03-17-2024 03:19 AM - edited 03-18-2024 01:55 AM
Hello, I'm trying to configure the switch so that ISE can trust the switch. Here's the topology. [ISE IP: 172.16.10.25]
I'm using this config in the switch:
aaa new-model
radius server ISE1
 address ipv4 172.16.10.25 auth-port 1645 acct-port 1646
 key 0 cisco
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update newinfo periodic 600
aaa accounting dot1x default start-stop group radius
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server retry method reorder
radius-server timeout 3
radius-server deadtime 15
aaa group server radius ISE-GROUP
 server name ISE1
aaa server radius dynamic-author
 client 172.16.10.25 server-key cisco
interface GigabitEthernet0/0
 switchport mode access
 switchport access vlan 10
 ip device tracking maximum 10
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 spanning-tree portfast
But there are no RADIUS live logs in ISE. Can anyone tell me what's wrong with it and what should change in the switch config?
03-17-2024 03:31 AM
Can I ask you something not related to your issue, but something I face in my lab:
you use FTD and Win; can you access FTD FDM via Win? Which Win do you use, Win7 or Win10?
Can you share a link to download Win10 if you use it?
And for your Q:
debug radius <<- in the SW, check if the SW is sending RADIUS requests to ISE
MHM
03-17-2024 03:42 AM - edited 03-17-2024 03:48 AM
In this lab I access FTD via FMC with Win, and I'm using Win10, so I don't use FDM. But I do have experience in the field that I need to put FTD in routed mode; at least that's what my co-worker told me. (I don't know if transparent mode can also work.)
I would like to share the link, but unfortunately I'm using my office virtual lab, so I don't know where to download it, they didn't tell me, and I don't have access to copy the images via WinSCP either (T_T)
Um.. is there anything wrong with it? I'm really new to this.
03-17-2024 03:49 AM
no debug radius
debug dot1x all <<- use this instead
MHM
03-17-2024 04:13 AM
Regarding the FTD and Win, can you check whether you use FTD 7.x.x or 6.x.x?
Thanks a lot
MHM
03-17-2024 11:39 PM
7.2
03-18-2024 02:30 AM
Thanks a lot
Regarding the ISE issue:
show aaa servers
debug dot1x all <<- you did not share this
MHM
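The counters in `show aaa servers` are what tell you whether the switch ever sent an Access-Request and whether ISE ever answered, which is the split the thread is trying to make (port never triggering authentication versus ISE dropping the request). The script below is an added example, not from the thread or from Cisco; the sample output is constructed and only modelled on the IOS format, and the hosts, hostnames and counters in it are made up.

```python
"""Interpret `show aaa servers` counters during a RADIUS troubleshooting pass.

Constructed example. Separates "no Access-Request ever left the switch" from
"requests left but nothing came back", which points at different fixes.
"""
import re
from typing import Dict, List

# Constructed sample modelled on IOS `show aaa servers` output (not a real capture).
SAMPLE_OUTPUT = """\
RADIUS: id 1, priority 1, host 172.16.10.25, auth-port 1645, acct-port 1646, hostname ISE1
     State: current UP, duration 3600s, previous duration 0s
     Dead: total time 0s, count 0
     Quarantined: No
     Authen: request 12, timeouts 12, failover 0, retransmission 8
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 12
     Author: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
RADIUS: id 2, priority 2, host 172.16.10.26, auth-port 1812, acct-port 1813, hostname ISE2
     State: current UP, duration 3600s, previous duration 0s
     Dead: total time 0s, count 0
     Quarantined: No
     Authen: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
RADIUS: id 3, priority 3, host 172.16.10.27, auth-port 1812, acct-port 1813, hostname ISE3
     State: current UP, duration 3600s, previous duration 0s
     Dead: total time 0s, count 0
     Quarantined: No
     Authen: request 40, timeouts 1, failover 0, retransmission 1
             Response: accept 30, reject 9, challenge 120
     Author: request 0, timeouts 0, failover 0, retransmission 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
"""

SERVER_RE = re.compile(r"^RADIUS: id (?P<id>\d+), .*?host (?P<host>[\d.]+)", re.M)
STATE_RE = re.compile(r"State: current (?P<state>\w+)")
AUTHEN_RE = re.compile(r"Authen: request (?P<req>\d+), timeouts (?P<to>\d+)")
RESPONSE_RE = re.compile(
    r"Response: accept (?P<acc>\d+), reject (?P<rej>\d+), challenge (?P<chal>\d+)")


def parse_show_aaa_servers(text: str) -> List[Dict]:
    """Split the output per server and pull out the authentication counters."""
    servers = []
    heads = list(SERVER_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        block = text[head.start():end]
        state = STATE_RE.search(block)
        authen = AUTHEN_RE.search(block)
        resp = RESPONSE_RE.search(block)  # first "Response: accept" line is Authen's
        servers.append({
            "host": head.group("host"),
            "state": state.group("state") if state else "UNKNOWN",
            "requests": int(authen.group("req")) if authen else 0,
            "timeouts": int(authen.group("to")) if authen else 0,
            "responses": (sum(int(resp.group(g)) for g in ("acc", "rej", "chal"))
                          if resp else 0),
        })
    return servers


def diagnose(server: Dict) -> str:
    """Map the counters to the next thing worth checking."""
    if server["state"] != "UP":
        return "marked %s: fix reachability to the server first" % server["state"]
    if server["requests"] == 0:
        return ("no Access-Request ever sent: authentication is not triggering on "
                "the port (check dot1x/mab on the interface, debug dot1x all)")
    if server["responses"] == 0:
        return ("requests sent but never answered: the server is dropping them "
                "(switch not a Network Device in ISE, RADIUS source IP differs "
                "from the one defined in ISE, shared secret mismatch, or filtered)")
    return "server answering (%d responses): continue in ISE live logs" % server["responses"]


def report(text: str = SAMPLE_OUTPUT) -> Dict[str, str]:
    """Return {host: diagnosis} for every RADIUS server in the output."""
    return {s["host"]: diagnose(s) for s in parse_show_aaa_servers(text)}


if __name__ == "__main__":
    for host, verdict in report().items():
        print(host, "->", verdict)
```

Paste real `show aaa servers` output into `report()` in place of the sample; a server with requests but zero responses is the case the later replies in this thread describe (Network Device definition, source IP, shared secret), while zero requests means the problem is on the port, before RADIUS is involved at all.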
03-18-2024 12:41 AM
Which switch is the configuration you provided for, Switch5? At a high level I see only switchport access (I do not see any access vlan - is that intentional?)
Check the guide below for ISE wired deployment. -
03-18-2024 03:24 AM
Hello @balaji.bandi, I really thank you for the documentation you gave. But I have a problem where the AD group section is empty when I choose 'Select Groups from directory'. Perhaps you know something?
03-18-2024 04:12 AM
@kentwirianata your ISE node ISETEST is not joined to the domain isedemo.lab, therefore there will not be any groups for you to import.
Select the box next to ISETEST, then click Join. You then need to enter your AD credentials to join ISE to the domain, the account you use must have the correct permissions to add the ISE node to the domain - use the administrator account as it's a lab.
Once joined you can then import the AD groups.
03-19-2024 01:08 AM
You need to join ISE to AD - check in the document how to join ISE to AD before you get AD Groups in ISE
03-18-2024 01:53 AM
Oh sorry, I forgot to write it, but I do configure switchport access vlan 10
03-18-2024 02:27 AM
@kentwirianata if there are no live logs in ISE, this could be because the switch is not defined in ISE as a Network Device, or the source of the RADIUS request comes from a different IP address than what is defined in ISE, or the shared secret is incorrect.
Is the switch defined as a Network Device in ISE with the correct IP address?
If the switch has multiple IP addresses, have you defined the RADIUS source interface? Use the command "ip radius source-interface <interface>". The IP address of that interface would be configured in ISE under the Network Device for that switch.
Check your shared secret matches on the switch and ISE.
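The shared secret is not just a password that ISE compares: it keys the Message-Authenticator HMAC on the Access-Request and the MD5 Response Authenticator on the reply, so a mismatch makes the server drop the request with no reply and the switch sees only timeouts, which is exactly the "no live logs" symptom. The code below is an added example written for this thread, not from the thread, Cisco or ISE; the username and NAS IP address in it are constructed, and "cisco" is the key from the switch configuration above.

```python
"""RADIUS shared-secret verification (RFC 2865 / RFC 2869), constructed example.

Builds a minimal Access-Request the way a NAS (the switch) does and verifies it
the way the server (ISE) does; then the reverse direction for the reply.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (length covers the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, username: str, nas_ip: str,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request carrying a Message-Authenticator (HMAC-MD5 keyed by the secret)."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: 16 random octets
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    # The HMAC covers the whole packet with the Message-Authenticator value zeroed.
    zeroed_ma = _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = 20 + len(attrs) + len(zeroed_ma)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    mac = hmac.new(secret, header + attrs + zeroed_ma, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_access_request(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the HMAC with the server's own copy of the secret."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    received_mac = None
    zeroed = bytearray(packet)
    pos = 20
    while pos < length:
        if pos + 2 > length:
            return False
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed TLV
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received_mac = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = b"\x00" * 16
        pos += attr_len
    if received_mac is None:
        return False  # a request without the attribute is not trusted here
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received_mac, expected)


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """Reply with Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """NAS side: the switch checks the reply came from a server holding the same secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def demo(nas_secret: bytes = b"cisco", server_secret: bytes = b"cisco") -> Tuple[bool, bool]:
    """(request accepted by server, reply accepted by NAS) for a given pair of secrets."""
    req_auth = os.urandom(16)
    # Username and NAS IP are constructed for the example.
    request = build_access_request(7, nas_secret, "host/PC1", "172.16.10.1", req_auth)
    request_ok = verify_access_request(request, server_secret)
    reply = build_response(ACCESS_ACCEPT, 7, req_auth, b"", server_secret)
    return request_ok, verify_response(reply, req_auth, nas_secret)


if __name__ == "__main__":
    print("matching secrets:", demo())                     # (True, True)
    print("mismatched secrets:", demo(b"cisco", b"other"))  # (False, False)
```

`demo()` with the same secret on both sides returns `(True, True)`; with different secrets it returns `(False, False)`, and in the real exchange the first `False` is the point where the server stops and never replies, which is why the switch-side counters show only timeouts.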