Device Authentication Issue

mpbaker82
Level 1

I use ISE in a distributed deployment.

The NAD in question is configured with two RADIUS server IPs. (Radius 1 (local PSN) > Radius 2 (Backup PAN))

I can reach both my local PSN and remote PAN ISE nodes from this NAD. (I can ping both ISE nodes with no problem.)

I can even authenticate with the NAD device. The live RADIUS logs show the device authenticating successfully. My issue is that it's authenticating with the wrong policy server. The authentication request is sent to the remote policy server (backup) and not to the local policy server.

I would expect the authentication request to use the local policy server and not the remote policy server.

Ideas?

4 Replies

marce1000
VIP

 - Depends on the configuration of the NAD; check how the PSNs are configured and the priority order.

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Damien Miller
VIP Alumni
This can vary a bit based on the configuration used in your environment. An example of how this works follows.

You will have two radius servers configured on the NAD. The order in which these two appear does not matter.
!!!Define radius server 1
radius server ISE-East
address ipv4 10.100.100.100 auth-port 1812 acct-port 1813
key xxxxx
!
!!!Define radius server 2
radius server ISE-West
address ipv4 10.200.200.200 auth-port 1812 acct-port 1813
key xxxxx
!

You then should have your radius servers defined as a group. The order in which the radius server names above appear in this group defines the order in which they are used. In this case, ISE-West will be used first, ISE-East second (when there is an issue with the first).
!
aaa group server radius <your_group_name>
server name ISE-West
server name ISE-East
!

Some alternate configs exist where the NAD can do load balancing across radius server nodes. If you scrub a config and share it we can confirm for you if this is the case, or at least why you are seeing the behavior you are.

When we use server groups, that's how we set it up, but this device uses radius-server host.

AAA Configuration

radius-server host 10.100.100.100 (local ise node)
radius-server host 10.200.200.200 (remote ise node)

aaa authentication login default radius local

radius-server key 7 <key here>

It's for some reason skipping 10.100.100.100 and going right to 10.200.200.200, which doesn't make any sense when I can ping 10.100.100.100. I know the device can reach the local ISE node.

I was going to play with this in my lab but I didn't have a switch on a version of software that supported the old radius-server host config. It took me a while but I found an old 2960 in my closet and played with it a bit.

I found that the AAA server priority is set based on which server is configured first (sh aaa servers). The servers go into the running config in the order I configure them on my test switch and they persist this way through reloads. I was able to flip the order by removing priority one from the running/startup config, then entering it into the config again.
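The re-ordering procedure described in the reply above, written out as an added example (this is not configuration posted by anyone in the thread). It assumes an IOS switch using the legacy radius-server host form, reuses the two addresses from the thread, and uses `<shared-secret>` as a placeholder for the key; the `show aaa servers` output shown is an abbreviated, constructed illustration of the priority lines, not a real capture.

```cisco
! Added example: make the local PSN (10.100.100.100) priority 1 on a switch
! that still uses legacy radius-server host entries.
!
! Step 1 - check which server the switch currently treats as priority 1.
! (Constructed, abbreviated output; the priority number is what matters.)
Switch# show aaa servers | include priority
RADIUS: id 1, priority 1, host 10.200.200.200, auth-port 1812, acct-port 1813
RADIUS: id 2, priority 2, host 10.100.100.100, auth-port 1812, acct-port 1813
!
! Step 2 - remove both legacy entries and re-add them, local PSN first.
! Do this from the console: while no radius-server host is defined, the
! "radius local" method list falls back to local accounts only.
Switch# configure terminal
Switch(config)# no radius-server host 10.200.200.200
Switch(config)# no radius-server host 10.100.100.100
Switch(config)# radius-server host 10.100.100.100 auth-port 1812 acct-port 1813
Switch(config)# radius-server host 10.200.200.200 auth-port 1812 acct-port 1813
Switch(config)# radius-server key <shared-secret>
Switch(config)# end
!
! Step 3 - confirm the new order took effect, then save it so it
! survives a reload.
Switch# show aaa servers | include priority
Switch# show running-config | include radius-server host
Switch# write memory
```

Two checks worth doing alongside this: the full `show aaa servers` output also carries per-server request, timeout and failover counters, which show whether the switch actually tried the priority-1 server and timed out before moving on; and a successful ping only proves ICMP reachability, not that UDP/1812 is open end to end or that the shared secret matches on that node, so a server that answers ping can still be skipped as dead.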