11-06-2018 05:00 AM
Hi Folks,
I have Cisco ISE in my network, and currently it's running normally with IOS versions V12.0 to V15.0; however, I tried to add several 3560x switches with IOS V15.2, but they didn't join ISE.
I have included some details below, and I hope you can support me in figuring out why I'm seeing both A/B ISE in the Dead state.
IQBGJAF4-SW01#sho aaa servers
RADIUS: id 4, priority 1, host UNKNOWN, auth-port 1645, acct-port 1646
State: current DEAD, duration 93912s, previous duration 0s
Dead: total time 93912s, count 0
Quarantined: No
Authen: request 4, timeouts 4, failover 0, retransmission 3
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 1
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 4, timeouts 4, failover 0, retransmission 3
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 1
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 1d2h5m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 2 hours, 2 minutes ago: 0
low - 2 hours, 2 minutes ago: 0
average: 0
RADIUS: id 6, priority 2, host UNKNOWN, auth-port 1645, acct-port 1646
State: current DEAD, duration 88671s, previous duration 0s
Dead: total time 88671s, count 0
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 1d37m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 0 hours, 34 minutes ago: 0
low - 0 hours, 34 minutes ago: 0
average: 0
radius server ISE1
address ipv4 x.x.x.x auth-port 1812 acct-port 1813
timeout 15
automate-tester username ise probe-on
key xxxxx
radius server ISE2
address ipv4 x.x.x.y auth-port 1812 acct-port 1813
timeout 15
automate-tester username ise probe-on
key xxxxx
username ise password xxxx
!
aaa group server radius ISE
server name ISE1
server name ISE2
deadtime 1
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
aaa server radius dynamic-author
client x.x.x.x server-key xxxx
client x.x.x.y server-key xxxx
ip device tracking
ip device tracking probe delay 10
ip http server
ip http secure-server
dot1x system-auth-control
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server deadtime 1
radius-server vsa send accounting
radius-server vsa send authentication
!
epm logging
logging monitor informational
ip radius source-interface Vlan200
logging origin-id ip
logging source-interface Vlan200
logging host x.x.x.x transport udp port 20514
logging host x.x.x.y transport udp port 20514
snmp-server host x.x.x.x traps version 3 auth ISEUSER
snmp-server host x.x.x.y traps version 3 auth ISEUSER
!
snmp-server view ISE iso included
snmp-server group ISE v3 auth read ISE
snmp-server user ISEUSER ISE v3 auth sha xxxx
!
snmp-server trap-source vlan200
snmp-server enable traps snmp linkup linkdown
mac address-table notification change
mac address-table notification mac-move
snmp trap mac-notification change added
snmp trap mac-notification change removed
I look forward to having your support.
Thanks in advance
Regards,
Nabil
11-06-2018 06:00 AM
Hi, please be sure that the system MTU is 1500, or you will see the RADIUS server dead; after some minutes you will see it alive, and when starting some authentication it will be marked dead again. I have 3560 switches in my deployment and they work normally. My IOS is
WS-C3650-24PS 16.3.6 CAT3K_CAA-UNIVERSALK9
11-06-2018 06:05 AM
You are getting timeouts so check for routing issues and make sure the source of your RADIUS requests are what you have programmed into ISE. Perform packet captures on the ISE nodes to verify the RADIUS packets are getting to the ISE nodes. You have the RADIUS sources for VLAN 200 so I would assume that is the interface IP you have loaded into ISE.
If your RADIUS shared secret has odd characters in it, I think I have seen issues with that on some versions of code.
I am pretty sure your issue has nothing to do with the switch model or the version of code running on it.
11-06-2018 12:04 PM
11-06-2018 01:02 PM
There is something wrong.
The switch says it's dead, and it also says it's unknown; it should show host <ip>.
Also, the ports are 1812, but the show output is regarding 1645 etc.
I would like you to remove the AAA config, add it back step by step and check the verification.
In case the configuration is 100% correct, please consider addressing it in a dedicated case.
I will test your config by tomorrow if I get the chance; however, try what I suggest and let me know how it goes.
11-06-2018 01:06 PM
Good catch. My guess is you have a space or something in your script after the ISE names. In addition to the UNKNOWN the ports are 1645 and 1646 in the "show aaa servers". You have them configured for 1812/1813.
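The two symptoms pointed out in the replies above (host UNKNOWN and live ports 1645/1646 while the config says 1812/1813) are the kind of mismatch between operational state and running config that is easy to miss by eye across many switches. The script below is an added example written for this thread, not code from the thread or from Cisco: it parses a `show aaa servers` listing and the `radius server` blocks of a running config, then reports UNKNOWN hosts, port mismatches, DEAD state and all-timeout authentication counters. The sample output and config are constructed from the thread's post (addresses and key replaced with placeholders), and matching a `show aaa servers` entry to a config block by priority order, i.e. assuming priority 1 is the first `server name` in the group, is an assumption of this example.

```python
"""Cross-check 'show aaa servers' against 'radius server' config blocks.

Added example (not from the original thread). Parses operational output and
running config and reports: host UNKNOWN, live ports differing from the
configured ones, DEAD state, and authentication requests that all timed out.
"""
import re

# Constructed sample input modelled on the thread's output (abbreviated).
SHOW_AAA_SERVERS = """\
RADIUS: id 4, priority 1, host UNKNOWN, auth-port 1645, acct-port 1646
     State: current DEAD, duration 93912s, previous duration 0s
     Dead: total time 93912s, count 0
     Authen: request 4, timeouts 4, failover 0, retransmission 3
RADIUS: id 6, priority 2, host UNKNOWN, auth-port 1645, acct-port 1646
     State: current DEAD, duration 88671s, previous duration 0s
     Dead: total time 88671s, count 0
     Authen: request 0, timeouts 0, failover 0, retransmission 0
"""

# Constructed config; 192.0.2.x are documentation addresses, key is a placeholder.
RUNNING_CONFIG = """\
radius server ISE1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 timeout 15
 key PLACEHOLDER_KEY
radius server ISE2
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 timeout 15
 key PLACEHOLDER_KEY
"""

SERVER_RE = re.compile(
    r"^RADIUS: id (?P<id>\d+), priority (?P<prio>\d+), host (?P<host>\S+), "
    r"auth-port (?P<auth>\d+), acct-port (?P<acct>\d+)$")
STATE_RE = re.compile(r"^\s*State: current (?P<state>\w+)")
AUTHEN_RE = re.compile(r"^\s*Authen: request (?P<req>\d+), timeouts (?P<to>\d+)")
ADDR_RE = re.compile(
    r"^\s*address ipv4 (?P<ip>\S+) auth-port (?P<auth>\d+) acct-port (?P<acct>\d+)")


def parse_show_aaa_servers(text):
    """Return one dict per RADIUS server block in 'show aaa servers' output."""
    servers = []
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            servers.append({"id": int(m["id"]), "priority": int(m["prio"]),
                            "host": m["host"], "auth_port": int(m["auth"]),
                            "acct_port": int(m["acct"]), "state": None,
                            "authen_requests": 0, "authen_timeouts": 0})
            continue
        if not servers:
            continue  # header lines before the first server block
        m = STATE_RE.match(line)
        if m:
            servers[-1]["state"] = m["state"]
            continue
        m = AUTHEN_RE.match(line)
        if m:
            servers[-1]["authen_requests"] = int(m["req"])
            servers[-1]["authen_timeouts"] = int(m["to"])
    return servers


def parse_radius_server_blocks(config):
    """Return {name: {"ip", "auth_port", "acct_port"}} from 'radius server' blocks."""
    blocks, name = {}, None
    for line in config.splitlines():
        if line.startswith("radius server "):
            name = line.split(None, 2)[2].strip()
            blocks[name] = {"ip": None, "auth_port": None, "acct_port": None}
            continue
        m = ADDR_RE.match(line)
        if m and name:
            blocks[name].update(ip=m["ip"], auth_port=int(m["auth"]),
                                acct_port=int(m["acct"]))
    return blocks


def check(servers, blocks):
    """Pair live entries with config blocks by priority order (assumption) and
    return a list of human-readable findings."""
    findings = []
    ordered = sorted(servers, key=lambda s: s["priority"])
    for srv, (name, cfg) in zip(ordered, blocks.items()):
        tag = f"id {srv['id']} ({name})"
        if srv["host"] == "UNKNOWN":
            findings.append(f"{tag}: host shows UNKNOWN; configured address "
                            f"{cfg['ip']} was not applied")
        live = (srv["auth_port"], srv["acct_port"])
        wanted = (cfg["auth_port"], cfg["acct_port"])
        if None not in wanted and live != wanted:
            findings.append(f"{tag}: live ports {live[0]}/{live[1]} differ from "
                            f"configured {wanted[0]}/{wanted[1]}")
        if srv["state"] == "DEAD":
            findings.append(f"{tag}: marked DEAD")
        if srv["authen_requests"] and srv["authen_requests"] == srv["authen_timeouts"]:
            findings.append(f"{tag}: every authentication request timed out "
                            f"({srv['authen_timeouts']}/{srv['authen_requests']})")
    return findings


if __name__ == "__main__":
    for line in check(parse_show_aaa_servers(SHOW_AAA_SERVERS),
                      parse_radius_server_blocks(RUNNING_CONFIG)):
        print(line)
```

On the thread's data this flags every entry as UNKNOWN with ports 1645/1646 against a configured 1812/1813, which points at the `radius server` name blocks never having bound to their `address` lines (the stray-character-after-the-name theory raised above) rather than at a reachability problem; a reachability problem would show the correct host and ports with timeouts only.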
11-07-2018 04:54 AM