08-31-2018 09:30 AM - edited 02-21-2020 11:01 AM
Hi,
I am using ISE 2.4, an ASA and a Network monitor tool.
For user authentication from the ASA and the NM tool, RADIUS is used. The issue is that ISE is not getting the username of the RADIUS authentication in the RADIUS logs.
In the RADIUS live log, there is no username in the column; it plainly shows username only. Please find attached the error screenshot.
I have added the ASA and the NM tool as devices in ISE and enabled RADIUS authentication. Any idea why this is happening?
Error:
Event | 5405 RADIUS Request dropped
Failure Reason | 24616 RADIUS token identity store received timeout error
Resolution |
Root cause |
08-31-2018 12:24 PM
Your PingFederate Token Server does not appear to be responding in a timely manner when ISE passes it the token for authentication and therefore the whole RADIUS transaction times out. It should be returning a failure response immediately for USERNAME:TOKEN. This is an entirely separate issue from passing the correct USERNAME to the token server in the first place.
For the <USERNAME> problem, I suggest you compare your ASA RADIUS configuration to one of our guides like ISE Design & Integration Guides > Cisco Adaptive Security Appliance (ASA) > How To Configure Posture with AnyConnect Compliance Module and ISE 2.0
For deeper troubleshooting, I suggest you call TAC.
09-01-2018 12:50 AM
09-01-2018 10:14 AM
ISE 2.4 is masking the username for most of the failed authentications to meet one of the Product Security Requirements. We have an existing enhancement request: CSCvh91118
09-04-2018 01:41 AM
Hi Thomas,
We are using PingFederate as an external server for RADIUS authentication. The log we are getting in PingFederate is "Ignoring packet from unknown client". The ISE IP is added in PingFederate.
In ISE, the PingFederate IP is added as an external RADIUS server, and a RADIUS server sequence is called in the ISE policy set.