DTLS ISE/router/windowsCA

williamfraatz
Level 1

Having an issue getting RADIUS with DTLS set up on my network. I have a lab setup which kind of mimics a production environment. So what I have so far is: my router made a certificate request, and it's been signed by the CA. The root CA cert has been imported as well. The root cert has also been imported to ISE. The DTLS config on ISE is pretty straightforward. I see in some other guides that the router/switch has a self-signed cert, usually TP-some-numbers. My router does not have one. I just feel like I'm missing something simple. Below is my router config (certs below have random changes to them, but I left them in to show a more complete config). The error I see on the debug of the router:

*Jun 7 15:16:28.246: %SSH-5-DISABLED: SSH 2.0 has been disabled
*Jun 7 15:16:28.247: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Jun 7 15:16:38.656: RADIUS/ENCODE(00001F5F): ask "Password: "
*Jun 7 15:16:38.657: RADIUS/ENCODE(00001F5F): send packet; GET_PASSWORD
*Jun 7 15:16:42.355: RADIUS/ENCODE(00001F5F):Orig. component type = Exec
*Jun 7 15:16:42.355: RADIUS(00001F5F): Config NAS IP: 192.168.100.2
*Jun 7 15:16:42.355: RADIUS(00001F5F): Config NAS IPv6: ::
*Jun 7 15:16:42.355: RADIUS/ENCODE(00001F5F): acct_session_id: 4019
*Jun 7 15:16:42.356: RADIUS(00001F5F): sending
*Jun 7 15:16:42.356: RADIUS(00001F5F): Send Access-Request to 192.168.100.254:2083 id 50173/21, len 81
RADIUS: authenticator 6B 09 22 F4 2B CC E1 77 - A2 6C 05 97 AF 97 A2 16
*Jun 7 15:16:42.356: RADIUS: User-Name [1] 13 "username"
*Jun 7 15:16:42.356: RADIUS: User-Password [2] 18 *
*Jun 7 15:16:42.357: RADIUS: NAS-Port [5] 6 1
*Jun 7 15:16:42.357: RADIUS: NAS-Port-Id [87] 6 "tty1"
*Jun 7 15:16:42.357: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jun 7 15:16:42.357: RADIUS: Service-Type [6] 6 Login [1]
*Jun 7 15:16:42.358: RADIUS: NAS-IP-Address [4] 6 192.168.100.2
*Jun 7 15:16:42.368: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Jun 7 15:16:42.368: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
*Jun 7 15:16:44.371: RADIUS/ENCODE(00001F5F): ask "Password: "
*Jun 7 15:16:44.371: RADIUS/ENCODE(00001F5F): send packet; GET_PASSWORD
ISE output:

Overview
Event 5450 RADIUS DTLS handshake failed
Username
Endpoint Id
Endpoint Profile
Authorization Result

Authentication Details
Source Timestamp 2022-06-07 15:16:42.375
Received Timestamp 2022-06-07 15:16:42.375
Policy Server ise
Event 5450 RADIUS DTLS handshake failed

Other Attributes
ConfigVersionId 81
Device Port 49748
DestinationPort 2083
TLSCipher unknown
TLSVersion DTLSv1.2
Device IP Address 192.168.100.2

aaa group server radius radiusise
server name ise
ip radius source-interface GigabitEthernet1
!
aaa authentication login default group radiusise local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
ip name-server 192.168.100.10
ip domain name md.dev.lab
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
crypto pki trustpoint ca1.md.dev.lab
enrollment terminal
fqdn ca1.md.dev.mil.lab
password 7 xxxxxxxxxxxxxxxx
subject-name CN=ca1.md.dev.lab,O=xxx,C=xx,xx=xx
revocation-check crl
source interface GigabitEthernet1
rsakeypair ca
auto-enroll regenerate
!
!
crypto pki certificate chain ca1.md.dev.lab
certificate 1D0000001312AF5F13741ADBFA000000000011
30820580 30820468 A0030201 0202131D 00000013 12AF5F13 741ADBFA 10000000
0013300D 06092A86 4886F70D 01010B05 00306731 13301106 0A099226 8993F22C
64011916 036C6162 31133011 060A0992 268993F2 2C640119 16036D69 6C311330
11060A09 92268993 F22C6401 19160364 65763112 3010060A 09922689 93F22C64
01191602 6D643112 30100603 55040313 096D642D 4341312D 4341301E 170D3232
30363037 32313035 34335A17 0D323430 36303632 31303534 335A3068 3121301F
06092A86 4886F70D 01090213 12636131 2E6D642E 6465762E 6D696C2E 6C616231
0B300906 03550406 13025553 310B3009 06035504 0813024D 44310C30 0A060355
040A1303 45435331 1B301906 03550403 13126361 312E6D64 2E646576 2E6D696C
2E6C6162 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A
02820101 00CCFA80 762DAB59 A01AF691 301E433D A7523AE4 6A9C311B 41E4D93D
88274192 53030504 550B4218 81F340CF 12540360 56438E9F 7DEF6FBD 90D5C785
8D4F3269 BFE6802E 284F4161 07E72C4B 92E12253 B60C8FAC 9580E384 1036AEA8
1EFC14D5 1230FE37 C2050AA0 951E4418 5A9EC27C 1B56F301 F1E985D0 256A80E6
B0827E9F E8570AAB A44FB185 26DA857D 70AB7603 FFEF1A9E 3C9E876E AB5932A5
26086039 39063CE6 5A60CB38 656E0B38 E704D4E0 3E1389AF 7320A76B 909AA385
64420CE7 7DD8F844 3ADC3513 458E2EAE C7865688 071A9361 C01F96F5 F21DABF9
4EB0B3E6 2C3FDFCD 8047790C 3BECC9E3 DCF126C2 4A445224 71BD811B EF10EACB
39A51878 81020301 0001A382 02223082 021E300E 0603551D 0F0101FF 04040302
05A0301D 0603551D 0E041604 1415B183 B8B3B237 99CFA615 B78EED81 B4E99DD7
E7301F06 03551D23 04183016 8014BFA6 897441A5 306C7BD3 5BD4271A EAC1A271
4F0E3081 CC060355 1D1F0481 C43081C1 3081BEA0 81BBA081 B88681B5 6C646170
3A2F2F2F 434E3D6D 642D4341 312D4341 2C434E3D 6361312C 434E3D43 44502C43
4E3D5075 626C6963 2532304B 65792532 30536572 76696365 732C434E 3D536572
76696365 732C434E 3D436F6E 66696775 72617469 6F6E2C44 433D6D64 2C44433D
6465762C 44433D6D 696C2C44 433D6C61 623F6365 72746966 69636174 65526576
6F636174 696F6E4C 6973743F 62617365 3F6F626A 65637443 6C617373 3D63524C
44697374 72696275 74696F6E 506F696E 743081C4 06082B06 01050507 01010481
B73081B4 3081B106 082B0601 05050730 028681A4 6C646170 3A2F2F2F 434E3D6D
642D4341 312D4341 2C434E3D 4149412C 434E3D50 75626C69 63253230 4B657925
32305365 72766963 65732C43 4E3D5365 72766963 65732C43 4E3D436F 6E666967
75726174 696F6E2C 44433D6D 642C4443 3D646576 2C44433D 6D696C2C 44433D6C
61623F63 41436572 74696669 63617465 3F626173 653F6F62 6A656374 436C6173
733D6365 72746966 69636174 696F6E41 7574686F 72697479 30210609 2B060104
01823714 0204141E 12005700 65006200 53006500 72007600 65007230 13060355
1D25040C 300A0608 2B060105 05070301 300D0609 2A864886 F70D0101 0B050003
82010100 5118CA5F 500B3C58 AF59F7EC E9C9B8CA 8DD31906 ECD15C41 21E40585
D17E5AD0 FF73992D E5933A2B F8478E6F EECDAA82 9A9CC315 4C026A32 41DC749B
7CB95F25 A7FD6EF8 9CFD8E02 743EDD71 720CF8E3 7DE98A0E A06AA8ED 1EF22184
5CD62CA6 859099B6 56A1F616 A3D913AC F2BC2278 0CB40700 66D59856 A86AF53F
quit
certificate ca 1C0178FA856557B1476F2A06FE6D0271
308203A9 30820291 A0030201 0202101C 0178FA85 6557B147 6F2A06FE 6D027830
0D06092A 864886F7 0D01010B 05003067 31133011 060A0992 268993F2 2C640119
16036C61 62311330 11060A09 92218993 F22C6401 1916036D 696C3113 3011060A
09922689 93F22C64 01191603 64657631 12301006 0A099226 8993F22C 64011916
026D6431 12301006 03550403 13096D64 2D434131 2D434130 1E170D32 32303630
31313432 3135345A 170D3237 30363031 31343331 35345A30 67311330 11060A09
92268993 F22C6401 1916036C 61623113 3011060A 09922689 93F22C64 01191603
6D696C31 13301106 0A099226 8993F22C 64011916 03646576 31123010 060A0992
268993F2 2C640119 16026D64 31123010 06035504 0313096D 642D4341 312D4341
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
0094CCCE 781F1CA4 82240CE1 9139D992 49E10CB2 E2C9C8F4 E8B25EF0 210A8197
837D0EC4 EC0E87F9 E3F94CC6 6ACBAAAD 72C4DEFB AEE290B4 7A604EEE 1A283989
7FB3F732 22E2AFD0 556C5FE3 99508D30 B8E75D49 EEED4017 1331CCA4 8962ABFF
1D5548DE 06F7D9CF B55D1E07 73E74627 0E9E6519 FD493795 0A8F56C8 E5D6C68D
5AFBA5F6 12D57B87 77DAC623 A2BB87CD BFE540B0 A11667D5 B407E99B 83393BB5
2C1303F0 C983E3D1 0E5CF863 DF04EE40 79722FE2 D20057A3 44D8760B CAD83043
CFBCB738 1F79784A 27FC9B6A A540E77C E10C5560 AE0BA114 F9E922F9 C07A5FFC
50E85236 FF8A52EA D8DB8C69 A16A6881 B99BB773 96BDC36C 1D2419F0 793DFE11
E9020301 0001A351 304F300B 0603551D 0F040403 02018630 0F060355 1D130101
FF040530 030101FF 301D0603 551D0E04 160414BF A6897441 A5306C7B D35BD427
1AEAC1A2 714F0E30 1006092B 06010401 82371501 04030201 00300D06 092A8648
86F70D01 010B0500 03820101 0002A100 2270CDD9 0EDAE998 39CAE30F FAD403D4
86FB1C57 78D46036 49988987 E253FB7F 32D70CC0 6AD7B0B7 F470CF2E C4EA9DBE
890C6859 74F0B687 DB53FC48 C450905D 3AA58FD8 3078B9BF CC16B6C8 B381D18A
quit
!
!
!
!
!
!
!
!
!
spanning-tree extend system-id
!
!
username xxx
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet1
ip address 192.168.100.2 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
no ip http server
ip http secure-server
ip http tls-version TLSv1.2
!
ip tftp source-interface GigabitEthernet2
ip route 0.0.0.0 0.0.0.0 192.168.100.1
ip ssh source-interface GigabitEthernet1
ip ssh rsa keypair-name ca
ip ssh version 2
!
!
!
!
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius server ise
address ipv4 192.168.100.254
dtls port 2083
dtls connectiontimeout 10
dtls trustpoint client ca1.md.dev.lab
dtls trustpoint server ca1.md.dev.lab
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
stopbits 1
line vty 0 4
!
ntp server ip 0.pool.ntp.org
ntp server ip 3.pool.ntp.org
ntp server ip 2.pool.ntp.org
ntp server ip 1.pool.ntp.org
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

Accepted Solution

williamfraatz
Level 1

Fixed the issue. There was an NTP issue, and one of the certs was created about 10 hours into the future.

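The accepted solution points at a clock problem: DTLS, like TLS, rejects a peer certificate whose notBefore is later than the local clock, and ISE reports that only as the generic "5450 RADIUS DTLS handshake failed" seen above. The script below is an added example, not code from the post or from Cisco. It decodes the validity window straight from the hex that IOS prints under "crypto pki certificate chain" and compares it with the device clock, so the check can be done from a pasted config without exporting anything. The two hex prefixes are the first lines of the two certificates in the post (the poster says the dumps were deliberately altered, so the values are illustrative); the clock value is the timestamp from the router debug, and treating it as UTC is an assumption (show clock on the device would settle it). Only the leading fields of the TBSCertificate are walked, so a dump that is cut off in the signature, as the posted one is, still decodes.

```python
# Decode validity windows from IOS 'crypto pki certificate chain' hex and
# compare them with the device clock. Hand-rolled DER walk, standard library only.
from datetime import datetime, timezone

# First lines of the two certificates as printed by IOS in the post. The poster
# altered the dumps, so these are illustrative values, not the real lab certs.
IDENTITY_HEX = """
30820580 30820468 A0030201 0202131D 00000013 12AF5F13 741ADBFA 10000000
0013300D 06092A86 4886F70D 01010B05 00306731 13301106 0A099226 8993F22C
64011916 036C6162 31133011 060A0992 268993F2 2C640119 16036D69 6C311330
11060A09 92268993 F22C6401 19160364 65763112 3010060A 09922689 93F22C64
01191602 6D643112 30100603 55040313 096D642D 4341312D 4341301E 170D3232
30363037 32313035 34335A17 0D323430 36303632 31303534 335A3068 3121301F
06092A86 4886F70D 01090213 12636131 2E6D642E 6465762E 6D696C2E 6C616231
0B300906 03550406 13025553 310B3009 06035504 0813024D 44310C30 0A060355
040A1303 45435331 1B301906 03550403 13126361 312E6D64 2E646576 2E6D696C
2E6C6162 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A
"""
CA_HEX = """
308203A9 30820291 A0030201 0202101C 0178FA85 6557B147 6F2A06FE 6D027830
0D06092A 864886F7 0D01010B 05003067 31133011 060A0992 268993F2 2C640119
16036C61 62311330 11060A09 92218993 F22C6401 1916036D 696C3113 3011060A
09922689 93F22C64 01191603 64657631 12301006 0A099226 8993F22C 64011916
026D6431 12301006 03550403 13096D64 2D434131 2D434130 1E170D32 32303630
31313432 3135345A 170D3237 30363031 31343331 35345A30 67311330 11060A09
92268993 F22C6401 1916036C 61623113 3011060A 09922689 93F22C64 01191603
6D696C31 13301106 0A099226 8993F22C 64011916 03646576 31123010 060A0992
268993F2 2C640119 16026D64 31123010 06035504 0313096D 642D4341 312D4341
"""

# Router clock taken from the debug / ISE live-log timestamp in the post.
# ASSUMPTION: the router clock is UTC; 'show clock' would confirm the zone.
ROUTER_CLOCK = datetime(2022, 6, 7, 15, 16, 42, tzinfo=timezone.utc)

OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName


def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _time(tag, raw):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = raw.decode("ascii")
    if tag == 0x17:  # RFC 5280: two-digit year, 50..99 is 19xx, 00..49 is 20xx
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def _common_name(name):
    """Find the CN in a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    _, p, end = _tlv(name, 0)
    while p < end:
        _, sp, se = _tlv(name, p)    # RelativeDistinguishedName (SET)
        _, ap, _ = _tlv(name, sp)    # AttributeTypeAndValue (SEQUENCE)
        _, os_, oe = _tlv(name, ap)  # attribute type OID
        _, vs, ve = _tlv(name, oe)   # attribute value
        if name[os_:oe] == OID_COMMON_NAME:
            return name[vs:ve].decode("utf-8")
        p = se
    return None


def parse_ios_cert(hex_blob):
    """Decode serial, issuer/subject CN and validity from IOS certificate hex."""
    der = bytes.fromhex("".join(hex_blob.split()))
    _, p, _ = _tlv(der, 0)            # Certificate
    _, p, _ = _tlv(der, p)            # tbsCertificate
    tag, _, e = _tlv(der, p)
    if tag == 0xA0:                   # [0] EXPLICIT version is optional (absent in v1)
        p = e
    _, s, e = _tlv(der, p)            # serialNumber
    serial, p = der[s:e].hex().upper(), e
    _, _, p = _tlv(der, p)            # signature AlgorithmIdentifier, skipped
    _, _, e = _tlv(der, p)            # issuer Name, kept as raw DER
    issuer, p = der[p:e], e
    _, s, e = _tlv(der, p)            # Validity: two times
    t1, a1, b1 = _tlv(der, s)
    t2, a2, b2 = _tlv(der, b1)
    _, _, e2 = _tlv(der, e)           # subject Name
    return {
        "serial": serial,
        "issuer_cn": _common_name(issuer),
        "subject_cn": _common_name(der[e:e2]),
        "not_before": _time(t1, der[a1:b1]),
        "not_after": _time(t2, der[a2:b2]),
    }


def check_validity(cert, now):
    """Classify a parsed certificate against a clock: 'not yet valid', 'expired' or 'valid'."""
    if now < cert["not_before"]:
        return "not yet valid"
    if now > cert["not_after"]:
        return "expired"
    return "valid"


if __name__ == "__main__":
    for label, blob in (("identity", IDENTITY_HEX), ("CA", CA_HEX)):
        c = parse_ios_cert(blob)
        print(f"{label}: CN={c['subject_cn']} issuer={c['issuer_cn']} "
              f"{c['not_before']:%Y-%m-%d %H:%M:%S}Z .. {c['not_after']:%Y-%m-%d %H:%M:%S}Z "
              f"-> {check_validity(c, ROUTER_CLOCK)} at {ROUTER_CLOCK:%Y-%m-%d %H:%M:%S}Z")
```

For the posted data the identity certificate's notBefore (21:05:43Z on 7 June) is later than the 15:16 router clock, so the check reports "not yet valid" while the CA certificate reports "valid"; that is the pattern a router without NTP sync, or an issuing CA whose clock is ahead, produces, and it is invisible in the ISE live log. On the device itself the same information is in "show crypto pki certificates" (the Validity Date block) next to "show clock"; configuring ntp server lines is not enough on its own, "show ntp status" should report synchronised before the DTLS session is attempted.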

4 Replies

@williamfraatz did you configure ISE as per this guide?

https://community.cisco.com/t5/networking-documents/configuring-radius-over-dtls-with-cat9k-and-ise-3-0/ta-p/4438427

...in particular the configuration of the NAD?

Is your CRL server available? Try without doing a CRL check.


My NAD is configured just like in the guide. I did revocation-check none. Still having the same issue, but now I'm not even seeing my router as an active endpoint, and nothing is populating live logs when I try to SSH and use my RADIUS account from AD.

The network is small, 192.168.100.0/24, all on the same subnet. I can ping ISE from the router via hostname.

