topic Hi Stewart - Did you ever in Network Access Control

Cisco ISE Radius Proxy

stewartgray — Mon, 11 Mar 2019 07:04:49 GMT

Hello, I'm trying to setup our ISE cluster so (in addition to what it already does) it can act as a radius proxy. I have read a number of guides and have:

1) Defined the external Radius server

2) Created an Radius Server Sequence

3) Defined the Radius Server Sequence in a policy (where you usually select allowed protocols).

When using a radius client to test the access, I can confirm it is matching the authentication policy that has the radius server sequence. checking the logs I can see an error stating:

Event 5405 RADIUS Request dropped
Failure Reason 11353 No more external RADIUS servers; can't perform failover

It sounds like an issue between the ISE and the radius servers defined right? I have done packet captures on the radius servers and there is no traffic from the ISE's whatsoever. They simply are not forwarding these requests.

Am I missing something?

We are running 2.0.1.130. 2 nodes as admin, 2 as policy.

Any help or suggestions would be greatly appreciated.

Firewalls between your ISE

jan.nielsen — Thu, 15 Sep 2016 20:50:24 GMT

Firewalls between your ISE servers and the other radius servers? Routing issues? NAT'ing?

Are you running old style ports 1645 or 1812?

No firewalls or NAT. ISE,

stewartgray — Thu, 15 Sep 2016 21:25:01 GMT

No firewalls or NAT. ISE, Radius Proxy, and Radius Client are all in our LAN environment. Routing verified by the fact that each system can ping each other.

I tried both the old and new ports and this doesn't make any difference.

Ok, Actually from looking in

jan.nielsen — Thu, 15 Sep 2016 22:12:55 GMT

Ok, Actually from looking in the log you attached it looks like ISE is actually getting a response, but it's invalid. Maybe try to use the ISE servers tcpdump function, see what ISE thinks is going on. Also double check secret keys in both ends.

I agree with Jan.

Marvin Rhoads — Fri, 16 Sep 2016 00:34:04 GMT

I agree with Jan.

The two RADIUS servers are talking - just not establishing a valid connection which is a prerequisite for any authentication. A packet capture should highlight the specific issue.

Have you contacted the admin of the external RADIUS server to check what they are seeing?

I'm the admin of the servers,

stewartgray — Fri, 16 Sep 2016 04:48:46 GMT

I'm the admin of the servers, and my initial post stated that I have already done packet captures. The only time I see traffic on the external radius server is when I run a ping - I see icmp packets straight away. Otherwise, there is no traffic from ISE - not during creation of the external radius server object or moments where it should be forwarding these. Cheers

It's not possible that ISE

stewartgray — Fri, 16 Sep 2016 04:51:52 GMT

It's not possible that ISE has received a response, certainly not from the external radius server anyway (because I have done packet captures and the external radius box receives no requests). I wasn't aware that there was tcpdump on the ISE itself so I will give this a go to see what it sees. I will let you know how I get on. Thanks

I've done that tcpdump from

stewartgray — Fri, 16 Sep 2016 08:28:24 GMT

I've done that tcpdump from the ISE node and as I'd presumed, the ISE is not forwarding the radius request to the external radius server.

So the question is why is is not even attempting to forward these requests?

I have tried several radius sources to rule out the source of the first radius packet as being the problem.

When you captured from ISE,

Marvin Rhoads — Fri, 16 Sep 2016 15:06:57 GMT

When you captured from ISE, did you specify the PSN as the node from which to capture?

If the PSN isn't sending the requests, I'd recommend a TAC case to have them look at your setup interactively.

I can verify that the feature of external RADIUS servers works. I have used it for several edu deployments that use the eduroam service.

I have also used the radius

stewartgray — Mon, 19 Sep 2016 10:16:36 GMT

I have also used the radius proxy but on earlier versions of ISE. I have raised a TAC case through our provider and are hoping they will be able to get this working for me.

Hi Stewart - Did you ever

Backendsupport — Wed, 01 Mar 2017 14:26:59 GMT

Hi Stewart - Did you ever resolve this issue? I have a similar issue, where the ISE installation matches the rule for external RADIUS sequence, but we never see the traffic towards the external RADIUS servers coming out of any of the ISE boxes.

We also see the "Failure Reason 11353 No more external RADIUS servers; can't perform failover", and we're running 2.0.1 in a 4 node setup (admin, monitor, and 2 PSN)

This is kind of obvious but

sdoherty — Wed, 01 Mar 2017 19:29:38 GMT

This is kind of obvious but when you define radius server sequence do you select the server under *Selected

sdoherty - I can see why you

Backendsupport — Thu, 02 Mar 2017 07:07:07 GMT

sdoherty - I can see why you ask since it could be forgotten, but yes, this is already done.

I have configured ISE as

Om Om — Tue, 06 Jun 2017 14:15:54 GMT

I have configured ISE as radius proxy but it is not working. ISE is proxying radius request to Microsoft MFA. Attached the error. Could anybody help on this.