CISCO ISE FAILS LOCAL SWITCH CREDENTIALS

AELTC
Level 1

Hi Guys,

I am having a little issue with our Cisco ISE setup, the issue being that for some reason Cisco ISE is generating an authentication failure log from every switch we have configured.

 

It is failing our RADIUS-TEST user which is configured locally on the switch to test radius connectivity.

 

I was wondering if anyone else had this issue and how they resolved it?

1 Accepted Solution

In order to avoid the failed authentications, the radius-test user should ideally be a valid user from the perspective of your ISE deployment. It can be local to ISE as long as ISE-local authentication is in your identity source sequence.

6 Replies

balaji.bandi
Hall of Fame

If I understand correctly, the local user in the switch cannot communicate with ISE, right?

 

And you need an ISE username / password to run the RADIUS test against ISE again - does this make sense?

 

BB


Basically when we look at our live logs, we are seeing errors for the username of our RADIUS account to test connectivity.

 

I am not sure if it is the local account configured or the automate-tester that is causing this issue.

 

I have also noticed that when I run test aaa (etc.) new-code we get "user rejected"; are the two linked?

 

For example, we get the below error in the log:

 

5405 RADIUS Request dropped

24412 User not found in Active Directory

 

However, this is not an AD user; it is a user configured on the access switch.
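The switch-side configuration that generates these probes, as an added, constructed example (not configuration posted in this thread; the server name, address, key and passwords are placeholders). The automate-tester probe is a real RADIUS Access-Request sent to ISE, so the switch's local username entry is never consulted for it, which is why ISE reports the account as not found.

```text
! Constructed example, IOS-XE access switch (names, addresses and secrets are placeholders)
!
! Local entry for the test account. It is only consulted if the switch itself falls back to
! local authentication; the automate-tester probe below never looks at it.
username RADIUS-TEST privilege 0 secret <local-test-password>
!
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
 ! Sends a RADIUS Access-Request for RADIUS-TEST to ISE on a timer (default idle-time is 60 min);
 ! probe-on keeps probing while the server is marked up. Every switch does this, hence the volume.
 automate-tester username RADIUS-TEST probe-on
!
! Manual check, run from the switch (the "test aaa ... new-code" command mentioned above):
! Switch# test aaa group radius RADIUS-TEST <password> new-code
!
! ISE side (per the accepted solution): create RADIUS-TEST as an ISE internal user, make sure
! the internal user store is in the identity source sequence the policy set uses, add an
! authorization rule for it, then filter that user's events (Collection Filters) so the
! successful probes stop filling the live logs.
```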

At this time I am not sure; we need more information and logs on how your ISE / switch are configured.

 

BB


Hi Marvin,

 

Thank you for your help.

 

That seemed to resolve the failed authentication issue. I then had to create an authorization rule to permit it.

 

I was just wondering: it's great that it now passes all checks; however, as we have over 100+ switches, you can imagine what the logs will look like when the user is checked constantly. Is there a way to stop this overpopulating the logs?

 

Kind regards

Kalid Orfally

Sure you can suppress events for that user.

We often do this when there is a load balancer in front of PSNs that send regular queries as health checks.

Here's a good blog post showing exactly how to do it:

https://thecciejourney.wordpress.com/2016/04/10/hiding-filtering-a-specific-user-from-reporting-in-cisco-ise/

...and the Admin Guide reference:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_01011.html#ID169