04-21-2020 02:38 AM
Hello Everyone
I have at home, for learning purposes, an ISE installation together with a Cisco Catalyst 2960-X.
I did not work on these devices for the past few days, so I didn't change anything.
Today I started the lab again, and when I wanted to connect through SSH to my switch I got an access denied message.
ISE
The Access-Request for the requested RADIUS is missing
On the switch I see
login as: alice
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:
The RADIUS debug shows a time out to my ISE Node
Jan 5 21:57:44.979: RADIUS/ENCODE(0000000E): ask "Password: "
Jan 5 21:57:44.979: RADIUS/ENCODE(0000000E): send packet; GET_PASSWORD
Jan 5 21:57:47.416: RADIUS/ENCODE(0000000E):Orig. component type = Exec
Jan 5 21:57:47.416: RADIUS/ENCODE(0000000E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Jan 5 21:57:47.416: RADIUS(0000000E): Config NAS IP: 0.0.0.0
Jan 5 21:57:47.416: RADIUS(0000000E): Config NAS IPv6: ::
Jan 5 21:57:47.416: RADIUS/ENCODE(0000000E): acct_session_id: 4
Jan 5 21:57:47.416: RADIUS(0000000E): sending
Jan 5 21:57:47.416: RADIUS/ENCODE: Best Local IP-Address 192.168.1.2 for Radius-Server 192.168.1.207
Jan 5 21:57:47.416: RADIUS(0000000E): Send Access-Request to 192.168.1.207:1812 onvrf(0) id 1645/2, len 69
Jan 5 21:57:47.416: RADIUS: authenticator EF EE 82 6B 18 96 85 33 - 36 A0 83 3A B6 43 08 81
Jan 5 21:57:47.416: RADIUS: User-Name [1] 7 "alice"
Jan 5 21:57:47.416: RADIUS: User-Password [2] 18 *
Jan 5 21:57:47.416: RADIUS: NAS-Port [5] 6 1
Jan 5 21:57:47.416: RADIUS: NAS-Port-Id [87] 6 "tty1"
Jan 5 21:57:47.416: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jan 5 21:57:47.416: RADIUS: NAS-IP-Address [4] 6 192.168.1.2
Jan 5 21:57:47.416: RADIUS(0000000E): Sending a IPv4 Radius Packet
Jan 5 21:57:47.419: RADIUS(0000000E): Started 5 sec timeout
Jan 5 21:57:52.459: RADIUS(0000000E): Request timed out!
Jan 5 21:57:52.459: RADIUS: Retransmit to (192.168.1.207:1812,1813) for id 1645/2
Jan 5 21:57:52.459: RADIUS(0000000E): Started 5 sec timeout
Jan 5 21:57:57.492: RADIUS(0000000E): Request timed out!
Jan 5 21:57:57.492: RADIUS: Retransmit to (192.168.1.207:1812,1813) for id 1645/2
Jan 5 21:57:57.492: RADIUS(0000000E): Started 5 sec timeout
Jan 5 21:58:02.526: RADIUS(0000000E): Request timed out!
Jan 5 21:58:02.526: RADIUS: Retransmit to (192.168.1.207:1812,1813) for id 1645/2
Jan 5 21:58:02.526: RADIUS(0000000E): Started 5 sec timeout
Jan 5 21:58:07.555: RADIUS(0000000E): Request timed out!
Jan 5 21:58:07.555: RADIUS: No response from (192.168.1.207:1812,1813) for id 1645/2
Jan 5 21:58:07.555: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Jan 5 21:58:07.555: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
Jan 5 21:58:09.558: RADIUS/ENCODE(0000000E): ask "Password: "
Jan 5 21:58:09.558: RADIUS/ENCODE(0000000E): send packet; GET_PASSWORD
Ping is working fine.
I don't know if normally port 18212, 1813, 1645 and 1646 will be open if I connect through telnet.
Switch#ping 192.168.1.207
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.207, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Switch#
Switch#telnet 192.168.1.207 1812
Trying 192.168.1.207, 1812 ...
% Connection timed out; remote host not responding
Switch#
Switch#
Switch#telnet 192.168.1.207 1813
Trying 192.168.1.207, 1813 ...
% Connection timed out; remote host not responding
Switch#telnet 192.168.1.207 1645
Trying 192.168.1.207, 1645 ...
% Connection timed out; remote host not responding
Switch#telnet 192.168.1.207 1646
Trying 192.168.1.207, 1646 ...
The only thing I can see on the ISE is the error/warning message attached.
I've already reloaded the switch and the ISE itself. No changes.
Does anyone have an idea why this is happening?
Thanks in advance for your help,
Regards,
Max
04-21-2020 10:19 PM
RADIUS is UDP, so you will not get any response with telnet on the ports. I suggest using the 'test aaa ...' command to validate the RADIUS configuration. I also suggest sharing the aaa configuration and ISE live log details.
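As an added example (not part of the thread, and not Cisco's code): a UDP probe that builds the same Access-Request the switch's debug shows (attributes 1, 2, 5, 87, 61 and 4, 69 bytes in total) and waits for an answer the way the switch does, which a TCP telnet test cannot do. The function names, the shared secret and the password are constructed placeholders.

```python
import hashlib, os, socket, struct

def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide User-Password as in RFC 2865 section 5.2 (MD5 keystream over 16-byte blocks)."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16, minimum 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value   # type, length, value

def build_access_request(ident, user, password, secret, nas_ip, authenticator=None):
    """Access-Request (code 1) with the attribute set from the debug output above."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(1, user.encode())                              # User-Name
             + attr(2, encode_password(password.encode(), secret, authenticator))
             + attr(5, struct.pack("!I", 1))                     # NAS-Port 1
             + attr(87, b"tty1")                                 # NAS-Port-Id
             + attr(61, struct.pack("!I", 5))                    # NAS-Port-Type Virtual
             + attr(4, socket.inet_aton(nas_ip)))                # NAS-IP-Address
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def probe(server, packet, timeout=5.0, retries=3):
    """Send over UDP with retransmits; return the reply code
    (2 Accept, 3 Reject, 11 Challenge) or None if nothing came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for _ in range(1 + retries):
            s.sendto(packet, server)
            try:
                data, _ = s.recvfrom(4096)
            except (socket.timeout, ConnectionError):
                continue                      # timed out or port unreachable: retransmit
            if len(data) >= 20 and data[1] == packet[1]:   # identifier must match
                return data[0]
    return None
```

A `None` result reproduces the "No response from radius-server" condition in the debug: the datagram left the client but no RADIUS reply with a matching identifier arrived.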
04-23-2020 02:58 AM