topic Re: Radius timing out to ISE in Network Access Control

Radius timing out to ISE

Madura Malwatte — Mon, 27 Aug 2018 15:53:07 GMT

I am testing RADIUS connectivity to ISE PSN and not seeing any radius packets on the ISE side. This is using the "test aaa" command.

PSN shows state as UP, does this mean the switch checked whether it can connect to the PSN on the radius ports? How does it determine "UP" status?

You can see below, request 48 and timeouts 48. Debugs on the switch show the same thing:

*Aug 27 15:22:01.344: RADIUS(00000000): Sending a IPv4 Radius Packet
*Aug 27 15:22:01.344: RADIUS(00000000): Started 5 sec timeout
*Aug 27 15:22:06.380: RADIUS(00000000): Request timed out!
*Aug 27 15:22:06.380: RADIUS: Retransmit to (10.203.158.13:1812,1813) for id 1645/10

Switch#show aaa servers

RADIUS: id 1, priority 1, host 10.203.158.13, auth-port 1812, acct-port 1813
State: current UP, duration 1125s, previous duration 0s
Dead: total time 1257s, count 3
Quarantined: No
Authen: request 48, timeouts 48, failover 0, retransmission 36
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 12
Throttled: transaction 0, timeout 0, failure 0

I have double checked the config on switch and on ISE. Radius live logs on ISE doesn't show anything. Besides packet capture is there anything else I could check?

Re: Radius timing out to ISE

Rob Ingram — Mon, 27 Aug 2018 16:02:40 GMT

Hi,
Have you defined the switch as a Network Access Device in ISE?

Re: Radius timing out to ISE

Madura Malwatte — Mon, 27 Aug 2018 16:09:17 GMT

Yes I definitely have, and enabled radius authentication settings with shared secret

Re: Radius timing out to ISE

Rob Ingram — Mon, 27 Aug 2018 16:13:03 GMT

If you run tcpdump on ISE do you see the incoming radius request from the switch?

Re: Radius timing out to ISE

paul — Mon, 27 Aug 2018 17:33:46 GMT

Unless you have the RADIUS on the switch configured to do proactive testing:

radius serve <NAME>
address ipv4 <IP> auth-port 1812 acct-port 1813
key 0 <key>
automate-tester username SW-Radius-Test ignore-acct-port idle-time 5

Then the only way the switch will know it is down is for active authentication sessions. If this is a test switch, do you have active authentications happening or just trying your test command? The RADIUS settings determine failure and dead time:

radius-server dead-criteria time 5 tries 3
radius-server deadtime 10

Do you have those properly configured? You can see from "show aaa servers" that the switch did mark it dead.

Dead: total time 1257s, count 3

I am guessing you don't have your deadtime cranked up to 10 minutes like I show above.

Re: Radius timing out to ISE

thomas — Mon, 27 Aug 2018 20:14:10 GMT

If ISE LiveLogs are showing nothing then you have a more fundamental reachability issue.

Can you ping the ISE PSN(s) from the switch using the same IP configured as the RADIUS source IP address?

If ping works, is there still a firewall blocking ports 1812/1813?

If there is no firewall, I suggest calling TAC for deeper troubleshooting.