topic Re: ASA aaa-server to ISE in Network Security

ASA aaa-server to ISE

Madura Malwatte — Fri, 21 Feb 2020 17:02:50 GMT

I am trying to get my ASA added to ISE as a network device, but having issues with the aaa-server config and output.

Here is the config I have:

aaa-server ISE protocol radius
authorize-only
interim-accounting-update
merge-dacl before-avpair
dynamic-authorization

aaa-server ISE (inside) host 10.10.10.2
key *****
authentication-port 1812
accounting-port 1813
radius-common-pw *****
aaa-server ISE (inside) host10.10.10.3
key *****
authentication-port 1812
accounting-port 1813
radius-common-pw *****

ASA01# show aaa-server ISE
Server Group: ISE
Server Protocol: radius
Server Address: 10.10.10.2
Server port: 1812(authentication), 1813(accounting)
Server status: FAILED, Server disabled at 04:20:23 UTC Tue Apr 9 2019
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 39
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 39
Number of unrecognized responses 0

Server Group: ISE
Server Protocol: radius
Server Address:10.10.10.3
Server port: 1812(authentication), 1813(accounting)
Server status: ACTIVE, Last transaction at 04:19:42 UTC Tue Apr 9 2019
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 37
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 37
Number of unrecognized responses 0

Weird thing is one say active the other failed. Both seems to have failed though. And the authentication requests don't increment at all, its been stuck at that value for a while. Last transaction was over a week ago. Do I need to configure the timeout value to get the requests going again? And why would it say active but last transaction is from Apr 9 and no requests incrementing?

Re: ASA aaa-server to ISE

Seb Rupik — Tue, 16 Apr 2019 06:43:10 GMT

Hi there,

Please can you share your AAA method configuration from the ASA:

sh run | inc aaa

cheers,

Seb.

Re: ASA aaa-server to ISE

Madura Malwatte — Tue, 16 Apr 2019 07:22:02 GMT

Sure here it is:

ASA01# show run | inc aaa
aaa-server Other protocol tacacs+
aaa-server Other (management) host 10.11.1.1
aaa-server Other (management) host 10.11.1.2
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.10.10.2
aaa-server ISE (inside) host 10.10.10.3
aaa authentication ssh console Other LOCAL
aaa authentication enable console Other LOCAL
aaa authentication http console Other LOCAL
authentication aaa certificate

Re: ASA aaa-server to ISE

Seb Rupik — Tue, 16 Apr 2019 08:34:25 GMT

You are not listing the ISE server group in any of your AAA methods.

What are you planing on using ISE for? VPN authentication?

cheers,

Seb.

Re: ASA aaa-server to ISE

Madura Malwatte — Tue, 16 Apr 2019 12:11:10 GMT

Yes, its going to be used for VPN authentication and posture.

These documents do not mention anything about having ISE server group in AAA methods:

ASA Version 9.2.1 VPN Posture with ISE Configuration Example

How To: ISE and ASA Integration using CoA for Posture

Which document should I be using for configuring the ASA for deployment with ISE?

Re: ASA aaa-server to ISE

Seb Rupik — Tue, 16 Apr 2019 12:47:20 GMT

That's correct. That's why i asked in absence of the AAA methods what you were planning using ISE for.

Can you share the relevant VPN configuration that you have made?

Re: ASA aaa-server to ISE

Madura Malwatte — Tue, 16 Apr 2019 12:59:16 GMT

I haven't done the VPN config yet. I was assuming that when you configure the ISE as aaa-server the ASA will start sending the radius packets to it? As I have added the ASA as network device into ISE, but can't tell if it is sending the radius packets yet? Hence the output of show aaa-servers is quite unclear. I mean I can do a packet capture on ISE, but wanted to know if we should at least see the ASA sending some requests in the show aaa-servers output.

Re: ASA aaa-server to ISE

Madura Malwatte — Wed, 17 Apr 2019 00:00:56 GMT

Hi @Seb Rupik were you able to take a look at what I can try to get this working?

Re: ASA aaa-server to ISE

Rahul Govindan — Wed, 17 Apr 2019 11:53:35 GMT

This assumption is incorrect. What you have done is only define the AAA-server. You would need to either do a "test aaa authentication" or actually configure this aaa-server as AAA authentication server under the tunnel-group. When a VPN user authenticates, the request is then sent to the ISE.

Re: ASA aaa-server to ISE

Madura Malwatte — Wed, 17 Apr 2019 14:41:08 GMT

Hi Rahul, I meant to say radius packets as in some probes. But I understand now to do that we have to use the test aaa command. So comes back to my the show output I shared where one ISE server is marked as "FAILED" while the other is "ACTIVE", how does ASA determine these states? For the active server last transaction was April 9th. And the failed server shows "Server disabled"...