topic Re: ISE error messages in Network Access Control

ISE error messages

nimmi.phasil — Wed, 22 Jun 2016 11:30:45 GMT

Hi ,

I am authenticating Fortinet with ISE . While ISE successfully authenticates fortinet ,the authentication reply is not reaching Fortinet firewall.

The firewall can ping ISE.

Following is the tcpdump messages. 210.18.5.70 is the fortinet firewall.

210.18.5.70.sify.net.blackjack > ISE.radius: RADIUS, length: 101

Access Request (1), id: 0x5b, Authenticator: 2edd47c7cb141a1488ece685ed655f6e

NAS ID Attribute (32), length: 18, Value: FGT60C3G11032050

Username Attribute (1), length: 10, Value: fortinet

Password Attribute (2), length: 18, Value:

Accounting Session ID Attribute (44), length: 10, Value: 2c4fc294

Connect Info Attribute (77), length: 13, Value: admin-login

Vendor Specific Attribute (26), length: 12, Value: Vendor: Unknown (12356)

Vendor Attribute: 3, Length: 4, Value: root

ISE.radius > 210.18.5.70.sify.net.blackjack: RADIUS, length: 218

Access Accept (2), id: 0x5b, Authenticator: 205dabbc626b00d9b8d58e3a7a9e5bc5

Username Attribute (1), length: 10, Value: fortinet

Service Type Attribute (6), length: 6, Value: Login

State Attribute (24), length: 67, Value: ReauthSession:ac1f01092H_GB3Ax4qI/2pYtcAtlpw9f1j3REGu8rBwJbaJ_8Xs

Class Attribute (25), length: 78, Value: CACS:ac1f01092H_GB3Ax4qI/2pYtcAtlpw9f1j3REGu8rBwJbaJ_8Xs:ISE/253643487/93219

Vendor Specific Attribute (26), length: 18, Value: Vendor: Unknown (12356)

Vendor Attribute: 1, Length: 10, Value: test-group

Vendor Specific Attribute (26), length: 19, Value: Vendor: Unknown (12356)

Vendor Attribute: 6, Length: 11, Value: super_admin

09:45:49.178300 IP (tos 0x0, ttl 252, id 1838, offset 0, flags [none], proto ICMP (1), length 56)

segment-119-227.sify.net > ISE: ICMP host 210.18.5.70.sify.net unreachable - admin prohibited filter, length 36

ISE.radius > 210.18.5.70.sify.net.blackjack: [|radius]

Regards

Nimmi

Re: ISE error messages

thomas — Wed, 22 Jun 2016 15:02:28 GMT

Nimmi,

You said the firewall can ping ISE but the RADIUS response is still failing. This sounds like a firewall configuration problem.

Please see our Cisco ISE Ports Reference for the various ports that must be opened in the ISE architecture for different features/capabilities.

For RADIUS between ISE and your network access devices (assuming you do not change from the default ports) you will need to open:

RADIUS Authentication: UDP/1645, 1812
RADIUS Accounting: UDP/1646, 1813
RADIUS Change of Authorization (CoA) Send: UDP/1700
RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799

Note: UDP port 3799 is not configurable.

If you continue to have firewall/connectivity problems, you will need to call the TAC.

Re: ISE error messages

nimmi.phasil — Thu, 23 Jun 2016 05:00:02 GMT

Hi Thomas,

The same ISE is doing radius authentication/authorization with other vendors like HP , Cisco .

Also , the authentication is successful in the ISE server. The problem is the response message is not reaching fortinet firewall.

Regards

Nimmi MP

Re: ISE error messages

nimmi.phasil — Thu, 23 Jun 2016 09:59:00 GMT

Hi,

This works with a different device. There is something filtering the message from reaching Fortinet.

Thanks for the support.

Regards

Nimmi MP

Re: ISE error messages

vibobrov — Thu, 23 Jun 2016 19:30:46 GMT

The response from ISE is being blocked by this device: segment-119-227.sify.net.