FTD failing ISE Authentication for Remote Access VPN

DannyDulin
Level 1

I'm trying to set up Remote Access VPN on my FTDs. Connectivity seems to be working well; however, FTD can't seem to communicate with ISE properly for authentication. I know that connectivity between ISE and FTD is working because I can log on to the FTD CLI using AD credentials (via ISE).

VPN troubleshooting reports AAA Marking RADIUS server 10.x.x.x in aaa-server group ISE as failed. This corresponds with my attempts to login to VPN.

VPN is terminated at the outside interface of my FTD, which has a public address. ISE is behind the FTD, in the same 10 net as the FTD.

Could this possibly be a case of NAT?

1 Reply

The difference between when you try to connect to the FTD itself for management purposes and when a remote VPN user tries to connect is that the FTD management accesses are communicated via the FTD management port. The remote VPN accesses, however, are relayed by the FTD through the interface configured to reach the RADIUS server, ISE in this case.

If, routing-wise, the FTD reaches ISE out of, say, its inside interface, then the issue could be that the FTD is not added to ISE as a client with that address. In this case, the IP address you need to configure on ISE for the FTD would be its inside interface IP, not the management IP.
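The reply's point is that two different source addresses reach ISE from the same FTD: CLI logins are sourced from the management port, while RA-VPN authentication is sourced from whichever data interface the route to ISE leaves through, and ISE only answers RADIUS from IPs it has as network devices. The following Python script is an added example (not from this thread or from Cisco) that models that check on constructed data: a sample FTD route table, a management IP, an ISE network-device list, and placeholder addresses in place of the "10.x.x.x" the post mentions. It does a longest-prefix lookup toward the ISE address to find the egress interface and its IP, then reports whether ISE knows the management source, the VPN source, or both.

```python
"""Which FTD address sources RADIUS toward ISE, and does ISE know it?

Added example with constructed data; not code from the forum thread or from Cisco.
"""
import ipaddress

# Constructed FTD routing table: (prefix, egress interface, interface IP).
# All addresses are placeholders standing in for the post's "10.x.x.x".
FTD_ROUTES = [
    ("0.0.0.0/0", "outside", "203.0.113.10"),
    ("10.10.0.0/16", "inside", "10.10.0.1"),
    ("10.10.50.0/24", "dmz", "10.10.50.1"),
]

# Management port IP: the source of FTD CLI (SSH) logins authenticated via ISE.
FTD_MGMT_IP = "10.10.99.5"

# Constructed ISE network-device (NAD) list: device name -> IPs or prefixes.
# Only the management address is registered, which reproduces the symptom
# described in the question: CLI logins work, RA-VPN authentication fails.
ISE_NADS = {"ftd-mgmt": ["10.10.99.5/32"]}


def egress_for(dest_ip, routes=FTD_ROUTES):
    """Longest-prefix match: return (interface, source IP) the FTD uses for dest_ip."""
    dest = ipaddress.ip_address(dest_ip)
    best = None
    for prefix, iface, src_ip in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, src_ip)
    if best is None:
        raise ValueError(f"no route to {dest_ip}")
    return best[1], best[2]


def ise_knows(src_ip, nads=ISE_NADS):
    """True if any ISE network-device entry covers src_ip."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(p) for ips in nads.values() for p in ips)


def diagnose(ise_ip, routes=FTD_ROUTES, mgmt_ip=FTD_MGMT_IP, nads=ISE_NADS):
    """Compare the management-plane RADIUS path with the RA-VPN RADIUS path."""
    iface, vpn_src = egress_for(ise_ip, routes)
    return {
        "mgmt_source": mgmt_ip,
        "mgmt_known_to_ise": ise_knows(mgmt_ip, nads),
        "vpn_egress_interface": iface,
        "vpn_source": vpn_src,
        "vpn_known_to_ise": ise_knows(vpn_src, nads),
    }


if __name__ == "__main__":
    # Constructed ISE address inside the 10.10.0.0/16 "inside" route.
    report = diagnose("10.10.20.30")
    for key, value in report.items():
        print(f"{key:22} {value}")
    if not report["vpn_known_to_ise"]:
        print(f"Add {report['vpn_source']} ({report['vpn_egress_interface']}) "
              "as a network device in ISE.")
```

With the sample data, the management source 10.10.99.5 is known to ISE but the VPN source 10.10.0.1 (the inside interface) is not, which is the mismatch the reply describes; adding a second network-device entry for the inside interface IP makes both paths pass. On a real deployment the same comparison is done by reading the FTD's route to the ISE address and checking the ISE network-device list against the NAS IP that ISE's RADIUS live log shows (or fails to show) for the VPN attempts.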