topic Re: ISE 2.6 - Radius requests on a different interface in Network Access Control

ISE 2.6 - Radius requests on a different interface

tsuthar — Sun, 21 Aug 2022 14:52:22 GMT

Hello I am using ISE 2.6 in a VM setup. I have two interfaces:

G0: Meant to be for management purpose to login to the UI

G2: Exposed to the network where Radius AAA requests incoming. Its a requirement to use this G2 interface only and not respond to the Radius AAA requests on G0. The G2 interface was added afterwards and I put a static route pointing to the G2 GW for the NADs IP subnet where the auth requests are generated from. So IP reachability is there but we discovered that interface G2 is not responding to the Radius requests. How do we make it to work (besides fixing the IP route for return packets which I already did)?

Thanks

Re: ISE 2.6 - Radius requests on a different interface

Rob Ingram — Sun, 21 Aug 2022 15:10:25 GMT

@tsuthar ISE listens for RADIUS requests on all interfaces as default.

I assume you can ping the G2 IP address from the NADs?

The RADIUS server configuration on the NADs points to the G2 IP address?

If you run "show aaa server" is the RADIUS server UP?

Re: ISE 2.6 - Radius requests on a different interface

tsuthar — Sun, 21 Aug 2022 15:19:11 GMT

@Rob Ingram Yes the G2 IP is reachable by the NADs. And the AAA configuration is done to point to the G2 IP. We ran traces and the AAA requests are sent from the NADs but there is no response coming back. To test and isolate the issue - I put freerad (in the same subnet as the ISE VM) as an alternative and it is able to authenticate/authorize without any problem. So that tells me somehow ISE is not responding to the AAA requests. Looks like some configuration needs to happen which I am trying to figure out.

Appreciate any help.

Re: ISE 2.6 - Radius requests on a different interface

Rob Ingram — Sun, 21 Aug 2022 15:25:42 GMT

@tsuthar ok so you can ping the G2 interface, but does the NAD confirm the NAD is UP - "show aaa server"?

Run tcpdump on ISE to confirm the packets reach ISE.

I assume you've defined the NADs in ISE with the correct shared secret? If not there will be no logs.

Re: ISE 2.6 - Radius requests on a different interface

tsuthar — Sun, 21 Aug 2022 15:38:12 GMT

Yes all those basic config is not an issue. Just to add to what tests we ran another test here: I moved one of the NADs to a different network which can reach the G0 interface (even though its not allowed by policy but for testing purpose I managed to do it). I changed the NAD AAA config to point to the G0 IP , the AAA is working just fine. So that tells me G2 is not able to serve the AAA requests.

Re: ISE 2.6 - Radius requests on a different interface

Rob Ingram — Sun, 21 Aug 2022 15:50:43 GMT

@tsuthar well ISE listens for RADIUS on all interfaces, perhaps there is a bug for your patch version of ISE, have you checked?

Did you confirm whether ISE receives the RADIUS requests destined to the G2 IP address by using tcpdump?

Re: ISE 2.6 - Radius requests on a different interface

tsuthar — Sun, 21 Aug 2022 16:28:03 GMT

Yes Rob. I see the radius requests coming in. See attached a snapshot.

You've mentioned about a possible bug - I have this patch applied: ise-patchbundle-2.6.0.156-Patch10-21081000.SPA.x86_64.tar.gz

Here is the livelog:

Steps

	11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	11007	Could not locate Network Device or AAA Client
	5405	RADIUS Request dropped

If it's sending the response on G0 - obviously the NAD won't be reachable.

Re: ISE 2.6 - Radius requests on a different interface

Rob Ingram — Sun, 21 Aug 2022 16:58:48 GMT

@tsuthar this message "Could not locate Network Device or AAA Client" sticks out.....

Conditions Click the magnifying glass icon in Authentications to display the steps in the Authentication Report. The logs display the following error message:
• 11007 Could not locate Network Device or AAA Client Resolution
Possible Causes The administrator did not correctly configure the network access device (NAD) type in Cisco ISE.
Resolution Add the NAD in Cisco ISE again, verifying the NAD type and settings.

https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.pdf

Are you saying the packet capture confirms it's coming from the incorrect interface IP?

Re: ISE 2.6 - Radius requests on a different interface

tsuthar — Mon, 22 Aug 2022 13:17:04 GMT

Sorry Rob - was outside yesterday.

If its a NAD issue that it should not work on when using the G0 interface. I tried re-adding the NAD type and attributes but no luck.

To your earlier question - the tcpdump shows the incoming request to the ISE on the G2 interface (correct interface) but nothing going back or no response going out on G2.

Re: ISE 2.6 - Radius requests on a different interface

MHM Cisco World — Mon, 22 Aug 2022 13:25:41 GMT

from NAD can you ping G2.
how you connect both Interface to SW ?

Re: ISE 2.6 - Radius requests on a different interface

tsuthar — Mon, 22 Aug 2022 13:34:05 GMT

Yes, I am able to ping the G2 interface (stated earlier too) from the NAD as well as the Client. G0 is on a different network for VM-NET-MGMT (for management purpose only i.e. for users to login to ISE etc..). The G2 is on a different Network that connects into the DC Switch where the Client + NAD auth requests come in. Hope this clarifies my setup.

Re: ISE 2.6 - Radius requests on a different interface

MHM Cisco World — Mon, 22 Aug 2022 13:39:01 GMT

able to ping G2 using the NAD IP add in ISE ?
use
ping G2 source NAD IP <as you enter in ISE>

Re: ISE 2.6 - Radius requests on a different interface

tsuthar — Mon, 22 Aug 2022 14:06:14 GMT

@MHM Cisco World Thanks - that was the issue. When I flipped back and forth I didn't change the IP of the NAD in the ISE. Once I corrected auth started working. Thanks for the pointer.

Re: ISE 2.6 - Radius requests on a different interface

MHM Cisco World — Mon, 22 Aug 2022 14:17:05 GMT

You are so so welcome