Solved: ISE 2.4 and Radius on Ciena Optical Platforms

cmlozano8 · ‎09-27-2018

Hi All,

I am having difficulty getting radius authentication to work with our Ciena 6500 optical chassis. Trying to do Radius with PAP. I have policy sets defined with TACACs and Radius. Tacacs works fine. I have a single policy that is suppossed to match network access protocol radius and from their authorize based on user and group, however I can't seem to get any hits on the policy. The radius live logs indicate it is hitting default which doesn't permit PAP. However the hit counters don't increment for the default catch all rule either at the bottom so I am not sure what I am hitting. If I can get the requests to hit the policy I created I think I should be good. The only condition for the policy is Network Access Protocol Radius. Is there something else I need to do to make this work? Or is there something else I may need to consider given they are not Cisco devices?

We currently have the Ciena devices successfully doing Radius Auth via Windows Network Policy Server without issue.

Aravind Ravichandran · ‎10-01-2018

Hi,

You have configured Radius related policies under device admin policy sets,try to create the same policy under Policy->Policy sets & use Default network access in Allowed protocol.

-Aravind

View solution in original post

Timothy Abbott · ‎09-27-2018

Just so I understand correctly, you have a policy set for these optical switches and are trying to match that policy using RADIUS? If that is correct, why not try to match based on device type instead? You can add all those switches to a device type and then us it to match RADIUS requests.

Regards,
Tim

cmlozano8 · ‎09-27-2018

Hi Tim,
Thanks for the suggestion, I did try that as I have created a seperate group for the Optical Chassis however I am getting the same exact behavior. I don't see any hits going up. Even moved the rule to the very top. Almost as if it is not even trying the policy set.

Timothy Abbott · ‎09-27-2018

You may be running into an issue I’ve seen in the past. Are you using “equals” in your condition to match the policy set? If so, trying using “starts with” instead. If that doesn’t work, I recommend contacting the TAC to troubleshoot further.

Regards,
Tim

Peter Koltl · ‎09-30-2018

You need to have an authentication rule covering PAP in the Allowed Protocols list.

Aravind Ravichandran · ‎09-30-2018

Please attach the policy screenshot and the detailed radius log.

-Aravind

cmlozano8 · ‎10-01-2018

Attached policy screenshot. Note that the last two rules have shown 0 and 5 hits for weeks, so neither rule is getting hit. Also, the default device admin allowed protocols profile has pap radius allowed. Also below is the detailed auth report.

Overview

Event	5400 Authentication failed
Username	scrubbed
Endpoint Id
Endpoint Profile
Authentication Policy	Default
Authorization Policy	Default
Authorization Result

Authentication Details

Source Timestamp	2018-10-01 07:53:09.539
Received Timestamp	2018-10-01 07:53:09.539
Policy Server	scrubbed
Event	5400 Authentication failed
Failure Reason	15024 PAP is not allowed
Resolution	Enable PAP/ASCII protocol for the selected service
Root cause	PAP is not allowed
Username	scrubbed
Network Device	ION015OT03P
Device Type	All Device Types#DC Core#Optical
Location	All Locations
NAS IPv4 Address	scrubbed
Response Time	3 milliseconds

Other Attributes

ConfigVersionId	284
Device Port	5556
DestinationPort	1812
RadiusPacketType	AccessRequest
Protocol	Radius
NetworkDeviceProfileId	b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow	false
AcsSessionID	inv001ise01p/323033956/7111027
CPMSessionID	0a800a28LmSHodSQfzi0b6n5i6Sop3TJkKLH9RgDBnXqTuLbiqs
ISEPolicySetName	Default
DTLSSupport	Unknown
Network Device Profile	Cisco
Location	Location#All Locations
Device Type	Device Type#All Device Types#DC Core#Optical
IPSEC	IPSEC#Is IPSEC Device#No
RADIUS Username	scrubbed
NAS-Identifier	scrubbed
Device IP Address	scrubbed
Called-Station-ID	scrubbed

Result

RadiusPacketType	AccessReject
AuthenticationResult	NotAllowed

Steps

	11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	11117	Generated a new session ID
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP - Network Access.Protocol
	15048	Queried PIP - DEVICE.Device Type
	15024	PAP is not allowed
	11003	Returned RADIUS Access-Reject

cmlozano8 · ‎10-01-2018

attached allowed protocols "default device admin"

Aravind Ravichandran · ‎10-01-2018

Hi,

You have configured Radius related policies under device admin policy sets,try to create the same policy under Policy->Policy sets & use Default network access in Allowed protocol.

-Aravind

cmlozano8 · ‎10-01-2018

Yes! Thanks that was my problem. Didn't realize they were separate. I am now hitting the policy. Now I need to tshoot authorization as I am not getting full admin rights in the Ciena GUI.

thomas · ‎09-30-2018

IF the default authentication policy does not include PAP, then you will either need to add it to the default or create a new authentication rule that does.

Note that authentication & authorization policy hits are not updated real-time. ISE updates the hit counters every 10 minutes or so. Use Livelog error messages to understand what rules are being hit and why.