07-20-2020 12:43 PM
working on a ISE migration from 2.3 to 2.7 p1 virtual environment where i did a full backup and restore to the new virtual servers...no issues reported with restore....working to test AAA on a couple switches before migrating the entire environment and have run into an issue. the devices are in ISE and reporting under the proper NDG, TACACS+ is working. RADIUS and TACACS+ is enabled in ISE and keys are correctly configured for the devices. when i Configured the switch to point to the new RADIUS server IP Address, im not getting any RADIUS authentication messages to be accepted.....
in Live logs for the RADIUS transactions this is the error message:
11001 | Received RADIUS Access-Request |
11017 | RADIUS created a new session |
11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10)) |
15049 | Evaluating Policy Group |
15008 | Evaluating Service Selection Policy |
11019 | Selected DenyAccess Service |
anyone understand what is happening? the Selected DenyAccess Service is an old ACS thing i get...but why isnt the server accepting RADIUS requests.
Thanks in advance
Solved! Go to Solution.
08-05-2020 10:52 AM
so I do not have a concrete definitive answer on this one as of yet, but we got it working. We submitted a TAC case and they gathered logs and did their things and still waiting to hear back. in order to overcome our issue, we tested authentications individually to each of the two nodes in the deployment by setting switches to point directly at it. we built a new MAB policy and created a new protocol group for radius (as we observed during the migration it actually called it "migrated default radius protocol") and tested. Initially we were seeing the same result of ISE just not accepting the RADIUS response, so we bounced the secondary node and tested again. this time our test were successful and so we tested against the primary node with the same negative results. Bounced that node as well and ISE accepted and processed RADIUS requests like it should.
We validated all migrated settings against their production ISE deployment and every option was in fact checked upon the restore to the new servers. Only thing we suspect is that something happened under the hood with those RADIUS protocol sequences. We changed every policy set to utilize the newly created RADIUS sequence and every set worked. The migrated default network access policy actually probably came from an old ACS to ISE migration that was performed did and was just carried along for years...somehow that piece may have been corrupting ISE.
07-20-2020 12:57 PM
See if host lookup is enabled or not.
It could be the reason why this is not working
07-20-2020 01:06 PM
HOST LOOKUP is enabled...was enabled on the previous deployment and the setting is also enabled on the new deployment
07-20-2020 01:48 PM - edited 07-20-2020 01:49 PM
Then its your policy
Is there anything for host lookup? can you share the log file for the same.
It could be hitting your default policy which can be access deny
07-20-2020 02:09 PM
I am working with Brian on this one and it is odd. If there was policy set evaluation going on you would see PIP queries. The entirety of the step data is what Brian posted.
|
11001 |
Received RADIUS Access-Request |
|
11017 |
RADIUS created a new session |
|
11027 |
Detected Host Lookup UseCase (Service-Type = Call Check (10)) |
|
15049 |
Evaluating Policy Group |
|
15008 |
Evaluating Service Selection Policy |
|
11019 |
Selected DenyAccess Service |
If you look at normal step data once it hands it off for policy set matching it starts querying PIPs to match policy set conditions:
Received RADIUS Access-Request | ||
11017 | RADIUS created a new session | |
11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10)) | |
15049 | Evaluating Policy Group | |
15008 | Evaluating Service Selection Policy | |
15048 | Queried PIP - Radius.Called-Station-ID |
In our case it is like ISE is saying "Ohh this is RADIUS, then deny service". We checked the deployment to make sure policy service was enabled. I am sure I am missing something obvious but this is a stumper for me.
07-20-2020 04:49 PM
Have you looked at the RADIUS output of a tcpdump to see what the NAS is sending to your PSN? Does it look ok? So the NAS would have been re-configured with the new RADIUS server IP address, as far as I can see that is the only change here.
Is there anything in the policy set that would be relating to the ISE node hostname at all?
Tried an ise application restart?
How about creating a new Policy Set and putting it right at the top and forcing the NAS to use that by NDG settings?
Does sound weird.
08-05-2020 10:52 AM
so I do not have a concrete definitive answer on this one as of yet, but we got it working. We submitted a TAC case and they gathered logs and did their things and still waiting to hear back. in order to overcome our issue, we tested authentications individually to each of the two nodes in the deployment by setting switches to point directly at it. we built a new MAB policy and created a new protocol group for radius (as we observed during the migration it actually called it "migrated default radius protocol") and tested. Initially we were seeing the same result of ISE just not accepting the RADIUS response, so we bounced the secondary node and tested again. this time our test were successful and so we tested against the primary node with the same negative results. Bounced that node as well and ISE accepted and processed RADIUS requests like it should.
We validated all migrated settings against their production ISE deployment and every option was in fact checked upon the restore to the new servers. Only thing we suspect is that something happened under the hood with those RADIUS protocol sequences. We changed every policy set to utilize the newly created RADIUS sequence and every set worked. The migrated default network access policy actually probably came from an old ACS to ISE migration that was performed did and was just carried along for years...somehow that piece may have been corrupting ISE.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide