Cisco ISE and external radius server issue

Michele Toblini
Level 1

Hello guys,

I configured Cisco ISE for eduroam Wi-Fi. The inbound request (users of my university in other organizations) works like a charm. I got issues with other organizations' users coming onto my premises. ISE is NATed outside with a public IP address, with an access list permitting just GARR's RADIUS server to contact it.

When I try to connect, Cisco ISE gives me the following error:

Event 5434 Endpoint conducted several failed authentications of the same scenario
Failure Reason 11353 No more external RADIUS servers; can't perform failover
Resolution Verify the following: At least one of the remote RADIUS servers in the ISE proxy service is up and configured properly ; Shared secret specified in the ISE proxy service for every remote RADIUS server is same as the shared secret specified for the ISE server ; Port of every remote RADIUS server is properly specified in the ISE proxy service.
Root cause Failover is not possible because no more external RADIUS servers are configured. Dropping the request.

Thanks

Michele

2 Accepted Solutions

Jason Kunst
Cisco Employee

I figured out what was wrong. There was a problem in the NAT; it was working one way (from outside to inside). In the reverse direction it was hitting the general rule and ISE was coming out with a wrong IP address.

Now everything is fine, but I had to tune the authorization rule. Somehow the device type was not eduroam (I called their proxy server that) but the WLC, so it was not hitting the right auth rule.

Thanks for the answer.

Michele


3 Replies

Gehrig_W
Level 1

Hello,

We had the same problem and solved it by changing the RADIUS Accounting for the RADIUS Proxy Server from Remote Accounting to Local Accounting. See Administration -> Network Resources -> RADIUS Server Sequences and edit your entry/entries accordingly.

Found the following explanation at: Why might my Cisco ISE logs show my Authentication Proxy server as unavailable? (duo.com)

The Authentication Proxy does not use the RADIUS accounting port 1813. When Remote Accounting is enabled, the ISE attempts to proxy RADIUS accounting requests via port 1813. When the ISE attempts to do this, it is unsuccessful and it will mark the server as unavailable.

Somewhere else I found info about a hard-coded dead time of 5 minutes for the Proxy RADIUS Server.

Please try.

Greetings

Wini
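The error's Resolution text and Wini's port-1813 explanation both come down to one question: does the external RADIUS server actually answer, with the right shared secret, on the port ISE is configured to use? The following is an added example, not code from this thread or from Cisco, that sends an RFC 5997 Status-Server request to the authentication and accounting ports and accepts only a correctly authenticated reply; the host name and secret are placeholders to substitute.

```python
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER, ACCESS_ACCEPT, ACCT_RESPONSE = 12, 2, 5  # RADIUS packet codes
MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def build_status_server(secret: bytes, ident: int, authenticator: bytes) -> bytes:
    """RFC 5997 Status-Server: header + Message-Authenticator = HMAC-MD5(secret, packet with MA zeroed)."""
    header = struct.pack("!BBH", STATUS_SERVER, ident, 38) + authenticator
    tlv = bytes([MSG_AUTH, 18])
    mac = hmac.new(secret, header + tlv + b"\x00" * 16, hashlib.md5).digest()
    return header + tlv + mac

def request_mac_ok(secret: bytes, pkt: bytes) -> bool:
    """What the far end checks before answering: recompute the Message-Authenticator."""
    if len(pkt) != 38 or pkt[20] != MSG_AUTH or pkt[21] != 18:
        return False
    mac = hmac.new(secret, pkt[:22] + b"\x00" * 16, hashlib.md5).digest()
    return hmac.compare_digest(mac, pkt[22:])

def build_access_accept(secret: bytes, ident: int, request_auth: bytes) -> bytes:  # healthy-server reply, for offline checks
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20)
    return head + hashlib.md5(head + request_auth + secret).digest()

def response_ok(secret: bytes, ident: int, request_auth: bytes, resp: bytes) -> bool:
    """RFC 2865 Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(resp) < 20 or resp[0] not in (ACCESS_ACCEPT, ACCT_RESPONSE) or resp[1] != ident:
        return False
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def probe(host: str, port: int, secret: bytes, timeout: float = 3.0) -> bool:
    """True only if an authenticated Access-Accept (1812) or Accounting-Response (1813) comes back."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_status_server(secret, ident, authenticator), (host, port))
            resp, _ = s.recvfrom(4096)
        except OSError:  # timeout or unreachable: the condition that gets a server marked dead
            return False
    return response_ok(secret, ident, authenticator, resp)

if __name__ == "__main__":
    # Placeholders: substitute the proxy's address and the server sequence's shared secret.
    for port in (1812, 1813):
        print(port, "answers" if probe("PROXY_HOST_PLACEHOLDER", port, b"SECRET_PLACEHOLDER") else "silent")
```

A proxy that answers on 1812 but is silent on 1813 is exactly the case where Remote Accounting leads ISE to mark the server unavailable; a wrong shared secret shows up as a reply that fails the authenticator check.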