
OPERATIONAL DEFECT DATABASE
...

...
Intermittently a switch servicing clients via dot1x and MAB will mark the active RADIUS server DEAD:

038547: Oct 25 02:42:18.531 CDT: %RADIUS-4-RADIUS_DEAD: RADIUS server 203.0.113.10:1812,1813 is not responding.
038560: Oct 25 03:07:18.681 CDT: %RADIUS-4-RADIUS_DEAD: RADIUS server 203.0.113.10:1812,1813 is not responding.
038589: Oct 25 03:32:18.701 CDT: %RADIUS-4-RADIUS_DEAD: RADIUS server 203.0.113.10:1812,1813 is not responding.
The RADIUS server in use is Identity Services Engine (ISE). The RADIUS key is set to use a PAC, like:

radius server ise201
 address ipv4 203.0.113.10 auth-port 1812 acct-port 1813
 pac key

MAB and 802.1x need to be configured on the port to hit this issue.
Switch to a pre-shared key for dot1x and MAB authentications:

aaa group server radius ise201-noPAC
 server name ise201-noPAC
aaa group server radius ise201
 server name ise201
!
aaa authentication dot1x default group ise201-noPAC
aaa authorization network default group ise201-noPAC
aaa authorization network cts-mlist group ise201
aaa accounting dot1x default start-stop group ise201-noPAC
!
cts authorization list cts-mlist
!
radius server ise201
 address ipv4 203.0.113.10 auth-port 1812 acct-port 1813
 pac key
!
radius server ise201-noPAC
 address ipv4 203.0.113.10 auth-port 1645 acct-port 1646
 key

This will allow TrustSec to use the PAC key, which it requires, while dot1x authentications use the shared key.
Whether or not this is seen depends on whether there is a misconfigured supplicant attached to the switch that is attempting to authenticate. Here is the overview of the order of events to hit this:
1) A client with a misconfigured supplicant connects and successfully authenticates via MAB, either after failing 802.1x or timing out of 802.1x. It could also authenticate via MAB first.
2) The supplicant starts a new 802.1x authentication but stops responding.
3) Within 120 seconds MAB sends an accounting stop. At this point, since there is an active 802.1x authentication in process, ISE processes the accounting stop differently and sends its response with the shared secret instead of the PAC.
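Why a reply signed with the wrong secret looks like no reply at all, as an added illustration that is not code from this page, from Cisco or from ISE: RADIUS accounting responses carry an MD5 Response Authenticator computed over the request's authenticator and the shared secret (RFC 2866), so when ISE answers the MAB accounting stop with the shared secret while the switch expects its PAC key, the switch cannot validate the reply, drops it, and counts it as a miss toward its dead-server criteria. The key values, session id and the three-miss threshold below are constructed assumptions, not values from the page.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (RFC 2865 section 3)


def _authenticator(code, ident, auth_field, attrs, secret):
    """MD5(Code + ID + Length + Authenticator + Attributes + Secret): the RFC 2866
    construction for both the accounting Request Authenticator (16 zero octets in
    the authenticator slot) and the Response Authenticator (request's value there)."""
    length = HEADER.size + 16 + len(attrs)
    return hashlib.md5(HEADER.pack(code, ident, length) + auth_field + attrs + secret).digest()


def accounting_stop(ident, session_id, secret):
    """Constructed MAB Accounting-Request(Stop), signed by the switch with `secret`."""
    attrs = struct.pack("!BBI", 40, 6, 2)                   # Acct-Status-Type = Stop
    attrs += bytes([44, 2 + len(session_id)]) + session_id  # Acct-Session-Id
    req_auth = _authenticator(ACCT_REQUEST, ident, bytes(16), attrs, secret)
    return HEADER.pack(ACCT_REQUEST, ident, HEADER.size + 16 + len(attrs)) + req_auth + attrs


def accounting_response(request, secret):
    """Server side: answer the request, signing with whichever secret the server picked."""
    ident, req_auth, attrs = request[1], request[4:20], b""  # responses carry no attributes here
    resp_auth = _authenticator(ACCT_RESPONSE, ident, req_auth, attrs, secret)
    return HEADER.pack(ACCT_RESPONSE, ident, HEADER.size + 16) + resp_auth + attrs


def response_is_valid(request, response, secret):
    """Client side: recompute the Response Authenticator with the client's own secret.
    A reply signed with any other secret fails here and is silently discarded,
    indistinguishable from the server never answering."""
    if response[1] != request[1]:
        return False
    expected = _authenticator(ACCT_RESPONSE, response[1], request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def server_declared_dead(client_secret, server_secret, dead_tries=3):
    """Simplified dead-server detector (threshold is an assumed stand-in for the
    platform's dead-criteria tries): every request whose reply cannot be verified
    is a miss, and `dead_tries` consecutive misses mark the server DEAD."""
    misses = 0
    for ident in range(dead_tries):
        req = accounting_stop(ident, b"0000ABCD", client_secret)
        if not response_is_valid(req, accounting_response(req, server_secret), client_secret):
            misses += 1
    return misses >= dead_tries


# Constructed keys: the switch signs with its PAC key, ISE answers with the plain shared secret.
PAC_KEY, SHARED_SECRET = b"pac-key-example", b"shared-secret-example"
```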