topic ISE 2.4 not getting radius username in Network Access Control

ISE 2.4 not getting radius username

manvik — Fri, 21 Feb 2020 19:01:41 GMT

Hi,

I am using ISE 2.4, ASA and Network monitor tool.

For user authentication from ASA and NM tool, Radius is used. Issue is ISE not getting username of Radius authentication in the radius logs.

In the radius live log, there is no username in the column, it plainly shows username only. PFA error screenshot.

I have added ASA and NM tool as devices in the ISE and enabled Radius authentication. Any idea why this is happening?

Error:

Event	5405 RADIUS Request dropped
Failure Reason	24616 RADIUS token identity store received timeout error
Resolution	Check that the RADIUS token server is configured correctly. Check that the network connection is working. Try to ping the RADIUS token server to verify that it is available. Check that the RADIUS token server is enabled and running.
Root cause	RADIUS token identity store received timeout error

Re: ISE 2.4 not getting radius username

thomas — Fri, 31 Aug 2018 19:24:30 GMT

Your PingFederate Token Server does not appear to be responding in a timely manner when ISE passes it the token for authentication and therefore the whole RADIUS transaction times out. It should be returning a failure response immediately for USERNAME:TOKEN. This is an entirely separate issue from passing the correct USERNAME to the token server in the first place.

For the <USERNAME> problem, I suggest you compare your ASA RADIUS configuration to one of our guides like ISE Design & Integration Guides > Cisco Adaptive Security Appliance (ASA) > How To Configure Posture with AnyConnect Compliance Module and ISE 2.0

For deeper troubleshooting, I suggest you call TAC.

Re: ISE 2.4 not getting radius username

manvik — Sat, 01 Sep 2018 07:50:05 GMT

Thank You Thomas,
You are right, PingFederate is not responding. We tested it with a working NAC server.
We need to figure our the USERNAME problem still.

Re: ISE 2.4 not getting radius username

hslai — Sat, 01 Sep 2018 17:14:50 GMT

ISE 2.4 is masking username for most of the failed authentications to meet one of Product Security Requirements. We have an existing enhancement request --

CSCvh91118

Re: ISE 2.4 not getting radius username

manvik — Tue, 04 Sep 2018 08:41:28 GMT

Hi Thomas,

We are using pingfederate as external server for radius authentication. Logs in pingfederate we are getting is "Ignoring packet from unknown client". ISE IP is added in pingfederate.

In ISE, pingfederate IP is added as external radius server and a radius server sequence is called in the ISE policy set.