3560x can't join Cisco ISE with version v15.2

Nabil.
Level 1

Hi Folks,

I have Cisco ISE in my network, and it is currently running normally with switches on IOS versions V12.0 to V15.0. However, I tried to add several 3560X switches with IOS V15.2, and they did not join ISE.

I have included some details below, and I hope you can help me figure out why I am seeing both ISE nodes (A/B) in the Dead state.

 

  • Device: WS-C3560X-48P-S, version 15.2(4)E4 & SW image C3560E-UNIVERSALK9-M
  • The SW is working as a L2 Access SW and handling the L2 switching only with Vlan 200 as management.
  • The SW is added to ISE and all the keys are correct from both ISE and SWs ends.
  • The SW is showing both ISEs (HA system) as Dead

IQBGJAF4-SW01#sho aaa servers

RADIUS: id 4, priority 1, host UNKNOWN, auth-port 1645, acct-port 1646
     State: current DEAD, duration 93912s, previous duration 0s
     Dead: total time 93912s, count 0
     Quarantined: No
     Authen: request 4, timeouts 4, failover 0, retransmission 3
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 1
             Throttled: transaction 0, timeout 0, failure 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Account: request 4, timeouts 4, failover 0, retransmission 3
             Request: start 0, interim 0, stop 0
             Response: start 0, interim 0, stop 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 1
             Throttled: transaction 0, timeout 0, failure 0
     Elapsed time since counters last cleared: 1d2h5m
     Estimated Outstanding Access Transactions: 0
     Estimated Outstanding Accounting Transactions: 0
     Estimated Throttled Access Transactions: 0
     Estimated Throttled Accounting Transactions: 0
     Maximum Throttled Transactions: access 0, accounting 0
     Requests per minute past 24 hours:
             high - 2 hours, 2 minutes ago: 0
             low  - 2 hours, 2 minutes ago: 0
             average: 0

RADIUS: id 6, priority 2, host UNKNOWN, auth-port 1645, acct-port 1646
     State: current DEAD, duration 88671s, previous duration 0s
     Dead: total time 88671s, count 0
     Quarantined: No
     Authen: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
             Request: start 0, interim 0, stop 0
             Response: start 0, interim 0, stop 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Elapsed time since counters last cleared: 1d37m
     Estimated Outstanding Access Transactions: 0
     Estimated Outstanding Accounting Transactions: 0
     Estimated Throttled Access Transactions: 0
     Estimated Throttled Accounting Transactions: 0
     Maximum Throttled Transactions: access 0, accounting 0
     Requests per minute past 24 hours:
             high - 0 hours, 34 minutes ago: 0
             low  - 0 hours, 34 minutes ago: 0
             average: 0


  • The configuration related to ISE from SW end is

radius server ISE1
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 timeout 15
 automate-tester username ise probe-on
 key xxxxx

radius server ISE2
 address ipv4 x.x.x.y auth-port 1812 acct-port 1813
 timeout 15
 automate-tester username ise probe-on
 key xxxxx

username ise password xxxx
!
aaa group server radius ISE
 server name ISE1
 server name ISE2
 deadtime 1
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE

aaa server radius dynamic-author
 client x.x.x.x server-key xxxx
 client x.x.x.y server-key xxxx

ip device tracking
ip device tracking probe delay 10
ip http server
ip http secure-server
dot1x system-auth-control
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server deadtime 1
radius-server vsa send accounting
radius-server vsa send authentication
!
epm logging
logging monitor informational
ip radius source-interface Vlan200
logging origin-id ip
logging source-interface Vlan200
logging host x.x.x.x transport udp port 20514
logging host x.x.x.y transport udp port 20514
snmp-server host x.x.x.x traps version 3 auth ISEUSER
snmp-server host x.x.x.y traps version 3 auth ISEUSER
!
snmp-server view ISE iso included
snmp-server group ISE v3 auth read ISE
snmp-server user ISEUSER ISE v3 auth sha xxxx
!
snmp-server trap-source vlan200
snmp-server enable traps snmp linkup linkdown
mac address-table notification change
mac address-table notification mac-move
snmp trap mac-notification change added
snmp trap mac-notification change removed


I look forward to having your support.

Thanks in advance

 

Regards,

Nabil


ognyan.totev
Level 5

Hi, please be sure that the system MTU is 1500, or you will see the RADIUS server marked dead; after some minutes you will see it alive, and when starting some authentication it will be marked dead again. I have 3560 switches in my deployment and they work normally. My IOS is

WS-C3650-24PS      16.3.6            CAT3K_CAA-UNIVERSALK9

paul
Level 10

You are getting timeouts, so check for routing issues and make sure the source of your RADIUS requests is what you have programmed into ISE. Perform packet captures on the ISE nodes to verify the RADIUS packets are getting to the ISE nodes. You have the RADIUS source set to VLAN 200, so I would assume that is the interface IP you have loaded into ISE.

If your RADIUS shared secret has odd characters in it, I think I have seen issues with that on some versions of code.

I am pretty sure your issue has nothing to do with the switch model or the version of code running on it.

Nabil.
Level 1
Thank you, guys.
In terms of reachability, ISE is reachable, and the RADIUS source is set to what we have configured on ISE.
In fact, I have deployed about 30 SWs and all of them are working normally except the 15.2 ones!!!

yalbikaw
Cisco Employee

There is something wrong.

The switch says it's dead, and it also says the host is unknown; it should show host <ip>.

Also, you have ports 1812 configured, but the show output refers to 1645 etc.

I would like you to remove the AAA config, add it back step by step, and check the verification at each step.

In case the configuration is 100% correct, please consider addressing it in a dedicated case.

I will test your config by tomorrow if I get the chance; however, try what I suggest and let me know how it goes.

Good catch. My guess is you have a space or something in your script after the ISE names. In addition to the UNKNOWN, the ports are 1645 and 1646 in the "show aaa servers". You have them configured for 1812/1813.

 

 
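An added check, not code from the thread, that mechanises what yalbikaw and the follow-up reply spotted: it parses the "show aaa servers" output against the "radius server" stanzas and reports a host of UNKNOWN, a port pair that matches no configured stanza, and a server marked DEAD with every authentication request timing out. Both samples are constructed from the thread, with 192.0.2.x standing in for the masked addresses.

```python
import re

# Constructed sample, abridged from the "show aaa servers" output posted in the thread.
SHOW_AAA_SERVERS = """\
RADIUS: id 4, priority 1, host UNKNOWN, auth-port 1645, acct-port 1646
     State: current DEAD, duration 93912s, previous duration 0s
     Dead: total time 93912s, count 0
     Authen: request 4, timeouts 4, failover 0, retransmission 3
RADIUS: id 6, priority 2, host UNKNOWN, auth-port 1645, acct-port 1646
     State: current DEAD, duration 88671s, previous duration 0s
     Authen: request 0, timeouts 0, failover 0, retransmission 0
"""
# Constructed sample of the intended stanzas; 192.0.2.x stands in for the x.x.x.x in the post.
RADIUS_CONFIG = """\
radius server ISE1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
radius server ISE2
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
"""
# Per-server block of "show aaa servers": operational host/ports, state, then the Authen counters.
BLOCK_RE = re.compile(
    r"RADIUS: id \d+, priority \d+, host (\S+), auth-port (\d+), acct-port (\d+)\s+"
    r"State: current (\w+).*?Authen: request (\d+), timeouts (\d+)", re.S)
# 'radius server' stanza; assumes 'address ipv4' is the first line under the name, as in the post.
STANZA_RE = re.compile(r"radius server (\S+)\s+address ipv4 (\S+) auth-port (\d+) acct-port (\d+)")

def parse_show_aaa_servers(text):
    return [{"host": h, "auth_port": int(a), "acct_port": int(c), "state": st,
             "requests": int(r), "timeouts": int(t)} for h, a, c, st, r, t in BLOCK_RE.findall(text)]

def parse_radius_config(text):
    return {n: (ip, int(a), int(c)) for n, ip, a, c in STANZA_RE.findall(text)}

def audit(show_text, config_text):
    # Flags the symptoms raised in the thread; an empty list means the two views agree.
    cfg = parse_radius_config(config_text).values()
    ips, port_pairs = {ip for ip, _, _ in cfg}, {(a, c) for _, a, c in cfg}
    findings = []
    for s in parse_show_aaa_servers(show_text):
        if s["host"] == "UNKNOWN":
            findings.append("host UNKNOWN: no 'address ipv4' is bound to this server entry")
        elif s["host"] not in ips:
            findings.append(f"{s['host']}: not the address of any configured 'radius server'")
        if (s["auth_port"], s["acct_port"]) not in port_pairs:
            findings.append(f"ports {s['auth_port']}/{s['acct_port']} match no configured stanza")
        if s["state"] == "DEAD" and s["requests"] and s["requests"] == s["timeouts"]:
            findings.append(f"DEAD with all {s['requests']} auth requests timed out: check reachability")
    return findings
```

Run audit() on the real "show aaa servers" and "show running-config | section radius server" text; with the thread's output it produces five findings, and a healthy switch produces none.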

Nabil.
Level 1
Greetings... I wiped all RADIUS-related configuration and deleted the SWs from ISE, then applied the configuration step by step and rejoined them with ISE again, and the status changed from Dead to Up. Unfortunately, we couldn't figure out what the issue was, but your recommendations were really helpful, guys. Now I'll proceed with the next step of testing client authentication and authorization. Thanks