cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
Register for the monthly ISE Webinars to learn about ISE configuration and deployment.
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

868
Views
10
Helpful
10
Replies
Beginner

ISE 2.4 and Radius on Ciena Optical Platforms

Hi All,

I am having difficulty getting radius authentication to work with our Ciena 6500 optical chassis.  Trying to do Radius with PAP.  I have policy sets defined with TACACs and Radius.  Tacacs works fine.  I have a single policy that is suppossed to match network access protocol radius and from their authorize based on user and group, however I can't seem to get any hits on the policy.  The radius live logs indicate it is hitting default which doesn't permit PAP.  However the hit counters don't increment for the default catch all rule either at the bottom so I am not sure what I am hitting.  If I can get the requests to hit the policy I created I think I should be good.  The only condition for the policy is Network Access Protocol Radius.  Is there something else I need to do to make this work?  Or is there something else I may need to consider given they are not Cisco devices?

 

We currently have the Ciena devices successfully doing Radius Auth via Windows Network Policy Server without issue.

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions

Re: ISE 2.4 and Radius on Ciena Optical Platforms

Hi,

You have configured Radius related policies under device admin policy sets,try to create the same policy under Policy->Policy sets & use Default network access in Allowed protocol.

 

-Aravind
10 REPLIES 10
Cisco Employee

Re: ISE 2.4 and Radius on Ciena Optical Platforms

Just so I understand correctly, you have a policy set for these optical switches and are trying to match that policy using RADIUS? If that is correct, why not try to match based on device type instead? You can add all those switches to a device type and then us it to match RADIUS requests.

Regards,
Tim
Beginner

Re: ISE 2.4 and Radius on Ciena Optical Platforms

Hi Tim,
Thanks for the suggestion, I did try that as I have created a seperate group for the Optical Chassis however I am getting the same exact behavior. I don't see any hits going up. Even moved the rule to the very top. Almost as if it is not even trying the policy set.
Cisco Employee

Re: ISE 2.4 and Radius on Ciena Optical Platforms

You may be running into an issue I’ve seen in the past. Are you using “equals” in your condition to match the policy set? If so, trying using “starts with” instead. If that doesn’t work, I recommend contacting the TAC to troubleshoot further.

Regards,
Tim
Highlighted
Contributor

Re: ISE 2.4 and Radius on Ciena Optical Platforms

You need to have an authentication rule covering PAP in the Allowed Protocols list. 

Re: ISE 2.4 and Radius on Ciena Optical Platforms

Please attach the policy screenshot and the detailed radius log.

-Aravind
Beginner

Re: ISE 2.4 and Radius on Ciena Optical Platforms

Attached policy screenshot.  Note that the last two rules have shown 0 and 5 hits for weeks, so neither rule is getting hit.  Also, the default device admin allowed protocols profile has pap radius allowed.  Also below is the detailed auth report.

 

Overview

Event 5400 Authentication failed
Username scrubbed
Endpoint Id  
Endpoint Profile  
Authentication Policy Default
Authorization Policy Default
Authorization Result  

Authentication Details

Source Timestamp 2018-10-01 07:53:09.539
Received Timestamp 2018-10-01 07:53:09.539
Policy Server scrubbed
Event 5400 Authentication failed
Failure Reason 15024 PAP is not allowed
Resolution Enable PAP/ASCII protocol for the selected service
Root cause PAP is not allowed
Username scrubbed
Network Device ION015OT03P
Device Type All Device Types#DC Core#Optical
Location All Locations
NAS IPv4 Address scrubbed
Response Time 3 milliseconds

Other Attributes

ConfigVersionId 284
Device Port 5556
DestinationPort 1812
RadiusPacketType AccessRequest
Protocol Radius
NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow false
AcsSessionID inv001ise01p/323033956/7111027
CPMSessionID 0a800a28LmSHodSQfzi0b6n5i6Sop3TJkKLH9RgDBnXqTuLbiqs
ISEPolicySetName Default
DTLSSupport Unknown
Network Device Profile Cisco
Location Location#All Locations
Device Type Device Type#All Device Types#DC Core#Optical
IPSEC IPSEC#Is IPSEC Device#No
RADIUS Username scrubbed
NAS-Identifier scrubbed
Device IP Address scrubbed
Called-Station-ID scrubbed

Result

RadiusPacketType AccessReject
AuthenticationResult NotAllowed
 

Steps

  11001 Received RADIUS Access-Request
  11017 RADIUS created a new session
  11117 Generated a new session ID
  15049 Evaluating Policy Group
  15008 Evaluating Service Selection Policy
  15048 Queried PIP - Network Access.Protocol
  15048 Queried PIP - DEVICE.Device Type
  15024 PAP is not allowed
  11003 Returned RADIUS Access-Reject
 
Beginner

Re: ISE 2.4 and Radius on Ciena Optical Platforms

attached allowed protocols "default device admin"

 

Re: ISE 2.4 and Radius on Ciena Optical Platforms

Hi,

You have configured Radius related policies under device admin policy sets,try to create the same policy under Policy->Policy sets & use Default network access in Allowed protocol.

 

-Aravind
Beginner

Re: ISE 2.4 and Radius on Ciena Optical Platforms

Yes! Thanks that was my problem.  Didn't realize they were separate.  I am now hitting the policy.  Now I need to tshoot authorization as I am not getting full admin rights in the Ciena GUI.

Cisco Employee

Re: ISE 2.4 and Radius on Ciena Optical Platforms

IF the default authentication policy does not include PAP, then you will either need to add it to the default or create a new authentication rule that does.

 

Note that authentication & authorization policy hits are not updated real-time. ISE updates the hit counters every 10 minutes or so. Use Livelog error messages to understand what rules are being hit and why.