ISE 2.4 not getting radius username

manvik
Level 3

Hi,

I am using ISE 2.4, ASA and Network monitor tool. 

For user authentication from the ASA and the NM tool, RADIUS is used. The issue is that ISE is not getting the username of the RADIUS authentication in the RADIUS logs.

In the RADIUS live log, there is no username in the column; it plainly shows "username" only. PFA error screenshot.

 

I have added the ASA and the NM tool as devices in ISE and enabled RADIUS authentication. Any idea why this is happening?

 

Error:

Event: 5405 RADIUS Request dropped

Failure Reason: 24616 RADIUS token identity store received timeout error

Resolution: Check that the RADIUS token server is configured correctly. Check that the network connection is working. Try to ping the RADIUS token server to verify that it is available. Check that the RADIUS token server is enabled and running.

Root cause: RADIUS token identity store received timeout error

 

4 Replies

thomas
Cisco Employee

Your PingFederate Token Server does not appear to be responding in a timely manner when ISE passes it the token for authentication and therefore the whole RADIUS transaction times out. It should be returning a failure response immediately for USERNAME:TOKEN. This is an entirely separate issue from passing the correct USERNAME to the token server in the first place.

 

For the <USERNAME> problem, I suggest you compare your ASA RADIUS configuration to one of our guides, like ISE Design & Integration Guides > Cisco Adaptive Security Appliance (ASA) > How To Configure Posture with AnyConnect Compliance Module and ISE 2.0.

 

For deeper troubleshooting, I suggest you call TAC.

Thank you, Thomas.
You are right, PingFederate is not responding. We tested it with a working NAC server.
We still need to figure out the USERNAME problem.

hslai
Cisco Employee

ISE 2.4 is masking the username for most failed authentications to meet one of the Product Security Requirements. We have an existing enhancement request -- CSCvh91118

Hi Thomas,

We are using PingFederate as the external server for RADIUS authentication. The log message we are getting in PingFederate is "Ignoring packet from unknown client". The ISE IP is added in PingFederate.

In ISE, the PingFederate IP is added as an external RADIUS server, and a RADIUS server sequence is called in the ISE policy set.
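
The timeout in the first post and the "Ignoring packet from unknown client" log above fit together: RFC 2865 requires a RADIUS server to silently discard requests from clients it holds no shared secret for, so the requester only ever sees a timeout. The following is an added example, not code from any poster, Cisco or Ping Identity: a minimal Access-Request probe that separates "no answer" from "rejected" and from "answered with the wrong shared secret". Function names, user, password and secret are assumptions.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def encrypt_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2 (MD5 keystream, 16-byte blocks)."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, username, password, secret, req_auth):
    """Access-Request carrying User-Name (type 1) and User-Password (type 2)."""
    attrs = b""
    for atype, value in ((1, username), (2, encrypt_password(password, secret, req_auth))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def probe(server, username, password, secret, timeout=3.0):
    """Send one request; return 'accept', 'reject', 'timeout', 'bad-authenticator' or 'code-N'."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(ident, username, password, secret, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, server)
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            # No answer: server down, unreachable, or it discarded us as an unknown client.
            return "timeout"
    if len(reply) < 20:
        return "bad-authenticator"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    if rid != ident or reply[4:20] != expected:
        # A reply arrived but does not verify: shared secret mismatch or spoofed packet.
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, f"code-{code}")

# Usage (constructed values; 192.0.2.10 is a documentation address):
#   probe(("192.0.2.10", 1812), b"alice", b"123456", b"shared-secret")
```

The host running the probe must itself be registered as a RADIUS client on the server; otherwise its own requests are discarded and it also reports `timeout`.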

 
