Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
361
Views
0
Helpful
4
Replies

ISE Radius Access-Request will not be challenged

alex.f.
Level 1
Level 1

‎06-27-2024 12:45 AM

 

Hi there,
I have encountered the following problem.
ISE small network deployment with two VMs each Pri/Sec (PAN,MnT,PSN) on Proxmox virtualisation.
Authenticators are Meraki Wired/Wireless configured with the Dashboard.
A test for a radius access request sent from the Meraki Dashboard (Switching - Access Policies) to both ISE PSN gets a response from ISE02 (Pri) but not from ISE01 (Sec).
The same test for a Radius Access request sent from the Meraki Dashboard (Wireless - Access Policies) to both ISE PSN is getting a response from both PSN (Pri/Sec).
There is no firewall or routing in place and both ISE nodes are reachable via ping.
A pcap on the Core SW shows that the EAP packets are being sent to the VMs.
A pcap on the Proxmox VMs interface shows that the EAP packet for the radius access request is reaching the dedicated node, but it is not being answered when sent from the switching access policy.

Preview file
208 KB
Preview file
184 KB
Preview file
220 KB
0 Helpful
4 Replies 4

thomas
Cisco Employee
Cisco Employee

‎06-27-2024 08:00 AM

If certain RADIUS requests work (wireless) and others do not (wired) to your secondary PSN, are you seeing any Access-Rejects in the ISE LiveLogs from the switching requests to the 2nd node? If so, what is the reason?

Turn off all RADIUS Suppression to ensure you are seeing all RADIUS Failed attempts:

image.png

0 Helpful

Arne Bier
VIP
VIP

‎06-27-2024 02:06 PM

@alex.f. - are you able to issue a ping from the Switch Dashboard "Tools tab" (ping from .13 to .122) ?

If ping succeeds, then the next thing I would check is whether the Switch (.13 address) is defined in ISE 

0 Helpful

alex.f.
Level 1
Level 1
In response to Arne Bier

‎07-09-2024 07:57 AM - edited ‎07-09-2024 07:58 AM

Yes, ping from the Meraki Dashboard is done successfully and the Switches are Network Devices in ISE.

But all Switches in one Network Devices Object. 

Bildschirmfoto 2024-07-09 um 16.56.09.png

0 Helpful

Arne Bier
VIP
VIP

‎07-09-2024 09:23 PM

Have you tried performing a manual sync up of ISE01?  We have to rely on every node getting the same programming from the PAN - I have seen it once where I was configuring in the GUI, but one of the PSN's wasn't getting the changes I was making - I had to manually sync the node.

If that doesn't work, then it would check your ISE RADIUS Policy Set - are the hit counters increasing?  If not, then the Meraki is possibly not sending the request to that ISE - you can prove that ultimately by running a tcpdump on ISE01 while running that test from Meraki switch.

0 Helpful
Customers Also Viewed These Support Documents