cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

774
Views
0
Helpful
6
Replies
Highlighted
Beginner

ISE server not accepting RADIUS

working on a ISE migration from 2.3 to 2.7 p1   virtual environment where i did a full backup and restore to the new virtual servers...no issues reported with restore....working to test AAA on a couple switches before migrating the entire environment and have run into an issue.  the devices are in ISE and reporting under the proper NDG, TACACS+ is working.  RADIUS and TACACS+ is enabled in ISE and keys are correctly configured for the devices.  when i Configured the switch to point to the new RADIUS server IP Address, im not getting any RADIUS authentication messages to be accepted.....

 

in Live logs for the RADIUS transactions this is the error message:

11001

Received RADIUS Access-Request

11017

RADIUS created a new session

11027

Detected Host Lookup UseCase (Service-Type = Call Check (10))

15049

Evaluating Policy Group

15008

Evaluating Service Selection Policy

11019

Selected DenyAccess Service

 

anyone understand what is happening?  the Selected DenyAccess Service is an old ACS thing i get...but why isnt the server accepting RADIUS requests.

 

Thanks in advance

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Beginner

so I do not have a concrete definitive answer on this one as of yet, but we got it working.  We submitted a TAC case and they gathered logs and did their things and still waiting to hear back.  in order to overcome our issue, we tested authentications individually to each of the two nodes in the deployment by setting switches to point directly at it.  we built a new MAB policy and created a new protocol group for radius (as we observed during the migration it actually called it "migrated default radius protocol") and tested.  Initially we were seeing the same result of ISE just not accepting the RADIUS response, so we bounced the secondary node and tested again.  this time our test were successful and so we tested against the primary node with the same negative results.  Bounced that node as well and ISE accepted and processed RADIUS requests like it should.  

 

We validated all migrated settings against their production ISE deployment and every option was in fact checked upon the restore to the new servers.  Only thing we suspect is that something happened under the hood with those RADIUS protocol sequences.  We changed every policy set to utilize the newly created RADIUS sequence and every set worked.  The migrated default network access policy actually probably came from an old ACS to ISE migration that was performed did and was just carried along for years...somehow that piece may have been corrupting ISE.

View solution in original post

6 REPLIES 6
Highlighted
Enthusiast

  1. Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols.
  2. Select Default Network Access

See if host lookup is enabled or not.

 

It could be the reason why this is not working

Highlighted

HOST LOOKUP is enabled...was enabled on the previous deployment and the setting is also enabled on the new deployment

Highlighted

Then its your policy

 

Is there anything for host lookup? can you share the log file for the same.

 

It could be hitting your default policy which can be access deny

Highlighted

I am working with Brian on this one and it is odd.  If there was policy set evaluation going on you would see PIP queries.  The entirety of the step data is what Brian posted.

 

 

11001

Received RADIUS Access-Request

 

11017

RADIUS created a new session

 

11027

Detected Host Lookup UseCase (Service-Type = Call Check (10))

 

15049

Evaluating Policy Group

 

15008

Evaluating Service Selection Policy

 

11019

Selected DenyAccess Service

 

If you look at normal step data once it hands it off for policy set matching it starts querying PIPs to match policy set conditions:

 

Received RADIUS Access-Request
  11017 RADIUS created a new session
  11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
  15049 Evaluating Policy Group
  15008 Evaluating Service Selection Policy
  15048 Queried PIP - Radius.Called-Station-ID

 

In our case it is like ISE is saying "Ohh this is RADIUS, then deny service".  We checked the deployment to make sure policy service was enabled.  I am sure I am missing something obvious but this is a stumper for me.

Highlighted

Have you looked at the RADIUS output of a tcpdump to see what the NAS is sending to your PSN? Does it look ok? So the NAS would have been re-configured with the new RADIUS server IP address, as far as I can see that is the only change here.

Is there anything in the policy set that would be relating to the ISE node hostname at all?

Tried an ise application restart?

How about creating a new Policy Set and putting it right at the top and forcing the NAS to use that by NDG settings?

Does sound weird.

Highlighted
Beginner

so I do not have a concrete definitive answer on this one as of yet, but we got it working.  We submitted a TAC case and they gathered logs and did their things and still waiting to hear back.  in order to overcome our issue, we tested authentications individually to each of the two nodes in the deployment by setting switches to point directly at it.  we built a new MAB policy and created a new protocol group for radius (as we observed during the migration it actually called it "migrated default radius protocol") and tested.  Initially we were seeing the same result of ISE just not accepting the RADIUS response, so we bounced the secondary node and tested again.  this time our test were successful and so we tested against the primary node with the same negative results.  Bounced that node as well and ISE accepted and processed RADIUS requests like it should.  

 

We validated all migrated settings against their production ISE deployment and every option was in fact checked upon the restore to the new servers.  Only thing we suspect is that something happened under the hood with those RADIUS protocol sequences.  We changed every policy set to utilize the newly created RADIUS sequence and every set worked.  The migrated default network access policy actually probably came from an old ACS to ISE migration that was performed did and was just carried along for years...somehow that piece may have been corrupting ISE.

View solution in original post