09-15-2016 12:57 PM - edited 03-11-2019 12:04 AM
Hello, I'm trying to set up our ISE cluster so (in addition to what it already does) it can act as a RADIUS proxy. I have read a number of guides and have:
1) Defined the external RADIUS server
2) Created a RADIUS Server Sequence
3) Defined the RADIUS Server Sequence in a policy (where you usually select allowed protocols).
When using a RADIUS client to test the access, I can confirm it is matching the authentication policy that has the RADIUS server sequence. Checking the logs, I can see an error stating:
Event 5405 RADIUS Request dropped
Failure Reason 11353 No more external RADIUS servers; can't perform failover
It sounds like an issue between the ISE and the RADIUS servers defined, right? I have done packet captures on the RADIUS servers and there is no traffic from the ISE whatsoever. They simply are not forwarding these requests.
Am I missing something?
We are running 2.0.1.130: 2 nodes as admin, 2 as policy.
Any help or suggestions would be greatly appreciated.
09-15-2016 01:50 PM
Firewalls between your ISE servers and the other RADIUS servers? Routing issues? NATing?
Are you running old style ports 1645 or 1812?
09-15-2016 02:25 PM
No firewalls or NAT. ISE, RADIUS proxy, and RADIUS client are all in our LAN environment. Routing is verified by the fact that each system can ping the others.
I tried both the old and new ports and this doesn't make any difference.
09-15-2016 03:12 PM
OK, actually, from looking in the log you attached, it looks like ISE is actually getting a response, but it's invalid. Maybe try to use the ISE server's tcpdump function and see what ISE thinks is going on. Also double-check the secret keys on both ends.
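The "getting a response, but it's invalid" situation above is exactly what a RADIUS proxy sees when the shared secret on one end does not match the other: the reply arrives, but its Response Authenticator (RFC 2865, MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the secret) fails to verify, so the proxy drops it. The following is an added example, not code from the thread or from Cisco ISE. It builds a constructed Access-Request and Access-Reject in pure Python and shows the verification a proxy performs; the secrets, usernames and identifiers are made up for the demonstration, and the function names are my own.

```python
"""Check whether a RADIUS reply was computed with the shared secret a proxy expects.

Added example, not from the thread: RFC 2865 Response Authenticator and
User-Password handling in pure Python. The packets, identifiers and secrets
below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length counts the 2-byte header."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> list:
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password (the chain is keyed on ciphertext blocks)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, request_auth=None):
    """Return (packet, request_authenticator); the authenticator is 16 random bytes."""
    if request_auth is None:
        request_auth = os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username) + encode_attr(
        ATTR_USER_PASSWORD, hide_user_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_auth, secret):
    """True only if the reply was authenticated with `secret` for this request."""
    if len(response) < 20:
        return False
    header, got, attrs = response[:4], response[4:20], response[20:]
    if struct.unpack("!BBH", header)[2] != len(response):
        return False
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(got, expected)


def diagnose(response, request_auth, proxy_secret):
    """The check a proxy performs before trusting a reply; a mismatch means drop."""
    if not verify_response(response, request_auth, proxy_secret):
        return "invalid response authenticator (shared secret mismatch or tampering)"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(
        response[0], f"code {response[0]}")


if __name__ == "__main__":
    server_secret = b"s3cret-on-server"  # constructed value
    req, ra = build_access_request(7, server_secret, b"alice", b"hunter2")
    reply = build_response(ACCESS_REJECT, 7, ra, server_secret,
                           encode_attr(ATTR_REPLY_MESSAGE, b"bad credentials"))
    print(diagnose(reply, ra, server_secret))       # secrets agree: "reject"
    print(diagnose(reply, ra, b"s3cret-on-proxy"))  # secrets differ: invalid, dropped
```

When the proxy's copy of the secret differs from the server's, the reply is syntactically fine but fails `verify_response`, which is why a capture on the proxy can show replies arriving while the authentication log still reports a failure. Comparing the Response Authenticator from a capture against both candidate secrets, as `diagnose` does, tells you which side holds the wrong value.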
09-15-2016 09:51 PM
It's not possible that ISE has received a response, certainly not from the external RADIUS server anyway (because I have done packet captures and the external RADIUS box receives no requests). I wasn't aware that there was tcpdump on the ISE itself, so I will give this a go to see what it sees. I will let you know how I get on. Thanks
09-16-2016 01:28 AM
I've done that tcpdump from the ISE node and, as I'd presumed, the ISE is not forwarding the RADIUS request to the external RADIUS server.
So the question is: why is it not even attempting to forward these requests?
I have tried several RADIUS sources to rule out the source of the first RADIUS packet as being the problem.
09-16-2016 08:06 AM
When you captured from ISE, did you specify the PSN as the node from which to capture?
If the PSN isn't sending the requests, I'd recommend a TAC case to have them look at your setup interactively.
I can verify that the feature of external RADIUS servers works. I have used it for several edu deployments that use the eduroam service.
09-19-2016 03:16 AM
I have also used the RADIUS proxy, but on earlier versions of ISE. I have raised a TAC case through our provider and am hoping they will be able to get this working for me.
03-01-2017 06:26 AM
Hi Stewart - Did you ever resolve this issue? I have a similar issue, where the ISE installation matches the rule for external RADIUS sequence, but we never see the traffic towards the external RADIUS servers coming out of any of the ISE boxes.
We also see the "Failure Reason 11353 No more external RADIUS servers; can't perform failover", and we're running 2.0.1 in a 4 node setup (admin, monitor, and 2 PSN)
03-01-2017 11:29 AM
This is kind of obvious, but when you define the RADIUS server sequence, do you select the server under *Selected*?
03-01-2017 11:07 PM
sdoherty - I can see why you ask since it could be forgotten, but yes, this is already done.
09-15-2016 05:34 PM
I agree with Jan.
The two RADIUS servers are talking - just not establishing a valid connection which is a prerequisite for any authentication. A packet capture should highlight the specific issue.
Have you contacted the admin of the external RADIUS server to check what they are seeing?
09-15-2016 09:48 PM
I'm the admin of the servers, and my initial post stated that I have already done packet captures. The only time I see traffic on the external RADIUS server is when I run a ping; I see ICMP packets straight away. Otherwise, there is no traffic from ISE, not during creation of the external RADIUS server object nor at the moments when it should be forwarding these. Cheers
06-06-2017 07:15 AM
I have configured ISE as a RADIUS proxy, but it is not working. ISE is proxying RADIUS requests to Microsoft MFA. I have attached the error. Could anybody help with this?