ISE acting as Radius Proxy Client?

Aaron Street · ‎02-27-2014

Hi,

I have an issue where a remote company has there internal redius server and I have my ISE radius server.

When there users come to my site, they can authenticate with my wireless and my ISE server proxies the request to there home site to be authenticated and tells me if I should allow them access or not.

So standard radius proxy and it all works well when my ISE server begins the exchange.

However if my staff go to there site the reverse is not working, they are proxying the requests back OK, and I can see on the firewall and router the incomming radius packets destined to my ISE server. But there is no recourd on the ISE server of ever reciving them and it all times out.

Is tehre some thing I need to do to allow ISE to act as the client in a radius proxy set up?

Cheers.

Oh I am running version 1.2

Muhammad Munir · ‎03-03-2014

Hi Aaron,

Check the Cisco ISE dashboard (Operations > Authentications) for any indication regarding the nature of RADIUS communication loss. (Look for instances of your specified RADIUS usernames and scan the system messages that are associated with any error message entries.)

Log into the Cisco ISE CLI5 and enter the following command to produce RADIUS attribute output that may aid in debugging connection issues:

test aaa group radius new-code

If this test command is successful, you should see the following attributes:

Connect port
Connect NAD IP address
Connect Policy Service node IP address
Correct server key
Recognized username or password
Connectivity between the NAD and Policy Service node

You can also use this command to help narrow the focus of the potential problem with RADIUS communication by deliberately specifying incorrect parameter values in the command line and then returning to the administrator dashboard (Operations > Authentications) to view the type and frequency of error message entries that result from the incorrect command line. For example, to test whether or not user credentials may be the source of the problem, enter a username and or password that you know is incorrect, and then go look for error message entries that are pertinent to that username in the Operations > Authentications page to see what Cisco ISE is reporting.)

Note This command does not validate whether or not the NAD is configured to use RADIUS, nor does it verify whether the NAD is configured to use the new AAA model.

The Cisco ISE network enforcement device (switch) is missing the radius-server vsa send accounting command.

Verify that the switch RADIUS configuration for this device is correct and features the appropriate command(s).

For more details please go through the following link:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html#pgfId-192989

Aaron Street · ‎03-03-2014

Hi,

but this is ISE working as a proxy server, I need to test ISE working as the client, IE reciving radisu requests that are gettign proxied from other radius server.

Also in ISE 1.2 I dont see the ability to run

test aaa group radius

is get

ISE1/admin# test aaa group radius

^

% invalid command detected at '^' marker.

noc · ‎10-22-2014

Hi

Did you ever get a solution for this? I'm experiencing the exact same problem as you have detailed here. I can see the radius requests hitting the ISE box, but the ISE box isnt responding.

If you could tell me how you solved this it would be great.

Thanks a lot

Aaron Street · ‎10-22-2014

Hi,

Sorry yes, it was actually the reporting on ISE that was the issue. I had a rule set up incorrectly which meant the ISE sever was rejecting the packets.

The rule was basically saying proxy the proxed request back out, and this was happening but there was no record of it on the ISE server.

I would start right at the start, if possible with a test ISE server out of the box.

External radius server are set up as network devices with correct share passwords.

Then I have an authentication policy that says "if request from these devices then authenticate it by ....."

for me it was a basic user error, but ISE was not good at showing it :)

noc · ‎10-22-2014

Thanks for the speedy response.

I'm still struggling to find the right way to format the authentication condition.

What's the correct attribute to select and how do you point it to the proxy sequence?

Thanks again.

John

Naveen Kumar · ‎03-06-2014

ISE can acts as a RADIUS proxy server by proxying the requests from a network access device (NAD) to a RADIUS server. The RADIUS server processes the request and returns the result to Cisco ISE. Cisco ISE then sends the response to the NAD

FYI

you can use the RADIUS server sequences to proxy the requests to a RADIUS server.

The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.