat'. Anyone out there who can help pleas

  I am trying to install Adobe Premiere Elements 9 without success. I successfully installed Photoshop Elements 9 without a problem. The message I am getting is 'Invalid Unicode file - .\Autoplay\LangData\en_US\lang.dat'. Anyone out there who can help please?

  click setup, not autoplay.

• Cisco ISE with both internal and External RADIUS Server

  Hi
  I have ISE 1.2 , I configured it as management monitor and PSN and it work fine
  I would like to know if I can integrate an external radius server and work with both internal and External RADIUS Server simultanously
  So some computer (groupe_A in active directory ) will continu to made radius authentication on the ISE internal radius and other computer (groupe_B in active directory) will made radius authentication on an external radius server
  I will like to know if it is possible to configure it and how I can do it ?
  Thanks in advance for your help
  Regards
  Blaise

  Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
  Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
  The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

• I changed nothing in my email account but can no longer send emails on my talktalk account and get the message, "authentication required." I am running Mavericks on my MacBook Pro. I can receive messages on talktalk. Can send

  I changed nothing in my email account, talktalk.net, but can no longer send (server's response, "authentication required) No problem receiving, I am using Mavericks on my MacBookPro. No problem using Cloud, but I want to use my talktalk account as before the problem
  I can send and receive using talktalk without any problems using my iPod and iPad.
  I would be most grateful for help - in simple form, please, I am an 80 plus female Mac lover!

  Hello Hazel139,
  I found this in one of the similar post hope it helps you.
         Level 6 (14,190 points)             
  X423424X 
  This helped meRe: Problem SENDING email     Jun 17, 2012 1:40 PM    (in response to Casanewton) 
  The error I see is you did not specify the proper authentication for the smtp server.
  In the Mail preferences for the account, smtp popup, select Edit SMTP Server List.  A sheet will drop down.  Select Advanced tab on that sheet.  You should, I assume, set the Authentication to password, and set the proper username and password.  That's where the poper would be set if 587 is not the one you should be using.  Maybe it is.  I only bring it up since I see it trying to use port 587.
  If you got this stuff already set correctly then I don't know.  Mail has a problem in your setup.  Maybe delete the account and recreate it from scratch.
  https://discussions.apple.com/message/18670442#18670442

• When I try to download the latest version of iTunes on my iPod Classic I get the message that "iTunes has an invalid signature" and that "Content was blocked because it was not signed by a valid security certificate.  Anyone know how to fix this?

  When I try to download the latest version of iTunes from apple.com, I get the message "Content was blocked because it was not signed by a valid security certificate."When I open iTunes and try to download the latest version there, I get the message "iTunes has an invalid signature.  The download has been removed."  I have also gotten an Internet Script Error stating that an error has occured in Line 0, Char O and that "Access is denied to images.apple.com/global/scripts/lib/iepngfix.htc."  This problem has never occurred with earlier versions of ITunes.  Anyone know how to fix this problem? 

  Are you downloading iTunes form an Apple website or somewhere else? If the answer is somewhere else, try downloading it from Apple. Click on iTunes in the black menu bar above and go from there.
  Let us know what happens.

• System log query is flooded with the message.. WindowServer[]: WSSetTrackingAreaEnabled : Invalid tracking area

  Hello apple community (: quick question
  my system log query is flooded with the message..
  "8/29/14 12:10:12.258 PM WindowServer[176]: WSSetTrackingAreaEnabled : Invalid tracking area 0x61000089f220"
  it has shown me after i run Mavericks Cache Cleaner to clean my computer. in my Activity Log, WindowServer[176] is taking up anywhere from 5 - 20 cpu at a time. (maybe more haven't watched it for too long)
  what do i do fix this? i recently updated to OS X and i haven't payed attention to the errors until now (i'm an idiot i know..) so i don't exactly know when it all started happening. sorry all just hoping someone will have an idea.
  -Ali

  What functional problem do you have, if any? Log messages are not a problem in themselves.

• Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

  Hello,
  I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
  In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
  Problem is how do you specify ISE to check both in the Authentication Policy?  The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.  
  Any way to resolve this?
  Thanks,
  Steve

  You need to use the AnyConnect NAM supplicant on your windows machines, and use the feature called eap-chaining for that, windows own supplicant won't work.
  an example (uses user/pass though, but same concept)
  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

• Cisco ise 1.1.4 no open radius port

  Hi,
  I have a big issue with my ise appliance configured with the last version, which is 1.1.4
  I have configured one network device but she doesn't want communicate with ise. The radius communication doesn't works.
  In fact, we see when we do "sh ports" on the ise that the radius port are not open.
  I ever installed one ise appliance in 1.1.3 and it works.
  A idea ????? please
  thanks for advanced

  Hi,
  Can you post the output of your show ports? Also is this in a distributed setup or is this a standalone node.
  here are the port information on my psn -
  udp: 10.250.250.183:58626, 10.250.250.183:1812, 10.250.250.183:1813, 10.250.250.183:1700, 0.0.0.0:60599, 10.250.250.183:3799, 10.250.250.183:1645, 10.250.250.183:1646,
  From my admin node -
  10.250.250.185:1700, 10.250.250.185:3799, 10.250.250.185:64217, 0.0.0.0:20057, 0.0.0.0:50140
  If this is a standalone node, can you go to the deployment section and make sure that all checkboxes are selected, in particular the third box "Policy Service"
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

  Hi,
  Since we implemented Cisco ISE we receive the following failure on several Notebooks:
  Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
  This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
  The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
  Why is this happening?
  Thanks,
  Marc

  The possible causes of this error message are:
  1.] If the end user entered an incorrect username.
  2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
  3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
  In your cases, the 3rd option seems to be the most closest one.
  Jatin Katyal
  - Do rate helpful posts -

• Cisco ISE: External RADIUS Server

  Hi,
  I would like to forward RADIUS from PSN to another PSN. I already defined "External RADIUS Servers".
  So, how can I use this external RADIUS server to process my request ?
  Looking at the user guide but didn't find any information about this setting (For rule based not simple rule)
  If anyone use this, please suggest this to me.
  Thanks,
  Pongsatorn

  Defining an External RADIUS Server
  The Cisco Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.
  The Cisco Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description or both.
  To create an external RADIUS server, complete the following steps:
  Step 1 Choose Administration > Network Resources > External RADIUS Servers.
  The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.
  Step 2 Click Add to add an external RADIUS server.
  Step 3 Enter the values as described:
  •Name—(Required) Enter the name of the external RADIUS server.
  •Description—Enter a description of the external RADIUS server.
  •Host IP—(Required) Enter the IP address of the external RADIUS server.
  •Shared Secret—(Required) Enter the shared secret between Cisco Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.
  •Enable KeyWrap—This option increases RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.
  •Key Encryption Key—This key is used for session encryption (secrecy).
  •Message Authenticator Code Key—This key is used for keyed HMAC calculation over RADIUS messages.
  •Key Input Format—Specify the format you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.)
  –ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.
  –Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.
  •Authentication Port—(Required) Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.
  •Accounting Port—(Required) Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.
  •Server Timeout—(Required) Enter the number of seconds that the Cisco Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.
  •Connection Attempts—(Required) Enter the number of times that the Cisco Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.
  Step 4 Click Submit to save the external RADIUS server configuration.