Beginner

ISE 2.4 not getting radius username

Hi,

I am using ISE 2.4, ASA and Network monitor tool. 

For user authentication from the ASA and NM tool, RADIUS is used. The issue is that ISE is not getting the username of the RADIUS authentication in the RADIUS logs.

In the RADIUS live log, there is no username in the column; it plainly shows username only. PFA error screenshot.

 

I have added ASA and NM tool as devices in the ISE and enabled Radius authentication. Any idea why this is happening?

 

Error:

Event: 5405 RADIUS Request dropped

Failure Reason: 24616 RADIUS token identity store received timeout error

Resolution: Check that the RADIUS token server is configured correctly. Check that the network connection is working. Try to ping the RADIUS token server to verify that it is available. Check that the RADIUS token server is enabled and running.

Root cause: RADIUS token identity store received timeout error

 

4 REPLIES
Cisco Employee

Re: ISE 2.4 not getting radius username

Your PingFederate Token Server does not appear to be responding in a timely manner when ISE passes it the token for authentication and therefore the whole RADIUS transaction times out. It should be returning a failure response immediately for USERNAME:TOKEN. This is an entirely separate issue from passing the correct USERNAME to the token server in the first place.

 

For the <USERNAME> problem, I suggest you compare your ASA RADIUS configuration to one of our guides like ISE Design & Integration Guides > Cisco Adaptive Security Appliance (ASA) > How To Configure Posture with AnyConnect Compliance Module and ISE 2.0

 

For deeper troubleshooting, I suggest you call TAC.

Beginner

Re: ISE 2.4 not getting radius username

Thank You Thomas,
You are right, PingFederate is not responding. We tested it with a working NAC server.
We need to figure out the USERNAME problem still.
Cisco Employee

Re: ISE 2.4 not getting radius username

ISE 2.4 is masking the username for most of the failed authentications to meet one of the Product Security Requirements. We have an existing enhancement request: CSCvh91118

Beginner

Re: ISE 2.4 not getting radius username

Hi Thomas,

We are using PingFederate as an external server for RADIUS authentication. The log we are getting in PingFederate is "Ignoring packet from unknown client". The ISE IP is added in PingFederate.

In ISE, the PingFederate IP is added as an external RADIUS server and a RADIUS server sequence is called in the ISE policy set.

 
