Solved: Re: ISE server not accepting RADIUS

brirodg76 · ‎07-20-2020

working on a ISE migration from 2.3 to 2.7 p1 virtual environment where i did a full backup and restore to the new virtual servers...no issues reported with restore....working to test AAA on a couple switches before migrating the entire environment and have run into an issue. the devices are in ISE and reporting under the proper NDG, TACACS+ is working. RADIUS and TACACS+ is enabled in ISE and keys are correctly configured for the devices. when i Configured the switch to point to the new RADIUS server IP Address, im not getting any RADIUS authentication messages to be accepted.....

in Live logs for the RADIUS transactions this is the error message:

11001	Received RADIUS Access-Request
11017	RADIUS created a new session
11027	Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049	Evaluating Policy Group
15008	Evaluating Service Selection Policy
11019	Selected DenyAccess Service

anyone understand what is happening? the Selected DenyAccess Service is an old ACS thing i get...but why isnt the server accepting RADIUS requests.

Thanks in advance

brirodg76 · ‎08-05-2020

so I do not have a concrete definitive answer on this one as of yet, but we got it working. We submitted a TAC case and they gathered logs and did their things and still waiting to hear back. in order to overcome our issue, we tested authentications individually to each of the two nodes in the deployment by setting switches to point directly at it. we built a new MAB policy and created a new protocol group for radius (as we observed during the migration it actually called it "migrated default radius protocol") and tested. Initially we were seeing the same result of ISE just not accepting the RADIUS response, so we bounced the secondary node and tested again. this time our test were successful and so we tested against the primary node with the same negative results. Bounced that node as well and ISE accepted and processed RADIUS requests like it should.

We validated all migrated settings against their production ISE deployment and every option was in fact checked upon the restore to the new servers. Only thing we suspect is that something happened under the hood with those RADIUS protocol sequences. We changed every policy set to utilize the newly created RADIUS sequence and every set worked. The migrated default network access policy actually probably came from an old ACS to ISE migration that was performed did and was just carried along for years...somehow that piece may have been corrupting ISE.

View solution in original post

saxenanitesh8522 · ‎07-20-2020

Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols.
Select Default Network Access

See if host lookup is enabled or not.

It could be the reason why this is not working

brirodg76 · ‎07-20-2020

HOST LOOKUP is enabled...was enabled on the previous deployment and the setting is also enabled on the new deployment

saxenanitesh8522 · ‎07-20-2020

Then its your policy

Is there anything for host lookup? can you share the log file for the same.

It could be hitting your default policy which can be access deny

paul · ‎07-20-2020

I am working with Brian on this one and it is odd. If there was policy set evaluation going on you would see PIP queries. The entirety of the step data is what Brian posted.

	11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	11027	Detected Host Lookup UseCase (Service-Type = Call Check (10))
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	11019	Selected DenyAccess Service

If you look at normal step data once it hands it off for policy set matching it starts querying PIPs to match policy set conditions:

Received RADIUS Access-Request
	11017	RADIUS created a new session
	11027	Detected Host Lookup UseCase (Service-Type = Call Check (10))
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP - Radius.Called-Station-ID

In our case it is like ISE is saying "Ohh this is RADIUS, then deny service". We checked the deployment to make sure policy service was enabled. I am sure I am missing something obvious but this is a stumper for me.

Arne Bier · ‎07-20-2020

Have you looked at the RADIUS output of a tcpdump to see what the NAS is sending to your PSN? Does it look ok? So the NAS would have been re-configured with the new RADIUS server IP address, as far as I can see that is the only change here.

Is there anything in the policy set that would be relating to the ISE node hostname at all?

Tried an ise application restart?

How about creating a new Policy Set and putting it right at the top and forcing the NAS to use that by NDG settings?

Does sound weird.

brirodg76 · ‎08-05-2020

so I do not have a concrete definitive answer on this one as of yet, but we got it working. We submitted a TAC case and they gathered logs and did their things and still waiting to hear back. in order to overcome our issue, we tested authentications individually to each of the two nodes in the deployment by setting switches to point directly at it. we built a new MAB policy and created a new protocol group for radius (as we observed during the migration it actually called it "migrated default radius protocol") and tested. Initially we were seeing the same result of ISE just not accepting the RADIUS response, so we bounced the secondary node and tested again. this time our test were successful and so we tested against the primary node with the same negative results. Bounced that node as well and ISE accepted and processed RADIUS requests like it should.

We validated all migrated settings against their production ISE deployment and every option was in fact checked upon the restore to the new servers. Only thing we suspect is that something happened under the hood with those RADIUS protocol sequences. We changed every policy set to utilize the newly created RADIUS sequence and every set worked. The migrated default network access policy actually probably came from an old ACS to ISE migration that was performed did and was just carried along for years...somehow that piece may have been corrupting ISE.