Hello
We are having problems with Cisco ISE and HPE 5130 HI dot1x reauthentication
When the reauth timer expires, the user does reauthentication and we are getting two errors and users get dropped into the guest network.
Cisco errors are:
11051 RADIUS packet contains invalid state attribute
5440 Endpoint abandoned EAP session and started new
Cisco TAC says that this is because the HPE switch sends a RADIUS State attribute when Cisco ISE doesn't expect one.
I've tried adding Termination-Action = 1 (RADIUS-request) when sending Access-Accept (I found this in a Cisco bug document), but this didn't help.
We do not have similar problems with Comware v5 (we have lots of 5120SI/EI switches).
We are running the latest 5130HI firmware.
Switch config looks like this:
dot1x authentication-method eap
dot1x quiet-period
dot1x retry 3
dot1x timer quiet-period 10
dot1x timer supp-timeout 10
dot1x timer tx-period 10
#
port-security enable
port-security mac-move permit
radius scheme 802.1x
primary authentication x.x.x.1
primary accounting x.x.x.1
secondary authentication x.x.x.2
secondary accounting x.x.x.2
accounting-on enable
key authentication cipher aaa
key accounting cipher aaa
user-name-format keep-original
#
domain 802.1x
authentication lan-access radius-scheme 802.1x
authorization lan-access radius-scheme 802.1x
accounting lan-access radius-scheme 802.1x
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid vlan 1 untagged
voice-vlan 854 enable
mac-vlan enable
stp edged-port
apply poe-profile index 1
undo dot1x handshake
dot1x mandatory-domain 802.1x
undo dot1x multicast-trigger
dot1x unicast-trigger
dot1x critical vlan 802
dot1x critical eapol
mac-authentication domain 802.1x
mac-authentication guest-vlan 702
mac-authentication host-mode multi-vlan
undo mac-authentication offline-detect enable
port-security port-mode userlogin-secure-or-mac-ext
dhcp snooping binding record
#
Any ideas how to fix this?
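One way to check the TAC explanation against a packet capture, as an added example that is not part of the original post: the script parses a RADIUS packet and flags an Access-Request that carries a State attribute (type 24) together with an EAP-Response/Identity, which marks the start of a new EAP conversation. The function names are hypothetical, the sample packets are constructed, and treating this combination as the trigger for ISE error 11051 is an assumption based on the TAC statement above.

```python
import struct

ACCESS_REQUEST = 1
ATTR_STATE, ATTR_EAP_MESSAGE = 24, 79      # RFC 2865 State, RFC 3579 EAP-Message
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1     # RFC 3748 code and type

def parse_radius(packet: bytes):
    """Return (code, {attr_type: [values]}) for one RADIUS packet (RFC 2865 layout)."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20                     # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def state_on_new_eap_session(packet: bytes) -> bool:
    """True if an Access-Request has State plus EAP-Response/Identity (assumed trigger)."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_REQUEST or ATTR_STATE not in attrs:
        return False
    eap = b"".join(attrs.get(ATTR_EAP_MESSAGE, []))   # EAP may span several attributes
    return len(eap) >= 5 and eap[0] == EAP_RESPONSE and eap[4] == EAP_TYPE_IDENTITY

def build_request(with_state: bool) -> bytes:
    """Constructed sample Access-Request (zeroed authenticator, no Message-Authenticator)."""
    identity = b"user"
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(identity), EAP_TYPE_IDENTITY) + identity
    attrs = bytes([ATTR_EAP_MESSAGE, 2 + len(eap)]) + eap
    if with_state:
        state = b"stale-state"              # constructed value, not from a real capture
        attrs += bytes([ATTR_STATE, 2 + len(state)]) + state
    return struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for label, pkt in (("with State", build_request(True)), ("without State", build_request(False))):
        print(label, "->", "FLAG" if state_on_new_eap_session(pkt) else "ok")
```

Feed `state_on_new_eap_session` the UDP payloads of the switch's authentication requests from a capture taken at reauthentication time, and compare the result with the same capture from a Comware v5 switch.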