Solved: Re: Cisco ISE - 11351 Failed to read RADIUS server sequence configuration; dropping request

getamessay · ‎03-26-2020

Hello,

I have Cisco ISE (VM 2.7 version) PoC deployment with RADIUS server sequence configured for MAB authentication. I use similar config in production deployment (SNS-3515-K9) with version 2.7 and I have no issue. No idea what I missed. Your help is highly appreciated. Thanks

Here is the error logs:

Event	5405 RADIUS Request dropped
Failure Reason	11351 Failed to read RADIUS server sequence configuration; dropping request
Resolution	Verify the ISE proxy service configuration.
Root cause	ISE detected an error when trying to read the RADIUS server sequence configuration. Dropping the request.

Cristian Matei · ‎03-27-2020

Hi,

Sometimes VM's just hang. Can you remove the External RADIUS configuration, reload ISE, reconfigure it and see if it works?

Regards,

Cristian Matei.

View solution in original post

Greg Gibbs · ‎03-26-2020

Can you share some more information about your architecture and policy configuration? The RADIUS Server Sequence is only used when ISE is acting as a RADIUS Proxy (hence, the message about the 'ISE proxy service') and forwarding RADIUS requests to a secondary RADIUS server. It is not used when ISE is the RADIUS server handling the request, which is most often the case with MAB authenticated endpoints.

For the typical scenario where ISE is authenticating and authorising the MAB endpoint, you would specify an Allowed Protocols list in the Policy Set rather than a RADIUS Server Sequence.

getamessay · ‎03-27-2020

I use ISE as a RADIUS Proxy forwarding RADIUS requests to a secondary RADIUS server (FreeRadius server) handling the request. The same configuration works when ISE is hardware based - SNS-3515.

Cristian Matei · ‎03-27-2020

Hi,

Sometimes VM's just hang. Can you remove the External RADIUS configuration, reload ISE, reconfigure it and see if it works?

Regards,

Cristian Matei.

getamessay · ‎03-27-2020

Dear Cristian,

Very interesting! I did as you suggested and it works.

Many Thanks!
Getamessay

Stephen Buck · ‎07-06-2020

I tried the same thing and at first, it worked, but then started to fail again with the same error. In my case, I'm using a Duo RADIUS Proxy to enable MFA for VPN connections. Prior to 2.7, this worked flawlessly by using a RADIUS sequence pointing to two Duo Proxy servers. On the Duo proxy server, I configured it for RADIUS authentication back to ISE and it worked very well since ISE 2.4. After the upgrade to 2.7 with patch 1, I started seeing this error. I deleted the external RADIUS servers, removed the RADIUS sequence, rebooted both my ISE nodes, and then re-configured the external RADIUS servers and sequences. Things worked for a little bit, but then started to fail again and are currently not working.

Failure Reason	11351 Failed to read RADIUS server sequence configuration; dropping request
Resolution	Verify the ISE proxy service configuration.
Root cause	ISE detected an error when trying to read the RADIUS server sequence configuration. Dropping the request.

Arne Bier · ‎01-27-2021

I ran into this issue today as well. ISE 2.7 p2. The RADIUS sequence was configured roughly two weeks ago and it was all working well until I saw this error today. I deleted the sequence and rebooted ISE. Then added the sequence back in (I didn't delete the two radius server entries).

Amazing(ly) shocking ... how can this be a gold star release? Basic RADIUS stuff. #not_impressed

markus.forrer · ‎02-26-2021

I think you hit Bug https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw66483

I observed this with only go into the External Sequence without changing anything.

So just create it and tell everyone not to touch the sequence.....

Still not fixed with P3....