11-24-2013 10:32 AM - edited 03-10-2019 09:07 PM
I am facing a strange issue in my environment. I use ISE 1.2 as a RADIUS server for device management/authentication (not NAC usage). I have a Cisco C6509E VSS as the core device. The device was added to ISE and AAA auth was working fine. I changed the IP address of the switch during my DC migration. Since then AAA fails for this device. The ISE report and tcpdump show the old IP. My Wireshark capture (SPAN port) also shows the old IP in the packet header irrespective of the RADIUS source interface I use on the switch. Debug (radius/aaa) output on the switch shows the correct interface address which I use in 'ip radius source-interface'.
Unfortunately I am unable to restart the switch as it is a core device in a critical place. It looks like a strange IOS issue. Has anyone faced this kind of issue? Please advise how to resolve it without a restart. I don't know why the switch is always using its old IP to frame the RADIUS packet.
11-25-2013 08:59 AM
Check the following:
Kind Regards,
Kevin Sheahan, CCIE # 41349 (Security)
11-26-2013 06:58 AM
These have been verified. I tried different source interfaces and even changed the MAC addresses of the SVIs. I am sniffing the interface of the ISE appliance to capture RADIUS packets. I am wondering how the C6509E switch can frame an IP packet with a source address not belonging to it. The MAC address belongs to the switch but the source IP address does not belong to the switch (it is its old IP address).
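A check for the symptom described above, as an added example that is not part of the original thread: it reads the IPv4 header source and the RADIUS NAS-IP-Address attribute (type 4, RFC 2865) from a captured Access-Request so the two addresses can be compared. The sample packet, its documentation-range addresses and the function names are constructed for illustration.

```python
import socket
import struct

NAS_IP_ADDRESS = 4  # RADIUS attribute type (RFC 2865)

def build_sample(ip_src, nas_ip, ip_dst="203.0.113.5"):
    """Constructed IPv4/UDP/RADIUS Access-Request (checksums left at zero)."""
    attrs = bytes([1, 7]) + b"admin"  # User-Name
    attrs += bytes([NAS_IP_ADDRESS, 6]) + socket.inet_aton(nas_ip)
    radius = struct.pack("!BBH16s", 1, 42, 20 + len(attrs), bytes(16)) + attrs
    udp = struct.pack("!HHHH", 1645, 1812, 8 + len(radius), 0) + radius
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(ip_src), socket.inet_aton(ip_dst))
    return ip + udp

def inspect(packet):
    """Return (ip_header_source, nas_ip_address or None) for an Access-Request."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("not UDP")
    src = socket.inet_ntoa(packet[12:16])
    radius = packet[ihl + 8:]  # skip the 8-byte UDP header
    if len(radius) < 20:
        raise ValueError("truncated RADIUS header")
    code, _ident, length = struct.unpack("!BBH", radius[:4])
    if code != 1 or length < 20 or length > len(radius):
        raise ValueError("not a well-formed Access-Request")
    pos, nas_ip = 20, None
    while pos + 2 <= length:  # walk the type/length/value attributes
        atype, alen = radius[pos], radius[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == NAS_IP_ADDRESS and alen == 6:
            nas_ip = socket.inet_ntoa(radius[pos + 2:pos + 6])
        pos += alen
    return src, nas_ip

def mismatch(packet):
    """True when the header source differs from the NAS-IP-Address attribute."""
    src, nas_ip = inspect(packet)
    return nas_ip is not None and src != nas_ip
```

To use it on a real capture, pass the bytes of one Access-Request starting at the IPv4 header (Ethernet header stripped).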
11-26-2013 07:00 AM
I cleared all aaa/radius related configuration and reconfigured it again but the problem remains.
11-26-2013 12:50 PM
Did you change the IP of the device in your ISE configuration under Administration > Network Devices?
11-30-2013 10:03 PM
What version of code are you running? Also, when you issue a "debug radius authentication", do you see any errors when pulling the new IP address? Also, if you are using RADIUS server groups, did you change the source interface under the group configuration as well?
Tarik Admani
*Please rate helpful posts*
12-03-2013 12:36 PM
Try removing and re-adding the AAA configuration to the switch, to see if that will make the RADIUS service pick the right source interface.