topic Radius authentication with ISE - wrong IP address in Network Access Control

Radius authentication with ISE - wrong IP address

__Beth__ — Mon, 11 Mar 2019 04:54:24 GMT

Hello,

We are using ISE for radius authentication. I have setup a new Cisco switch stack at one of our locations and setup the network device in ISE. Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client" The reason for this failure is the log shows it's coming from the wrong IP address. The IP address of the switch is 10.xxx.aaa.241, but the logs show it is 10.xxx.aaa.243. I have removed and re-added the radius configs on both ISE and the switch, but it still comes in as .243. There is another switch stack at that location (same model, IOS etc), that works properly.

The radius config on the switch:

aaa new-model
!
!
aaa authentication login default local
aaa authentication login Comm group radius local
aaa authentication enable default enable
aaa authorization exec default group radius if-authenticated

ip radius source-interface Vlanyy
radius server 10.xxx.yyy.zzz
address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
key 7 abcdefg

The log from ISE:

Overview
Event 5405 RADIUS Request dropped
Username
Endpoint Id
Endpoint Profile
Authorization Profile

Authentication Details
Source Timestamp 2014-07-30 08:48:51.923
Received Timestamp 2014-07-30 08:48:51.923
Policy Server ise
Event 5405 RADIUS Request dropped
Failure Reason 11007 Could not locate Network Device or AAA Client
Resolution Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices
Root cause Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
Username
User Type
Endpoint Id
Endpoint Profile
IP Address
Identity Store
Identity Group
Audit Session Id
Authentication Method
Authentication Protocol
Service Type
Network Device
Device Type
Location
NAS IP Address 10.xxx.aaa.243
NAS Port Id tty2
NAS Port Type Virtual
Authorization Profile
Posture Status
Security Group
Response Time

Other Attributes
ConfigVersionId 107
Device Port 1645
DestinationPort 1812
Protocol Radius
NAS-Port 2
AcsSessionID ise1/186896437/1172639
Device IP Address 10.xxx.aaa.243
CiscoAVPair

Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11007 Could not locate Network Device or AAA Client
5405

As a test, I setup a device using the .243 address. While ISE claims it authenticates, it really doesn't. I have to use my local account to access the device.

Any advice on how to resolve this issue would be appreciated. Please let me know if more information is needed.

Here is the debug from the

__Beth__ — Wed, 30 Jul 2014 17:04:16 GMT

Here is the debug from the switch. It shows the correct IP.

Jul 29 19:10:18.346: RADIUS/ENCODE(00000280): ask "Password: "
Jul 29 19:10:18.346: RADIUS/ENCODE(00000280): send packet; GET_PASSWORD
Jul 29 19:10:21.568: RADIUS/ENCODE(00000280):Orig. component type = Exec
Jul 29 19:10:21.568: RADIUS: AAA Unsupported Attr: interface         [221] 4   130327720
Jul 29 19:10:21.568: RADIUS/ENCODE(00000280): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Jul 29 19:10:21.568: RADIUS(00000280): Config NAS IP: 10.xxx.aaa.241
Jul 29 19:10:21.568: RADIUS(00000280): Config NAS IPv6: ::
Jul 29 19:10:21.572: RADIUS/ENCODE(00000280): acct_session_id: 630
Jul 29 19:10:21.572: RADIUS(00000280): sending
Jul 29 19:10:21.572: RADIUS(00000280): Sending a IPv4 Radius Packet
Jul 29 19:10:21.572: RADIUS(00000280): Send Access-Request to 10.xxx..yyy.zzz:1812 id 1645/63,len 73
Jul 29 19:10:21.572: RADIUS: authenticator C8 AE FE 18 6E 2E 9E 5E - 07 A8 E9 D6 2A 40 41 B6
Jul 29 19:10:21.572: RADIUS: User-Name           [1]   11 "username"
Jul 29 19:10:21.572: RADIUS: User-Password       [2]   18 *
Jul 29 19:10:21.572: RADIUS: NAS-Port            [5]   6   2
Jul 29 19:10:21.572: RADIUS: NAS-Port-Id         [87] 6   "tty2"
Jul 29 19:10:21.572: RADIUS: NAS-Port-Type       [61] 6   Virtual                   [5]
Jul 29 19:10:21.572: RADIUS: NAS-IP-Address      [4]   6   10.xxx.aaa.241
Jul 29 19:10:21.572: RADIUS(00000280): Started 5 sec timeout
Jul 29 19:10:26.609: RADIUS(00000280): Request timed out!
Jul 29 19:10:26.609: RADIUS: Retransmit to (10.xxx..yyy.zzz:1812,1813) for id 1645/63
Jul 29 19:10:26.609: RADIUS(00000280): Started 5 sec timeout
Jul 29 19:10:31.628: RADIUS(00000280): Request timed out!
Jul 29 12:10:31: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.yyy.zzz:1812,1813 is n
ot responding.
Jul 29 12:10:31: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx..yyy.zzz:1812,1813 is being marked alive.
Jul 29 19:10:31.628: RADIUS: Retransmit to (10.xxx..yyy.zzz:1812,1813) for id 1645/63
Jul 29 19:10:31.628: RADIUS(00000280): Started 5 sec timeout
Jul 29 19:10:36.683: RADIUS(00000280): Request timed out!
Jul 29 19:10:36.683: RADIUS: Retransmit to (10.xxx..yyy.zzz:1812,1813) for id 1645/63
Jul 29 19:10:36.683: RADIUS(00000280): Started 5 sec timeout
Jul 29 19:10:41.730: RADIUS(00000280): Request timed out!
Jul 29 19:10:41.730: RADIUS: No response from (10.xxx..yyy.zzz:1812,1813) for id 1645/63
Jul 29 19:10:41.730: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Jul 29 19:10:41.730: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
Jul 29 19:10:43.750: RADIUS/ENCODE(00000280): ask "Password: "
Jul 29 19:10:43.750: RADIUS/ENCODE(00000280): send packet; GET_PASSWORD
Jul 29 19:10:56.334: RADIUS/ENCODE(00000280):Orig. component type = Exec
Jul 29 19:10:56.334: RADIUS: AAA Unsupported Attr: interface         [221] 4   130327720
Jul 29 19:10:56.334: RADIUS/ENCODE(00000280): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Jul 29 19:10:56.334: RADIUS(00000280): Config NAS IP: 10.xxx.aaa.241
Jul 29 19:10:56.334: RADIUS(00000280): Config NAS IPv6: ::
Jul 29 19:10:56.334: RADIUS/ENCODE(00000280): acct_session_id: 630
Jul 29 19:10:56.334: RADIUS(00000280): sending
Jul 29 19:10:56.334: RADIUS(00000280): Sending a IPv4 Radius Packet
Jul 29 19:10:56.334: RADIUS(00000280): Send Access-Request to 10.xxx..yyy.zzz:1812 id 1645/64,len 73
Jul 29 19:10:56.334: RADIUS: authenticator 40 8D 12 B8 9B 21 41 F6 - 71 90 77 A6 C0 45 AE C1
Jul 29 19:10:56.334: RADIUS: User-Name           [1]   11 "username"
Jul 29 19:10:56.334: RADIUS: User-Password       [2]   18 *
Jul 29 19:10:56.334: RADIUS: NAS-Port            [5]   6   2
Jul 29 19:10:56.334: RADIUS: NAS-Port-Id         [87] 6   "tty2"
Jul 29 19:10:56.334: RADIUS: NAS-Port-Type       [61] 6   Virtual                   [5]
Jul 29 19:10:56.337: RADIUS: NAS-IP-Address      [4]   6   10.xxx.aaa.241
Jul 29 19:10:56.337: RADIUS(00000280): Started 5 sec timeout
Jul 29 19:11:01.374: RADIUS(00000280): Request timed out!
Jul 29 19:11:01.374: RADIUS: Retransmit to (10.xxx..yyy.zzz:1812,1813) for id 1645/64
Jul 29 19:11:01.374: RADIUS(00000280): Started 5 sec timeout
Jul 29 19:11:06.415: RADIUS(00000280): Request timed out!
Jul 29 19:11:06.415: RADIUS: Retransmit to (10.xxx..yyy.zzz:1812,1813) for id 1645/64
Jul 29 19:11:06.415: RADIUS(00000280): Started 5 sec timeout
Jul 29 19:11:11.469: RADIUS(00000280): Request timed out!
Jul 29 19:11:11.469: RADIUS: Retransmit to (10.xxx..yyy.zzz:1812,1813) for id 1645/64
Jul 29 19:11:11.469: RADIUS(00000280): Started 5 sec timeout
Jul 29 19:11:16.513: RADIUS(00000280): Request timed out!
Jul 29 19:11:16.513: RADIUS: No response from (10.xxx..yyy.zzz:1812,1813) for id 1645/64
Jul 29 19:11:16.513: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Jul 29 19:11:16.513: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
Jul 29 19:11:16.537: RADIUS/ENCODE(00000280): author with failed authen
Jul 29 19:11:16.537: RADIUS/ENCODE(00000280): send packet; BEGIN

can you issue , " radius

Saurav Lodh — Fri, 01 Aug 2014 07:10:32 GMT

can you issue , " radius-server attribute 6 on-for-login-auth " to switch in config mode?

Symptoms or IssueCisco ISE is

mohanak — Mon, 04 Aug 2014 10:37:21 GMT

Symptoms or Issue	Cisco ISE is not able to identify the specified Network Access Device (NAD).
Conditions	Click the magnifying glass icon in Authentications to display the steps in the Authentication Report. The logs display the following error message: •11007 Could not locate Network Device or AAA Client Resolution
Possible Causes	The administrator did not correctly configure the network access device (NAD) type in Cisco ISE.
Resolution	Add the NAD in Cisco ISE again, verifying the NAD type and settings.

Thank you Salodh, I added

__Beth__ — Mon, 04 Aug 2014 14:26:03 GMT

Thank you Salodh, I added radius-server attribute 6 on-for-login-auth to the config and unfortunately, it did not resolve the problem.

Monanak, thank you for your reply. The device is built properly in ISE. The problem seems that when the request comes into ISE, it's using the wrong IP address. The device IP address last octet ends in .241; however, ISE is seeing it come in as .243. As a test, I build a device in ISE with .243 and while ISE thinks it is authenticating, the switch will not allow me in with my radius credentials.

I have attached a screen shot that shows my attempts. The bottom four attempts are where it's using my test config for a .243 device. The top attempts were after I removed the test device. I hope this helps clarify the issue.

Thank you. 🙂

Well from the debug I would

embowers1 — Mon, 04 Aug 2014 20:41:23 GMT

Well from the debug I would say there may be an issue with the addressing of the radius server on the switch.

radius-server host 10.xxx.xxx.xxx key******** <--- Make sure this address and Key matches what you have in ISE PSN and that switch. Watch for spaces in your key at the begining or end of the string.

What interface should your switch be sending the radius request?

ip radius source-interface VlanXXX vrf default

Here is what my debug looks like when it is working correctly.

Aug 4 15:58:47 EST: RADIUS/ENCODE(00000265): ask "Password: "
Aug 4 15:58:47 EST: RADIUS/ENCODE(00000265):Orig. component type = EXEC
Aug 4 15:58:47 EST: RADIUS(00000265): Config NAS IP: 10.xxx.xxx.251
Aug 4 15:58:47 EST: RADIUS/ENCODE(00000265): acct_session_id: 613
Aug 4 15:58:47 EST: RADIUS(00000265): sending
Aug 4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.xxx.xxx.35:1645 id 1645/110, len 104
Aug 4 15:58:47 EST: RADIUS: authenticator 97 FB CF 13 2E 6F 62 5D - 5B 10 1B BD BA EB C9 E3
Aug 4 15:58:47 EST: RADIUS: User-Name           [1]   9   "admin"
Aug 4 15:58:47 EST: RADIUS: Reply-Message       [18] 12
Aug 4 15:58:47 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
Aug 4 15:58:47 EST: RADIUS: User-Password       [2]   18 *
Aug 4 15:58:47 EST: RADIUS: NAS-Port            [5]   6   3
Aug 4 15:58:47 EST: RADIUS: NAS-Port-Id         [87] 6   "tty3"
Aug 4 15:58:47 EST: RADIUS: NAS-Port-Type       [61] 6   Virtual                   [5]
Aug 4 15:58:47 EST: RADIUS: Calling-Station-Id [31] 15 "10.xxx.xxx.100"
Aug 4 15:58:47 EST: RADIUS: Service-Type        [6]   6   Login                     [1]
Aug 4 15:58:47 EST: RADIUS: NAS-IP-Address      [4]   6   10.xxx.xxx.251
Aug 4 15:58:47 EST: RADIUS(00000265): Started 5 sec timeout
Aug 4 15:58:47 EST: RADIUS: Received from id 1645/110 10.xxx.xxx.35:1645, Access-Accept, len 127
Aug 4 15:58:47 EST: RADIUS: authenticator 1B 98 AB 4F B1 F4 81 41 - 3D E1 E9 DB 33 52 54 C1
Aug 4 15:58:47 EST: RADIUS: User-Name           [1]   9   "admin"
Aug 4 15:58:47 EST: RADIUS: State               [24] 40
Aug 4 15:58:47 EST: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61 [ReauthSession:0a]
Aug 4 15:58:47 EST: RADIUS:   30 63 66 65 32 33 30 30 30 31 46 37 30 37 35 33 [0cfe230001F70753]
Aug 4 15:58:47 EST: RADIUS:   44 46 45 35 46 37            [ DFE5F7]
Aug 4 15:58:47 EST: RADIUS: Class               [25] 58
Aug 4 15:58:47 EST: RADIUS:   43 41 43 53 3A 30 61 30 63 66 65 32 33 30 30 30 [CACS:0a0cfe23000]
Aug 4 15:58:47 EST: RADIUS:   31 46 37 30 37 35 33 44 46 45 35 46 37 3A 50 52 [1F70753DFE5F7:PR]
Aug 4 15:58:47 EST: RADIUS:   59 49 53 45 30 30 32 2F 31 39 33 37 39 34 36 39 [YISE002/19379469]
Aug 4 15:58:47 EST: RADIUS:   38 2F 32 30 36 33 31 36          [ 8/206316]
Aug 4 15:58:47 EST: RADIUS(00000265): Received from id 1645/110

---------------------------------------------------------------------------------------------------------------This is after I added the incorrect Radius server address.

Aug 4 16:05:19 EST: RADIUS/ENCODE(00000268): ask "Password: "
Aug 4 16:05:19 EST: RADIUS/ENCODE(00000268):Orig. component type = EXEC
Aug 4 16:05:19 EST: RADIUS(00000268): Config NAS IP: 10.xxx.xxx.251
Aug 4 16:05:19 EST: RADIUS/ENCODE(00000268): acct_session_id: 616
Aug 4 16:05:19 EST: RADIUS(00000268): sending
Aug 4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.xxx.xxx.55:1645 id 1645/112, len 104
Aug 4 16:05:19 EST: RADIUS: authenticator FC 94 BA 5D 75 1F 84 08 - E0 56 05 3A 7F BC FB BB
Aug 4 16:05:19 EST: RADIUS: User-Name           [1]   9   "admin"
Aug 4 16:05:19 EST: RADIUS: Reply-Message       [18] 12
Aug 4 16:05:19 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
Aug 4 16:05:19 EST: RADIUS: User-Password       [2]   18 *
Aug 4 16:05:19 EST: RADIUS: NAS-Port            [5]   6   7
Aug 4 16:05:19 EST: RADIUS: NAS-Port-Id         [87] 6   "tty7"
Aug 4 16:05:19 EST: RADIUS: NAS-Port-Type       [61] 6   Virtual                   [5]
Aug 4 16:05:19 EST: RADIUS: Calling-Station-Id [31] 15 "10.xxx.xxx.100"
Aug 4 16:05:19 EST: RADIUS: Service-Type        [6]   6   Login                     [1]
Aug 4 16:05:19 EST: RADIUS: NAS-IP-Address      [4]   6   10.xxx.xxx.251
Aug 4 16:05:19 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:23 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:23 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:23 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:29 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:29 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:29 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:33 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
Aug 4 16:05:33 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
Aug 4 16:05:33 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:33 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:38 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:38 EST: RADIUS: Fail-over to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:38 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:43 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:43 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:43 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:48 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:48 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:48 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:53 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:53 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
Aug 4 16:05:53 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
Aug 4 16:05:53 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:53 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:57 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:57 EST: RADIUS: No response from (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:57 EST: RADIUS/DECODE: parse response no app start; FAIL
Aug 4 16:05:57 EST: RADIUS/DECODE: parse response; FAIL

This is a default template I use for all my devices routers or switches hope it helps. I have two PSN's that is why we have two radius-server host commands..

aaa authentication login vty group radius local enable

aaa authentication login con group radius local enable

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting system default start-stop group radius

ip radius source-interface VlanXXX vrf default

radius-server attribute 6 on-for-login-auth

radius-server attribute 6 support-multiple

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server dead-criteria time 30 tries 3

radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********

radius-server vsa send accounting

radius-server vsa send authentication

You can use this in the switch to test radius

test aaa group radius server 10.xxx.xxx.xxx <username> <password>

Thank you embowers! We are

__Beth__ — Thu, 07 Aug 2014 20:58:25 GMT

Thank you embowers! We are making progress! I am not quite sure what did it, but I am now able to authenticate with radius. The only issue is that it fails the first four times and then it works. (All in one session, I don't actually have to reenter my username and password). Here is a piece of the debug:

Aug 7 18:33:41.683: RADIUS: Retransmit to (10.xxx.yyy.zzz:1812,1813) for id 1645/97
Aug 7 18:33:41.683: RADIUS(000004B6): Started 5 sec timeout
Aug 7 18:33:41.718: RADIUS: Received from id 1645/97 10.xxx.yyy.zzz:1812, Access-Reject, len 20
Aug 7 18:33:41.718: RADIUS: authenticator xxx
Aug 7 18:33:41.718: RADIUS: response-authenticator decrypt fail, pak len 20
Aug 7 18:33:41.718: RADIUS: packet dump: xxx
Aug 7 18:33:41.718: RADIUS: expected digest: xxx
Aug 7 18:33:41.721: RADIUS: response authen: xxx
Aug 7 18:33:41.721: RADIUS: request authen: xxx
Aug 7 18:33:41.721: RADIUS: Response (97) failed decrypt
Aug 7 18:33:46.733: RADIUS(000004B6): Request timed out!
Aug 7 18:33:46.733: RADIUS: Retransmit to (10.xxx.yyy.zzz:1812,1813) for id 1645/97

Also, thank you for the tip on how to test it from the switch! I will save that one for future use!

Beth, For this issue I

embowers1 — Fri, 08 Aug 2014 12:14:51 GMT

Beth,

For this issue I would like to know what type of switch that debug came from and the Version of IOS. What is concerning is the decrypt failure. I will throw a guess that it is a 15.x image?

Hi Embowers, Thank you for

__Beth__ — Fri, 08 Aug 2014 14:00:15 GMT

Hi Embowers, Thank you for the reply. It's Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.0(2)EX5, RELEASE SOFTWARE (fc1)

BethRemove your (radius

embowers1 — Fri, 08 Aug 2014 14:17:43 GMT

Beth

Remove your (radius-server host 10.x.x.x ...ect) line(s) and try this command and see if the problem goes away. The new portion is the phrase non-standard lets see if that helps.

radius-server host 10.xxx.xxx.xxx auth-port 1645 acct-port 1646 non-standard key ******

Thank you! I had used the

__Beth__ — Fri, 08 Aug 2014 15:14:17 GMT

Thank you! I had used the newer radius server command as this one will be deprecated soon. Apparently that was the problem, because since I used your suggestion, radius is working as it should. I really do appreciate you help. Have a great weekend!

Re: Thank you! I had used the

smace — Thu, 04 Jan 2018 20:34:43 GMT

So, this thread is 3 1/2 years old now, but I found a more correct solution to the problem you were having. I was having it as well. I changed the IP address of a RADIUS client and could no longer authenticate. What I ended up doing was taking a packet capture from my RADIUS server (Windows NPS) and found that the source IP of the PACKET, not the NAS-ID, was the old IP address. I removed and readded the ip radius source-interface Vlan x command and that did the trick without having to reconfigure the RADIUS server parameters or move from the new radius config to the deprecated config. Hope this helps someone else with the same problem.