Cisco ISE Radius Test Failed

UniWAQ
Level 1

Hi All, 

I am using Cisco ISE and have configured a switch for authentication. I tried to test connectivity, but it failed. The switch configuration is mentioned below; please guide me. Secondly, I am using a Cisco 3560 with /c3560-ipservicesk9-mz.122-55.SE9.bin, but I am not able to enable the IP Device Sensor features. Any recommendations for an IOS with these features?

*******************************************************************************************
Switch#test aaa group radius testise cisco new-code
User rejected

Switch#
*Mar 3 07:10:08.241: %RADIUS-3-ALLDEADSERVER: Group radius: No active radius servers found. Id 59.
*Mar 3 07:10:28.273: %RADIUS-6-SERVERALIVE: Group radius: Radius server 172.16.0.180:1812,1813 is responding again (previously dead).
Switch#

*******************************************************************************************

Switch#show run
Building configuration...

Current configuration : 5060 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
!
!
aaa new-model
!
!
!
aaa group server radius ISETEST
server 172.16.0.180 auth-port 1645 acct-port 1646
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting update newinfo
aaa accounting dot1x default start-stop group radius
!
!
aaa server radius dynamic-author
client 172.16.0.180 server-key cisco
!
aaa session-id common
system mtu routing 1500
authentication mac-move permit
ip routing
!
!
ip dhcp snooping vlan 5,20,30
no ip dhcp snooping information option
ip dhcp snooping
ip device tracking probe delay 10
ip device tracking
!
!
dot1x system-auth-control
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface Loopback0
ip address 10.10.10.10 255.255.255.255
!
interface FastEthernet0/1
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/4
!
!
interface Vlan1
no ip address
!
interface Vlan20
ip address 172.16.0.229 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 65
radius-server host 172.16.0.180 auth-port 1812 acct-port 1813 timeout 10 retransmit 5 test username testise ignore-acct-port key cisco
radius-server retransmit 5
radius-server timeout 10
radius-server deadtime 1
!
!
line con 0
speed 115200
line vty 5 15
!
end

5 Replies

M. Wisely
Level 4

I notice in your config that you are missing a key (to add one, the command is 'radius-server key 0' followed by the key you have configured in ISE for the device you're trying to set up).

I configured it, but the result is the same:

#radius-server key 0 cisco

Switch#test aaa group radius testise cisco new-code
User rejected

Switch#
*Mar 3 07:36:27.170: %RADIUS-3-ALLDEADSERVER: Group radius: No active radius servers found. Id 84.
*Mar 3 07:36:28.277

Have you configured a network device in ISE with the switch's IP address? Is RADIUS enabled, and does the key match what you configured on the switch?

HARIHARAN S
Level 1

I too had the same issue, and I also added the network device in the ISE server. Even so, I get USER REJECTED. I have configured the above RADIUS configuration on my 9200L switch, with version 17.

 

Jayanth Velkuri
Cisco Employee

If you are receiving "User rejected", can you check whether the user is added in ISE and the entered password is correct? Share the live logs for this test from ISE.