09-28-2017 10:09 AM
ISE Team,
Not sure if everyone is aware but we offer an embedded switch called an ES2020 for tactical/hardened remote access kits. Customer is trying to do .1x and having issues with the dead timer settings (see logs below) on that platform. I looked at the compatibility matrix and I don’t see the ES2020 on there. I am curious if this “should” work and do we support this? I am assuming no one really knew about the switch as it is not widely used and it wasn’t really tested. Thoughts?
ES2020
https://www.cisco.com/c/en/us/products/switches/embedded-service-2020-series-switches/index.html
JP
Here are the logs:
Cisco 2020 running 15.2-5E2c.
"Open" authentication (PACL applied).
"authentication event server alive action reinitialize"
At the end of "server-dead" timeout, while attempting to regain connectivity to radius, the switch "deauthorizes" the port for a period (restricting the client) while attempting to regain radius.
*Jan 2 00:11:33: %RADIUS-3-ALLDEADSERVER: Group radius: No active radius servers found. Id 1.
*Jan 2 00:11:34: %DOT1X-5-FAIL: Authentication failed for client (1866.da2d.1587) on Interface Fa1/18 AuditSessionID 0A64CEE30000000C0009C465
*Jan 2 00:11:35: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (1866.da2d.1587) on Interface Fa1/18 AuditSessionID 0A64CEE30000000C0009C465
.
.
*Jan 2 00:15:41: %RADIUS-6-SERVERALIVE: Group radius: Radius server XXX.XXX.201.166:1645,1646 is responding again (previously dead).
*Jan 2 00:15:41: %RADIUS-4-RADIUS_ALIVE: RADIUS server XXX.XXX.201.166:1645,1646 is being marked alive.
*Jan 2 00:15:52: %RADIUS-4-RADIUS_ALIVE: RADIUS server XXX.XXX.210.12:1645,1646 is being marked alive.
*Jan 2 00:15:58: %RADIUS-4-RADIUS_DEAD: RADIUS server XXX.XXX.201.166:1645,1646 is not responding.
*Jan 2 00:16:10: %DOT1X-5-FAIL: Authentication failed for client (1866.da2d.1587) on Interface Fa1/18 AuditSessionID 0A64CEE30000000D000EB3CC
*Jan 2 00:16:13: %RADIUS-4-RADIUS_DEAD: RADIUS server XXX.XXX.210.12:1645,1646 is not responding.
*Jan 2 00:16:53: %RADIUS-3-ALLDEADSERVER: Group radius: No active radius servers found. Id 24.
*Jan 2 00:16:55: %MAB-5-FAIL: Authentication failed for client (1866.da2d.1587) on Interface Fa1/18 AuditSessionID 0A64CEE30000000D000EB3CC
10-03-2017 02:46 PM
I would suggest to engage Cisco TAC so TAC may help in verifying the global and interface configurations, etc. ISE compatibility matrix says,
Cisco ISE supports interoperability with any Cisco or non-Cisco RADIUS client network access device (NAD) that implements common RADIUS behavior (similar to Cisco IOS 12.x) for standards-based authentication.
...
If I were you, I would perform a wired capture and see any exchanges between the switch and ISE.
Sales Connect has a product page https://salesconnect.cisco.com/#/program/PAGE-5849 which might provide some info.
10-27-2017 07:17 AM
FYI. The 2020 doesn't work.
Justin
408 895 2605