Cisco ISE some Radius issues

lhviet001
Level 1

Dear guys,

I deployed Cisco ISE for Network Access Control. My topology is as described in the attached image. I configured Cisco ISE as the RADIUS server for client access control. But I got some problems, such as:

  • No Accounting Start. (I have configured accounting on the 2960 switch.)
  • RADIUS Request Dropped (attached image). These NAS IP addresses are servers on the same subnet as Cisco ISE.

I would greatly appreciate any help you can give me in working this problem.

Have a nice day,

Thanks and Regards,

3 Replies

jan.nielsen
Level 7

Just to clarify, you have of course created your switches in the device list in ISE, and used the same password both in the switch and in ISE for RADIUS?

How does your radius config look in your switches ?

What software are you running on the switches ?

Venkatesh Attuluri
Cisco Employee

Share your switch config. The following is a sample switch config; also check NAD OS compatibility with ISE:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/compatibility/ise_sdt.html

! Global AAA / RADIUS settings
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! start-stop is what makes the switch send Accounting-Start / Accounting-Stop to ISE
aaa accounting dot1x default start-stop group radius
radius-server host isexxxxx auth-port 1812 acct-port 1813
radius-server key xxxx
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
! the address of this interface is the NAS IP that must be defined as a network device in ISE
ip radius source-interface gxx
dot1x system-auth-control
!
! Access ports: 802.1X with MAB, open mode, multi-auth
interface range gxx
switchport mode access
authentication port-control auto
dot1x pae authenticator
mab
authentication open
authentication host-mode multi-auth
switchport access vlan x
switchport voice vlan x
authentication order mab dot1x
authentication priority dot1x mab
no shutdown
end
!
! Needed for dACLs / IP-to-MAC binding on the switch
ip device tracking
ip dhcp snooping
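Both replies above come down to the same checks: the global AAA/RADIUS lines (start-stop accounting is what produces Accounting-Start), the shared secret, the NAS IP that ISE actually sees (the address of the ip radius source-interface, which must exist in ISE's network device list or the request is dropped), and an authentication method on every port with port-control auto. The script below is an added example, not Cisco or ISE code and not posted by anyone in this thread; it parses an IOS-style config and reports those items. The config inside it is constructed, its 192.0.2.x addresses are made up, and the names lint_ios_config and parse_blocks are my own.

```python
"""Check a Cisco IOS switch config for the AAA/RADIUS settings an ISE
deployment relies on.  Added example for this thread, not Cisco or ISE
code; SAMPLE_CONFIG is constructed and its 192.0.2.x addresses are made up."""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
ip radius source-interface Vlan139
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SECRET
radius-server dead-criteria time 5 tries 3
dot1x system-auth-control
!
interface FastEthernet0/11
 switchport mode access
 authentication port-control auto
 mab
!
interface FastEthernet0/12
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 mab
!
interface Vlan139
 ip address 192.0.2.20 255.255.255.0
"""

# Global lines the sample config in the reply above depends on.  Without the
# start-stop accounting line the switch never sends Accounting-Start.
REQUIRED_GLOBALS = {
    "aaa new-model": r"^aaa new-model$",
    "aaa authentication dot1x": r"^aaa authentication dot1x default group radius$",
    "aaa authorization network": r"^aaa authorization network default group radius$",
    "aaa accounting dot1x start-stop": r"^aaa accounting dot1x default start-stop group radius$",
    "dot1x system-auth-control": r"^dot1x system-auth-control$",
}


def parse_blocks(text):
    """Group an IOS config into {top-level line: [its indented sub-lines]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line
            blocks.setdefault(current, [])
    return blocks


def lint_ios_config(text):
    """Report missing settings, the NAS IP ISE will see, and per-port methods."""
    blocks = parse_blocks(text)
    top = list(blocks)
    out = {"missing": [], "nas_ip": None, "secret_set": False,
           "radius_hosts": [], "interfaces": {}}

    for name, pat in REQUIRED_GLOBALS.items():
        if not any(re.match(pat, line) for line in top):
            out["missing"].append(name)

    # RADIUS servers; the shared secret may be per host or a global radius-server key.
    for line in top:
        m = re.match(r"^radius-server host (\S+)(.*)$", line)
        if m:
            out["radius_hosts"].append(m.group(1))
            if re.search(r"\bkey \S+", m.group(2)):
                out["secret_set"] = True
        elif line.startswith("radius-server key "):
            out["secret_set"] = True
    if not out["radius_hosts"]:
        out["missing"].append("radius-server host")
    if not out["secret_set"]:
        out["missing"].append("radius shared secret")

    # The source interface's address is the NAS IP that must be defined as a
    # network device in ISE; requests from an unknown NAS are dropped.
    src = None
    for line in top:
        m = re.match(r"^ip radius source-interface (\S+)$", line)
        if m:
            src = m.group(1)
    if src is None:
        out["missing"].append("ip radius source-interface")
    else:
        for sub in blocks.get(f"interface {src}", []):
            m = re.match(r"^ip address (\S+) \S+$", sub)
            if m:
                out["nas_ip"] = m.group(1)
        if out["nas_ip"] is None:
            out["missing"].append(f"ip address on {src}")

    # Every port with port-control auto needs at least one method (802.1X or MAB).
    for header, sub in blocks.items():
        if header.startswith("interface ") and "authentication port-control auto" in sub:
            port = header.split(None, 1)[1]
            out["interfaces"][port] = [x for x in ("dot1x pae authenticator", "mab") if x in sub]
            if not out["interfaces"][port]:
                out["missing"].append(f"auth method on {port}")
    return out
```

Run it against a "show running-config" dump: an empty "missing" list plus a "nas_ip" value tells you which address to look for under ISE's network devices, and a missing "aaa accounting dot1x start-stop" entry is the first thing to check when no Accounting-Start ever arrives.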

Sorry for the late reply.

Here is my switch config.

Current configuration : 8630 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
no logging console
enable password ******************
!
!
!
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting delay-start all
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
!
!
aaa server radius dynamic-author
 client A.B.C.D server-key keystrings
!
aaa session-id common
system mtu routing 1500
vtp mode transparent
!
!
ip dhcp snooping
ip device tracking
!
!
crypto pki trustpoint TP-self-signed-447922560
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-447922560
 revocation-check none
 rsakeypair TP-self-signed-447922560
!
!
crypto pki certificate chain TP-self-signed-447922560
 certificate self-signed 01
  xxxxx
dot1x system-auth-control
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 139,153,401-402,999,1501-1502
!
interface FastEthernet0/11
 switchport access vlan 139
 switchport mode access
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication periodic
 authentication timer inactivity 180
 authentication violation restrict
 mab
!
interface FastEthernet0/12
 switchport access vlan 139
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 139
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 180
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
!
interface Vlan139
 ip address E.F.G.H 255.255.255.0
!
ip default-gateway I.J.K.L
ip http server
ip http secure-server
!
ip access-list extended ACL-ALLOW
 permit ip any any
ip access-list extended ACL-DEFAULT
 remark Allow DHCP
 permit udp any eq bootpc any eq bootps
 remark Allow DNS
 permit udp any any eq domain
 permit icmp any any
 permit tcp any host A.B.C.D eq 8443
 permit tcp any host A.B.C.D eq 443
 permit tcp any host A.B.C.D eq www
 permit tcp any host A.B.C.D eq 8905
 permit tcp any host A.B.C.D eq 8909
 permit udp any host A.B.C.D eq 8905
 permit udp any host A.B.C.D eq 8909
 deny   ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
 permit tcp any any eq www
 permit tcp any any eq 443
 deny   ip any any
ip radius source-interface Vlan139
snmp-server community keystrings RW
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host A.B.C.D version 2c keystrings  mac-notification
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host A.B.C.D auth-port 1812 acct-port 1813 key STRINGSKEY
radius-server vsa send accounting
radius-server vsa send authentication
!
line con 0
line vty 5 15
!
end

My switch version is:

WS-2960   12.2(55)SE5 C2960-LANBASEK9-M

I would greatly appreciate any help you can give me in working this problem.