https://community.cisco.com/t5/network-access-control/ise-radius-access-request-will-not-be-challenged/m-p/5142466#M590508 <P>Have you tried performing a manual sync up of&nbsp;<SPAN>ISE01?&nbsp; We have to rely on every node getting the same programming from the PAN - I have seen it once where I was configuring in the GUI, but one of the PSN's wasn't getting the changes I was making - I had to manually sync the node.</SPAN></P> <P><SPAN>If that doesn't work, then it would check your ISE RADIUS Policy Set - are the hit counters increasing?&nbsp; If not, then the Meraki is possibly not sending the request to that ISE - you can prove that ultimately by running a tcpdump on ISE01 while running that test from Meraki switch.</SPAN></P> Wed, 10 Jul 2024 04:23:32 GMT Arne Bier 2024-07-10T04:23:32Z https://community.cisco.com/t5/network-access-control/ise-radius-access-request-will-not-be-challenged/m-p/5136784#M590276 <P>&nbsp;</P> <P>Hi there,<BR />I have encountered the following problem.<BR />ISE small network deployment with two VMs each Pri/Sec (PAN,MnT,PSN) on Proxmox virtualisation.<BR />Authenticators are Meraki Wired/Wireless configured with the Dashboard.<BR />A test for a radius access request sent from the Meraki Dashboard (Switching - Access Policies) to both ISE PSN gets a response from ISE02 (Pri) but not from ISE01 (Sec).<BR />The same test for a Radius Access request sent from the Meraki Dashboard (Wireless - Access Policies) to both ISE PSN is getting a response from both PSN (Pri/Sec).<BR />There is no firewall or routing in place and both ISE nodes are reachable via ping.<BR />A pcap on the Core SW shows that the EAP packets are being sent to the VMs.<BR />A pcap on the Proxmox VMs interface shows that the EAP packet for the radius access request is reaching the dedicated node, but it is not being answered when sent from the switching access policy.</P> Thu, 27 Jun 2024 07:45:00 GMT https://community.cisco.com/t5/network-access-control/ise-radius-access-request-will-not-be-challenged/m-p/5136784#M590276 alex.f. 2024-06-27T07:45:00Z https://community.cisco.com/t5/network-access-control/ise-radius-access-request-will-not-be-challenged/m-p/5137070#M590293 <P>If certain RADIUS requests work (wireless) and others do not (wired) to your secondary PSN, are you seeing any Access-Rejects in the ISE LiveLogs from the switching requests to the 2nd node? If so, what is the reason?</P> <P>Turn off all RADIUS Suppression to ensure you are seeing all RADIUS Failed attempts:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/221805i70BDDF414EFF2E11/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Thu, 27 Jun 2024 15:00:21 GMT https://community.cisco.com/t5/network-access-control/ise-radius-access-request-will-not-be-challenged/m-p/5137070#M590293 thomas 2024-06-27T15:00:21Z https://community.cisco.com/t5/network-access-control/ise-radius-access-request-will-not-be-challenged/m-p/5137239#M590302 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/909893">@alex.f.</a>&nbsp;- are you able to issue a ping from the Switch Dashboard "Tools tab" (ping from .13 to .122) ?</P> <P>If ping succeeds, then the next thing I would check is whether the Switch (.13 address) is defined in ISE&nbsp;</P> Thu, 27 Jun 2024 21:06:38 GMT https://community.cisco.com/t5/network-access-control/ise-radius-access-request-will-not-be-challenged/m-p/5137239#M590302 Arne Bier 2024-06-27T21:06:38Z https://community.cisco.com/t5/network-access-control/ise-radius-access-request-will-not-be-challenged/m-p/5142210#M590499 <P>Yes, ping from the Meraki Dashboard is done successfully and the Switches are Network Devices in ISE.</P> <P>But all Switches in one Network Devices Object. </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Bildschirmfoto 2024-07-09 um 16.56.09.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/222865iEE729F2F4458E482/image-size/medium?v=v2&amp;px=400" role="button" title="Bildschirmfoto 2024-07-09 um 16.56.09.png" alt="Bildschirmfoto 2024-07-09 um 16.56.09.png" /></span></P> <P> </P> Tue, 09 Jul 2024 14:58:38 GMT https://community.cisco.com/t5/network-access-control/ise-radius-access-request-will-not-be-challenged/m-p/5142210#M590499 alex.f. 2024-07-09T14:58:38Z https://community.cisco.com/t5/network-access-control/ise-radius-access-request-will-not-be-challenged/m-p/5142466#M590508 <P>Have you tried performing a manual sync up of&nbsp;<SPAN>ISE01?&nbsp; We have to rely on every node getting the same programming from the PAN - I have seen it once where I was configuring in the GUI, but one of the PSN's wasn't getting the changes I was making - I had to manually sync the node.</SPAN></P> <P><SPAN>If that doesn't work, then it would check your ISE RADIUS Policy Set - are the hit counters increasing?&nbsp; If not, then the Meraki is possibly not sending the request to that ISE - you can prove that ultimately by running a tcpdump on ISE01 while running that test from Meraki switch.</SPAN></P> Wed, 10 Jul 2024 04:23:32 GMT https://community.cisco.com/t5/network-access-control/ise-radius-access-request-will-not-be-challenged/m-p/5142466#M590508 Arne Bier 2024-07-10T04:23:32Z