Cisco ISE and HPE FF 5130HI reauthentication problem

  • 1.  Cisco ISE and HPE FF 5130HI reauthentication problem

    Posted Jul 07, 2022 11:14 AM
    Hello

    We are having problems with Cisco ISE and HPE 5130 HI dot1x reauthentication.

    When the reauth timer expires, the user reauthenticates, we get two errors, and the user gets dropped into the guest network.

    Cisco errors are:

    11051 RADIUS packet contains invalid state attribute
    5440 Endpoint abandoned EAP session and started new

    Cisco TAC says that this is because the HPE switch sends a RADIUS State attribute when Cisco ISE doesn't expect one.

    I've tried adding Termination-Action = 1 (RADIUS-request) when sending Access-Accept (I found this in a Cisco bug document), but this didn't help.

    We do not have similar problems with Comware v5 (we have lots of 5120SI/EI switches).

    We are running the latest 5130HI firmware.

    Switch config looks like this

    dot1x authentication-method eap
    dot1x quiet-period
    dot1x retry 3
    dot1x timer quiet-period 10
    dot1x timer supp-timeout 10
    dot1x timer tx-period 10
    #
    port-security enable
    port-security mac-move permit

    radius scheme 802.1x
    primary authentication x.x.x.1
    primary accounting x.x.x.1
    secondary authentication x.x.x.2
    secondary accounting x.x.x.2
    accounting-on enable
    key authentication cipher aaa
    key accounting cipher aaa
    user-name-format keep-original
    #

    domain 802.1x
    authentication lan-access radius-scheme 802.1x
    authorization lan-access radius-scheme 802.1x
    accounting lan-access radius-scheme 802.1x
    #

    interface GigabitEthernet1/0/1
    port link-type hybrid
    port hybrid vlan 1 untagged
    voice-vlan 854 enable
    mac-vlan enable
    stp edged-port
    apply poe-profile index 1
    undo dot1x handshake
    dot1x mandatory-domain 802.1x
    undo dot1x multicast-trigger
    dot1x unicast-trigger
    dot1x critical vlan 802
    dot1x critical eapol
    mac-authentication domain 802.1x
    mac-authentication guest-vlan 702
    mac-authentication host-mode multi-vlan
    undo mac-authentication offline-detect enable
    port-security port-mode userlogin-secure-or-mac-ext
    dhcp snooping binding record
    #

    Any ideas how to fix this?


  • 2.  RE: Cisco ISE and HPE FF 5130HI reauthentication problem

    Posted Jul 08, 2022 10:02 AM
    I'm facing the same problem with similar configs! Cisco TAC says the same thing: the HPE switch sends a RADIUS State attribute when Cisco ISE doesn't expect one.

    I'm searching for the solution too... Anyone to help us!?



  • 3.  RE: Cisco ISE and HPE FF 5130HI reauthentication problem

    Posted Jul 22, 2022 11:22 AM
    Hello

    After poking around I've tried this configuration for radius scheme:

    sys
    radius scheme <name>
    attribute translate
    attribute reject Class sent

    save safely force

    I've applied this configuration in my LAB and one production switch and there are no errors as of that moment.
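As an added illustration (not code from this thread, from HPE or from Cisco), the following Python checker parses RADIUS datagrams per RFC 2865 and flags an Access-Request that carries a State attribute the server did not hand out in its preceding Access-Challenge or Access-Accept, which is the condition TAC describes in the first post. The packet bytes are constructed inline for the demonstration; the attribute numbers (User-Name = 1, State = 24) and packet codes are the RFC values.

```python
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11  # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_STATE = 1, 24                          # RFC 2865 attribute types

def parse_radius(pkt: bytes):
    """Return (code, identifier, {attr_type: [values]}) for one RADIUS datagram."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, offset = {}, 20  # 4-byte header + 16-byte authenticator
    while offset + 2 <= length:
        atype, alen = pkt[offset], pkt[offset + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, []).append(pkt[offset + 2:offset + alen])
        offset += alen
    return code, ident, attrs

def build_radius(code, ident, attrs):
    """Assemble a datagram with a zeroed authenticator (constructed test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def audit_state(packets):
    """Walk packets in wire order; report Access-Requests whose State attribute was
    not issued by the server's last Access-Challenge or Access-Accept (the condition
    behind ISE's 'invalid state attribute' message). Returns [(identifier, reason)]."""
    findings, valid_state = [], None
    for pkt in packets:
        code, ident, attrs = parse_radius(pkt)
        if code in (ACCESS_CHALLENGE, ACCESS_ACCEPT):
            # The server hands out a new State; an Accept without one clears it, since
            # a later request may only echo a State that an Accept actually carried.
            valid_state = attrs.get(ATTR_STATE, [None])[0]
        elif code == ACCESS_REQUEST and ATTR_STATE in attrs:
            if valid_state is None:
                findings.append((ident, "State sent but server issued none"))
            elif attrs[ATTR_STATE][0] != valid_state:
                findings.append((ident, "State does not match the last one issued"))
    return findings

# Constructed sample exchange: a normal challenge/response, then a reauthentication
# that replays the old State even though the Accept did not hand one out.
SAMPLE = [
    build_radius(ACCESS_REQUEST, 1, [(ATTR_USER_NAME, b"user")]),
    build_radius(ACCESS_CHALLENGE, 1, [(ATTR_STATE, b"S1")]),
    build_radius(ACCESS_REQUEST, 2, [(ATTR_USER_NAME, b"user"), (ATTR_STATE, b"S1")]),
    build_radius(ACCESS_ACCEPT, 2, []),
    build_radius(ACCESS_REQUEST, 3, [(ATTR_USER_NAME, b"user"), (ATTR_STATE, b"S1")]),
]
```

Running `audit_state(SAMPLE)` reports the third Access-Request; feeding it packets decoded from a capture of the switch-to-ISE exchange shows whether the reauthentication request is the one replaying a stale State.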