Cisco ISE rejected network device

Marco Serato
Level 1

Hello

I hope somebody can help.

We use Cisco ISE 2.1.

Normally new network devices are simply created (IP, Name, Shared Secret, Group) and it works.

But our new Citrix Netscaler is causing some problems.

The netscaler does not send any requests to ISE.

The Netscaler has a function called test; in a packet trace I can see that ISE sends a reject back.

But Citrix Netscaler says successful.

Is it normal that ISE sends a reject back in a test scenario without any username?

If the Netscaler sends a request with a username, ISE does not get any packet. Citrix says the RADIUS server does not support authentication functionality.

Can anybody help?


Many thanks and greetings

Marco

2 Replies

Arne Bier
VIP

Hi


The best thing to do here is to go to your ISE PAN node and perform a TCPDump and then share it with this forum. A packet capture says a thousand words!!!  Be sure to perform the TCPDump on the PSN node that the Netscaler is talking to, and take care of which interface on the PSN (if you have enabled more than one interface).

Operations > Troubleshoot > Diagnostic Tools > TCP Dump

By default ISE will send an Access-Reject if the authentication didn't succeed.  This is just a setting and it makes logical sense.  There are cases where you want to send an Access-Accept in the case of a failed authentication (e.g. MAC auth for Guest WebAuth).  But I don't know what your use case is. 

ISE is probably sending back Access-Reject because the RADIUS request was malformed, i.e. it didn't contain a User-Name attribute (if I understand your problem?).   I am a bit confused by your description.

Are you trying to implement a health monitor (health check) for the Netscaler?  What does the Access-Request from the Netscaler look like? (Please send us a Wireshark capture of the conversation.)

ISE needs to have the Netscaler configured as a NAD and of course Source IP of the Netscaler has to match (not the NAS-IP Address!!! The Netscaler's UDP packets' Source IP address !!!) - then of course usual stuff like shared secret have to match between Netscaler and ISE.

If it's a PAP authentication then make sure PAP is an allowed protocol.

And then it's a matter of building an auth policy to validate the User-Name and Password from internal users perhaps?

And then create an Authorization Policy to send either Access-Accept or Access-Reject based on the AuthN that just passed.  All depends on what Netscaler expects as its preferred result.
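The reply above comes down to reading the capture: does the Access-Request carry a User-Name attribute, is the identifier in the Access-Reject the one from the request, and was the reply computed with the shared secret the NAD was defined with? The following is an added example (not code from the thread, from Cisco or from Citrix) that decodes a RADIUS packet per RFC 2865, reports whether User-Name is present, and checks the Response Authenticator of a reply against the request and the shared secret. The packets, the secret `s3cret` and the NAS address 10.0.0.5 are constructed sample data; a packet extracted from a real capture (Wireshark's "Export Packet Bytes" on the RADIUS layer) can be passed to the same functions.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types from RFC 2865 (only the ones needed here)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
USER_NAME, NAS_IP_ADDRESS = 1, 4


def build_packet(code, ident, authenticator, attrs):
    """Serialise a packet: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Decode header and attribute list; raise ValueError on anything malformed."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field inconsistent with packet size")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:  # Length covers Type+Length+Value
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "code_name": CODES.get(code, f"code-{code}"),
            "ident": ident, "length": length,
            "authenticator": data[4:20], "attrs": attrs}


def get_user_name(packet):
    """Return the User-Name value, or None if the request carries no such attribute."""
    for a_type, value in packet["attrs"]:
        if a_type == USER_NAME:
            return value.decode("utf-8", "replace")
    return None


def build_response(code, request, secret, attrs=()):
    """Build a reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, request["ident"], 20 + len(body))
    resp_auth = hashlib.md5(header + request["authenticator"] + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, request, secret):
    """True only if the reply answers this request (same ID) and was built with this secret."""
    resp = parse_packet(response)
    if resp["ident"] != request["ident"]:
        return False
    body = response[20:resp["length"]]
    expected = hashlib.md5(response[:4] + request["authenticator"] + body + secret).digest()
    return hmac.compare_digest(expected, resp["authenticator"])


# Constructed sample data: shared secret, a fixed Request Authenticator, and the NAD address.
SECRET = b"s3cret"
REQ_AUTH = bytes(range(16))
NAS_IP = bytes([10, 0, 0, 5])

# A "test" request like the one described in the thread: no User-Name attribute at all.
TEST_REQUEST = build_packet(1, 7, REQ_AUTH, [(NAS_IP_ADDRESS, NAS_IP)])
# A real login attempt, carrying a User-Name (the User-Password attribute is omitted for brevity).
LOGIN_REQUEST = build_packet(1, 8, REQ_AUTH, [(USER_NAME, b"marco"), (NAS_IP_ADDRESS, NAS_IP)])
# The Access-Reject the server sends in answer to the test request.
REJECT = build_response(3, parse_packet(TEST_REQUEST), SECRET)


def summarize(data):
    """One-line description of a packet, in the form a troubleshooter wants from a capture."""
    pkt = parse_packet(data)
    name = get_user_name(pkt)
    return f"{pkt['code_name']} id={pkt['ident']} User-Name={name if name else 'missing'}"


if __name__ == "__main__":
    for pkt in (TEST_REQUEST, LOGIN_REQUEST, REJECT):
        print(summarize(pkt))
    print("reject valid with configured secret:", verify_response(REJECT, parse_packet(TEST_REQUEST), SECRET))
    print("reject valid with wrong secret:     ", verify_response(REJECT, parse_packet(TEST_REQUEST), b"wrong"))
```

A reply that fails `verify_response` with the secret you believe is configured means the two sides disagree on the shared secret (or the NAD entry matched a different device); a request for which `get_user_name` returns None is the malformed case described above, and an Access-Reject for it is the expected behaviour.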


A trace was very helpful.

Within the packet it was seen that an undefined username was used. The username is fixed in the test scenario and cannot be changed (not really useful).

In the ISE log this was not visible because of too many requests.

Can I filter the ISE log field Network Device by IP address?

In our case I can only filter by device name like H_SWITCH.