We haven't checked the integration of PTP 670 with ISE.
PTP 670 is compatible with the standard RADIUS protocol, but ISE is a supremely flexible and sophisticated product, and it's not surprising that it is difficult to configure.
If you are able to capture the RADIUS interactions using WireShark, we'd be happy to take a look at the traces.
Actually not matter which attribute is send (1,2 or 3) the user is always logged as Read-Only user as if the attribute was not well received by the radio.
The Cambium vendor-specific attribute (VSA) in the Access Accept message from Cisco ISE appears to be correctly formatted in the PCAP provided, and identical to the VSA when we use Free RADIUS. At the moment, it is not clear why the VSA does not have the expected effect when the message is generated in ISE. We are investigating further, and will provide an update here when we have some answers.
We have a solution to this problem. It will be fixed in System Release 670-02-65.
The problem arises because ISE sends a State (type 24) TLV with a 65 byte variable. 670-02-60 expects a variable up to 64 bytes. In 670-02-65, we have extended the maximum size to 128 bytes.
The changes in 670-02-65 will ensure that you can use the Cisco ISE with PTP 670. We plan to include the same fix in PTP 650 in a future release. We expect that the same problem will arise in PTP 300/500/600/800 and here we don't have an opportunity for a bug fix.
It would be good to know if the ISE can be configured to avoid sending the State attribute, or at least to send a value that is not more than 64 bytes? Do you have any experience here?
I understand that you are interested in removing the State attribute (24) from the Radius Access-accept packet and I will do my best to help you. Unfortunately we can't disable the default radius attributes. However, there is a workaround that you may find suitable. The State attribute in Radius is applicable only to CHAP challenges. I went through the packet capture you provided and I noticed that you are using MS-CHAP2. With this in mind, you can avoid including the State attribute in the packets simply by using a different type of protocol than CHAP. Please, refer to the following document, Table 32 RADIUS IETF Attributes (continued) https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrdat1.pdf
I'm a bit puzzled by the Cisco response. In the table referenced, we have this:
State - Allows state information to be maintained between the network access server and the RADIUS server. This attribute is applicable only to CHAP challenges.
As they point out, we are using MS-CHAPv2 here. I guess they are saying that MS-CHAPv2 is a variant of CHAP, so the State attribute is included with MS-CHAPv2 just like plain old CHAP. In this case, it appears that there is no solution available by configuring the ISE server.
670-02-65 has been released with this as a bug fix, so at least the problem should have been solved for PTP 670.