Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1190
Views
0
Helpful
6
Replies

ISE - IOS bug!

sudheere
Level 1
Level 1

‎11-24-2013 10:32 AM - edited ‎03-10-2019 09:07 PM

I am using a stange issue in my environment. I use ISE 1.2 fo as radius server for device management/authentication(Not NAC usage). I am having Cisco c6509E VSS as core device. The device was added to ISE and aaa auth was working fine. I changed IP address of switch during my DC migration. Since then AAA fail for thsi device. ISE report and TCPdump shows old IP. My wireshard capture(SPAN port) also showing old IP in packet header irrespective of radius source interface I use in switch. Debug (radius/aaa) output in switch showing the correct interface addres whcih I  use in 'ip radius source-interface'.

Unfortunatly I am unable to restart switch as it is core device in a critical place. It looks like a stange IOS issue. Did any one faced this kind of issues? Please advise how to resolve without restart. Don't know why the switch is always using its old IP to frame radius packet.

Labels:
0 Helpful
6 Replies 6

Kevin P Sheahan
Level 5
Level 5

‎11-25-2013 08:59 AM

Check the following:

  • Radius source interface on the 6k matches ISE NAD IP for 6k
  • ISE NAD IP was changed when IP on 6k changed
  • Route/Connectivity to/from ISE/6k.

Kind Regards,

Kevin Sheahan, CCIE # 41349 (Security)

Kind Regards, Kevin Sheahan, CCIE # 41349
0 Helpful

sudheere
Level 1
Level 1
In response to Kevin P Sheahan

‎11-26-2013 06:58 AM

These have been virified. I tried difference source interfaces and even changed  MAC addresses of SVIs. I am sniffing interface of ISE appliance to capture radius packets. I wondering how C6509E switch can frame a IP packet with source address not belonging to it. MAC address belongs to the switch but source IP address not belonging to the switch(Its old IP address).

0 Helpful

sudheere
Level 1
Level 1
In response to sudheere

‎11-26-2013 07:00 AM

I cleared all all aaa/radius related configuration and reconfigured again but probelm remains.

0 Helpful

xxkozxx
Level 1
Level 1
In response to sudheere

‎11-26-2013 12:50 PM

Did you change the ip of the device in your ISE configuration under Administration > Network Devices?

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to xxkozxx

‎11-30-2013 10:03 PM

What version of code are you running? Also when issue a "debug radius authentication" do you see any errors when pulling the new ip address? Also if you are using radius server groups did you change the source interface under the group configuration also?

Tarik Admani
*Please rate helpful posts*

0 Helpful

Javier Henderson
Level 4
Level 4

‎12-03-2013 12:36 PM

Try removing and re-adding the AAA configuration to the switch, to see if that will make the RADIUS service pick the right source interface.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents