topic Re: Device Authentication Issue in Network Access Control

Device Authentication Issue

mpbaker82 — Thu, 31 Jan 2019 15:01:50 GMT

I use ISE in a distributive deployment.

The NAD in question is configured with two radius server IP's. (Radius 1 (local PSN) > Radius 2 (Backup PAN))

I can reach both my local psn and remote pan ise nodes from this nad. (i can ping both ISE nodes with no problem)

I can even authenticate with the nad device. The live radius logs show the device authentication successfully. My issue is that its authenticating with the wrong policy server. The authentication request is sent to the remote policy server (backup) and not using the local policy server.

i would expect the authentication request to use the local policy server and not the remote policy server.

ideas?

Re: Device Authentication Issue

Mark Elsen — Thu, 31 Jan 2019 16:08:26 GMT

- Depends on the configuration of the NAD , check the how the PSN's are configured and the priority-order.

Re: Device Authentication Issue

Damien Miller — Thu, 31 Jan 2019 17:03:44 GMT

This can vayr a bit based on the configuration used in your environment. An example of how this works follows.

You will have two radius servers configured on the NAD. The order these two pieces appear is does not matter.
!!!Define radius server 1
radius server ISE-East
address ipv4 10.100.100.100 auth-port 1812 acct-port 1813
key xxxxx
!
!!!Define raidus server 2
radius server ISE-West
address ipv4 10.200.200.200 auth-port 1812 acct-port 1813
key xxxxx
!

You then should have your radius servers defined as a group. The order that the radius server names above appear in this group defines the order that they are used. In this case, ISE-West will be used first, ISE-East second (when there is an issue with first).
!
aaa group server radius <your_group_name>
server name ISE-West
server name ISE-East
!

Some alternate configs exist where the NAD can do load balancing across radius server nodes. If you scrub a config and share it we can confirm for you if this is the case, or at least why you are seeing the behavior you are.

Re: Device Authentication Issue

mpbaker82 — Thu, 31 Jan 2019 18:04:07 GMT

when we use server groups thats how we set it up. but this device uses radius-server host

AAA Configuration

radius-server host 10.100.100.100 (local ise node)
radius-server host 10.200.200.200 (remote ise node)

aaa authentication login default radius local

radius-server key 7 <key here>

its for soem reason skipping the 10.100.100.100 and going right too 10.200.200.200 which doesnt make any sense when i can ping 10.100.100.100. I know the device can reach the local ise node

Re: Device Authentication Issue

Damien Miller — Thu, 31 Jan 2019 22:20:14 GMT

I was going to play with this in my lab but I didn't have a switch on a version of software that supported the old radius-server host config. It took me a while but I found an old 2960 in my closet and played with it a bit.

I found that the aaa server priority it set based on which server is configured first, sh aaa servers. The servers go in to the running config in the order I configure them on my test switch and they persist this way through reloads. I was able to flip the order removing priority one from the running/startup config, then entering it in to the config again.