3103 Views | 10 Helpful | 6 Replies

ISE acting as Radius Proxy Client?

Aaron Street
Level 1

Hi,

I have an issue where a remote company has their internal RADIUS server and I have my ISE RADIUS server.

When their users come to my site, they can authenticate with my wireless and my ISE server proxies the request to their home site to be authenticated, and tells me if I should allow them access or not.

So standard RADIUS proxy, and it all works well when my ISE server begins the exchange.

However, if my staff go to their site the reverse is not working. They are proxying the requests back OK, and I can see on the firewall and router the incoming RADIUS packets destined to my ISE server. But there is no record on the ISE server of ever receiving them and it all times out.

Is there something I need to do to allow ISE to act as the client in a RADIUS proxy setup?

Cheers.

Oh, I am running version 1.2.

6 Replies

Muhammad Munir
Level 5

Hi Aaron,

Check the Cisco ISE dashboard (Operations > Authentications) for any indication regarding the nature of RADIUS communication loss. (Look for instances of your specified RADIUS usernames and scan the system messages that are associated with any error message entries.)

Log into the Cisco ISE CLI and enter the following command to produce RADIUS attribute output that may aid in debugging connection issues:

test aaa group radius new-code

If this test command is successful, you should see the following attributes:

  • Connect port
  • Connect NAD IP address
  • Connect Policy Service node IP address
  • Correct server key
  • Recognized username or password
  • Connectivity between the NAD and Policy Service node

You can also use this command to help narrow the focus of the potential problem with RADIUS communication by deliberately specifying incorrect parameter values in the command line and then returning to the administrator dashboard (Operations > Authentications) to view the type and frequency of error message entries that result from the incorrect command line. For example, to test whether or not user credentials may be the source of the problem, enter a username and/or password that you know is incorrect, and then look for error message entries that are pertinent to that username in the Operations > Authentications page to see what Cisco ISE is reporting.

Note: This command does not validate whether or not the NAD is configured to use RADIUS, nor does it verify whether the NAD is configured to use the new AAA model.

The Cisco ISE network enforcement device (switch) is missing the radius-server vsa send accounting command.

Verify that the switch RADIUS configuration for this device is correct and features the appropriate command(s).

For more details please go through the following link:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html#pgfId-192989

Hi,

But this is ISE working as a proxy server. I need to test ISE working as the client, i.e. receiving RADIUS requests that are getting proxied from another RADIUS server.

Also, in ISE 1.2 I don't see the ability to run

test aaa group radius

I get:

ISE1/admin# test aaa group radius
                ^
% invalid command detected at '^' marker.


Hi

Did you ever get a solution for this? I'm experiencing the exact same problem as you have detailed here. I can see the RADIUS requests hitting the ISE box, but the ISE box isn't responding.

If you could tell me how you solved this it would be great.

Thanks a lot

Hi,

Sorry, yes, it was actually the reporting on ISE that was the issue. I had a rule set up incorrectly, which meant the ISE server was rejecting the packets.

The rule was basically saying proxy the proxied request back out, and this was happening but there was no record of it on the ISE server.

I would start right at the start, if possible with a test ISE server out of the box.

External RADIUS servers are set up as network devices with correct shared passwords.

Then I have an authentication policy that says "if request from these devices then authenticate it by ....."

For me it was a basic user error, but ISE was not good at showing it :)

Thanks for the speedy response.

I'm still struggling to find the right way to format the authentication condition.

What's the correct attribute to select and how do you point it to the proxy sequence?

Thanks again.

John

Naveen Kumar
Level 4

ISE can act as a RADIUS proxy server by proxying the requests from a network access device (NAD) to a RADIUS server. The RADIUS server processes the request and returns the result to Cisco ISE. Cisco ISE then sends the response to the NAD.

FYI

You can use the RADIUS server sequences to proxy the requests to a RADIUS server.

The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.
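The stripping and EAP rules in the reply above are easy to get wrong when the proxied usernames carry both a prefix domain and a suffix realm. The model below is an added example, not code from the thread or from ISE. It assumes the two options an ISE RADIUS server sequence offers (strip the start of the name up to the first occurrence of a separator, strip the end from the last occurrence of a separator) and shows which identity the proxy would forward for a plain RADIUS request versus an EAP request, including the mismatch case the reply says will fail.

```python
"""Model of RADIUS server-sequence username stripping (added example, not ISE code)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class StripRules:
    # Assumed semantics, modelled on the ISE server-sequence options:
    # prefix: strip start of subject name up to the FIRST occurrence of the separator
    # suffix: strip end of subject name from the LAST occurrence of the separator
    prefix_separator: Optional[str] = None
    suffix_separator: Optional[str] = None


def strip_username(user_name: str, rules: StripRules) -> str:
    """Apply the configured stripping to a RADIUS User-Name; names without the
    separator are passed through unchanged."""
    name = user_name
    if rules.prefix_separator and rules.prefix_separator in name:
        name = name.split(rules.prefix_separator, 1)[1]
    if rules.suffix_separator and rules.suffix_separator in name:
        name = name.rsplit(rules.suffix_separator, 1)[0]
    return name


def proxied_identity(user_name: str, eap_identity: Optional[str],
                     rules: StripRules) -> Tuple[str, bool]:
    """Return (identity the proxy uses, whether the sequence can succeed).
    Plain RADIUS: the stripped User-Name. EAP: the EAP-Identity, unstripped, and
    only if it equals the outer User-Name, as the reply above states."""
    if eap_identity is None:
        return strip_username(user_name, rules), True
    return eap_identity, eap_identity == user_name
```

The `CORP\alice@corp.example` case in the test is the one worth trying against a real sequence: with both separators configured the proxied name becomes `alice`, with neither it is forwarded untouched, and the remote server has to expect whichever form you send.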