topic Re: RADIUS over VRF in Network Access Control

RADIUS over VRF

Darkmatter — Fri, 19 Jun 2020 10:49:51 GMT

Seems like i got something wrong, only i cannot find what's going sideways.

I can ping my ISE RADIUS servers in the default Mgmt-vrf but still, authentication requests are not reaching ISE.

Strangely enough i can ping these RADIUS servers within the default Mgmt-vrf, but when look at the "show AAA servers" believing there seems to be something not ok because of the DEAD, i have no clue what this Platform State from SMD means.

In addition, "test aaa group radius server 192.168.255.49 auth-port 1812 acct-port 1813 test-user test legacy" throws an "access reject" response on the console, from which i would conclude that all is working fine, but checking the RADIUS live logs in ISE i don't see any failed authentication.

If i test with "test aaa group radius server 192.168.255.49 auth-port 1812 acct-port 1813 test-user test new-code", it again throws an "access reject" response on the console, and now RADIUS live logs in ISE display the failed authentication!

TCP dump on ISE during the legacy test doesn't show any RADIUS packets, during new-code test, RADIUS packets are visible.

Hope someone can help me troubleshoot en eventually solve this issue.

Thanks!

Re: RADIUS over VRF

Mike.Cifelli — Fri, 19 Jun 2020 12:40:34 GMT

You have the ability to configure per vrf AAA server groups. Make sure that whichever server group you reference in your AAA commands has the specified vrf fowarding under the server group. To me your situation sounds like you may be missing this, and your NAD is using a global config which is how you are sourcing from mgmt-vrf. Then make sure in the vrf you wish to use that you have routes back to ISE.
Brief example:
aaa group server radius ISE_Group
server name abcd1
server name abcd2
ip vrf forwarding VRF1
ip radius source-interface Loopback0
....
radius server abcd1
address ipv4 xxxx auth-port 1812 acct-port 1813
timeout 2
retransmit 1
....
radius server abcd2
address ipv4 xxxx auth-port 1812 acct-port 1813
timeout 2
retransmit 1

Good luck & HTH!

Re: RADIUS over VRF

Darkmatter — Fri, 19 Jun 2020 22:22:35 GMT

Thanks for the suggestion but I gave multiple info that connectivity inside the VRF is fine, i read the Cisco docs on AAA per VRF, so i don't think that's the issue.

Moreover i have the exact same config you posted with the only difference that my source interface is Gi0/0 - which is a management interface on the switch and in the same VRF ofcourse - it's a Catalyst 3850

Again, "test aaa group radius server 192.168.255.49 auth-port 1812 acct-port 1813 test-user test legacy" throws an "access reject" response on the console which is the expected behaviour, from which i would conclude that all is working fine, but checking the RADIUS live logs in ISE i don't see any failed authentication.

Re: RADIUS over VRF

Louis Gonzales — Thu, 10 Jun 2021 17:09:55 GMT

Not sure if you ever got your answer but in our environment I found that I needed the following command in the global configuration to get Radius over VRF to work.

ip radius source-interface GigabitEthernet0/0 vrf Mgmt-vrf