08-21-2022 07:52 AM
Hello, I am using ISE 2.6 in a VM setup. I have two interfaces:
G0: Meant for management purposes, to log in to the UI.
G2: Exposed to the network where RADIUS AAA requests come in. It's a requirement to use this G2 interface only and not respond to the RADIUS AAA requests on G0. The G2 interface was added afterwards and I put a static route pointing to the G2 GW for the NADs' IP subnet where the auth requests are generated from. So IP reachability is there, but we discovered that interface G2 is not responding to the RADIUS requests. How do we make it work (besides fixing the IP route for return packets, which I already did)?
Thanks
08-21-2022 08:10 AM
@tsuthar ISE listens for RADIUS requests on all interfaces as default.
I assume you can ping the G2 IP address from the NADs?
The RADIUS server configuration on the NADs points to the G2 IP address?
If you run "show aaa server" is the RADIUS server UP?
08-21-2022 08:19 AM
@Rob Ingram Yes the G2 IP is reachable by the NADs. And the AAA configuration is done to point to the G2 IP. We ran traces and the AAA requests are sent from the NADs but there is no response coming back. To test and isolate the issue - I put freerad (in the same subnet as the ISE VM) as an alternative and it is able to authenticate/authorize without any problem. So that tells me somehow ISE is not responding to the AAA requests. Looks like some configuration needs to happen which I am trying to figure out.
Appreciate any help.
08-21-2022 08:25 AM
@tsuthar ok so you can ping the G2 interface, but does the NAD confirm the NAD is UP - "show aaa server"?
Run tcpdump on ISE to confirm the packets reach ISE.
I assume you've defined the NADs in ISE with the correct shared secret? If not there will be no logs.
08-21-2022 08:38 AM
Yes, all that basic config is not an issue. Just to add to the tests we ran, another test here: I moved one of the NADs to a different network which can reach the G0 interface (even though it's not allowed by policy, for testing purposes I managed to do it). I changed the NAD AAA config to point to the G0 IP, and the AAA is working just fine. So that tells me G2 is not able to serve the AAA requests.
08-21-2022 08:50 AM
@tsuthar well ISE listens for RADIUS on all interfaces, perhaps there is a bug for your patch version of ISE, have you checked?
Did you confirm whether ISE receives the RADIUS requests destined to the G2 IP address by using tcpdump?
08-21-2022 09:28 AM
Yes Rob. I see the radius requests coming in. See attached a snapshot.
You've mentioned a possible bug - I have this patch applied: ise-patchbundle-2.6.0.156-Patch10-21081000.SPA.x86_64.tar.gz
Here is the livelog:
11001 | Received RADIUS Access-Request
11017 | RADIUS created a new session
11007 | Could not locate Network Device or AAA Client
5405 | RADIUS Request dropped
If it's sending the response on G0 - obviously the NAD won't be reachable.
08-21-2022 09:58 AM
@tsuthar this message "Could not locate Network Device or AAA Client" sticks out...
Conditions: Click the magnifying glass icon in Authentications to display the steps in the Authentication Report. The logs display the following error message:
• 11007 Could not locate Network Device or AAA Client
Possible Causes: The administrator did not correctly configure the network access device (NAD) type in Cisco ISE.
Resolution: Add the NAD in Cisco ISE again, verifying the NAD type and settings.
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.pdf
Are you saying the packet capture confirms it's coming from the incorrect interface IP?
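To make the 11007 step concrete, here is an added example (not Cisco's or ISE's code, and not from any post in this thread) that audits a tcpdump-style RADIUS capture against a NAD inventory. The device names, addresses and capture lines are constructed; the server address 10.20.40.10 is a placeholder. An Access-Request whose source IP falls in no configured device entry is the condition ISE logs as 11007 before dropping the packet, which is why nothing leaves the interface in reply. The check also flags requests from a known device that never got an answer, the symptom the tcpdump in this thread showed.

```python
"""Audit RADIUS Access-Requests in a tcpdump summary against a NAD inventory.

Added example, not ISE's own logic. A request whose source IP matches no
configured network device is the case ISE reports as
"11007 Could not locate Network Device or AAA Client" and then drops, so no
reply is ever sent back out of the interface.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed NAD inventory: device name -> single IP or CIDR range.
NADS: Dict[str, str] = {
    "dc-switch-01": "10.20.30.5",
    "branch-stack": "10.50.0.0/24",
}

# Constructed capture lines in tcpdump's RADIUS summary format.
# Placeholder RADIUS server address: 10.20.40.10 (the G2 interface).
SAMPLE_CAPTURE = """\
09:27:41.101 IP 10.20.30.5.49152 > 10.20.40.10.1812: RADIUS, Access-Request (1), id: 0x1a length: 142
09:27:41.103 IP 10.20.40.10.1812 > 10.20.30.5.49152: RADIUS, Access-Accept (2), id: 0x1a length: 40
09:27:45.220 IP 10.20.30.6.49153 > 10.20.40.10.1812: RADIUS, Access-Request (1), id: 0x1b length: 140
09:27:50.001 IP 10.50.0.17.1024 > 10.20.40.10.1812: RADIUS, Access-Request (1), id: 0x02 length: 139
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): RADIUS, (?P<code>Access-\w+) "
    r"\(\d+\), id: (?P<id>0x[0-9a-fA-F]+)"
)


def load_nads(inventory: Dict[str, str]) -> Dict[str, ipaddress.IPv4Network]:
    """Normalise every inventory entry to a network (a bare IP becomes a /32)."""
    return {name: ipaddress.ip_network(addr, strict=False) for name, addr in inventory.items()}


def find_nad(src_ip: str, nads: Dict[str, ipaddress.IPv4Network]) -> Optional[str]:
    """Return the name of the NAD whose entry contains src_ip, or None (the 11007 case)."""
    ip = ipaddress.ip_address(src_ip)
    for name, net in nads.items():
        if ip in net:
            return name
    return None


def parse_capture(text: str) -> List[dict]:
    """Keep only lines tcpdump decoded as RADIUS; other traffic is ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def audit_capture(text: str, inventory: Dict[str, str]) -> List[dict]:
    """One finding per Access-Request: which NAD it matched and whether a reply was seen."""
    nads = load_nads(inventory)
    pkts = parse_capture(text)
    requests = [p for p in pkts if p["code"] == "Access-Request"]
    # A reply is matched to its request by (client IP, client port, RADIUS identifier).
    replies = {(p["dst"], p["dport"], p["id"]) for p in pkts if p["code"] != "Access-Request"}
    findings = []
    for r in requests:
        nad = find_nad(r["src"], nads)
        answered = (r["src"], r["sport"], r["id"]) in replies
        if nad is None:
            verdict = "11007: source IP matches no configured NAD"
        elif not answered:
            verdict = "known NAD but no reply seen (check return route / shared secret)"
        else:
            verdict = "ok"
        findings.append({"src": r["src"], "nad": nad, "answered": answered, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_capture(SAMPLE_CAPTURE, NADS):
        print(f"{f['src']:<12} nad={f['nad']!s:<14} answered={f['answered']!s:<5} {f['verdict']}")
```

Run against a real capture, the useful comparison is the source IP of each Access-Request against the address actually entered for that device in ISE; a device that was re-addressed (or moved between networks for testing, as in this thread) keeps sending from its new IP while ISE still knows it by the old one.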
08-22-2022 06:17 AM
Sorry Rob - was outside yesterday.
If it's a NAD issue, then it should not work when using the G0 interface either. I tried re-adding the NAD type and attributes but no luck.
To your earlier question - the tcpdump shows the incoming request to the ISE on the G2 interface (correct interface) but nothing going back or no response going out on G2.
08-22-2022 06:25 AM
From the NAD, can you ping G2?
How do you connect both interfaces to the SW?
08-22-2022 06:34 AM
Yes, I am able to ping the G2 interface (stated earlier too) from the NAD as well as the Client. G0 is on a different network, VM-NET-MGMT (for management purposes only, i.e. for users to log in to ISE etc.). G2 is on a different network that connects into the DC Switch where the Client + NAD auth requests come in. Hope this clarifies my setup.
08-22-2022 06:39 AM
Are you able to ping G2 using the NAD IP address as added in ISE?
Use:
ping G2 source NAD IP <as you enter in ISE>
08-22-2022 07:06 AM
@MHM Cisco World Thanks - that was the issue. When I flipped back and forth I didn't change the IP of the NAD in ISE. Once I corrected it, auth started working. Thanks for the pointer.
08-22-2022 07:17 AM
You are so so welcome