PSN not Authenticating Radius and TACACS

mpbaker82
Level 1

I have an ISE distributed deployment:

1 PAN (admin, monitor, and PSN), geographic location 1 (primary)

1 SAN (admin, monitor, and PSN), geographic location 2 (backup to primary)

5 PSNs (PSN persona only), geographic locations 3-5 (the only service running on these PSNs is "Enable Device Admin". Everything else is deselected.)

 

No node groups are created

 

I'm able to point any device on my network, regardless of geographic location, to my primary PAN and the device authenticates using the policies I have set up (RADIUS/TACACS). However, when I attempt to point a device to its local ISE PSN node, it fails. In my Admin > System > Deployment screen, all my nodes show a status of connected.

 

I've tried to use some logs to verify the sync, and to see if the PSNs are even seeing the authentication attempt, but I'm not seeing any such thing. It's possible I'm not even looking at the right log.

 

Any ideas as to why? I'm hoping the great people on this forum can be of more assistance than the TAC support team. I can honestly say I've had three separate and individual experiences with TAC and it's much less desirable.

 

Thanks :)

Michael

 

18 Replies

So I did your test. I did it twice.

 

(RADIUS) Device to PAN

Once to the PAN to get a baseline of what I should be seeing. Everything worked great. I saw the data coming in on the 2 logs you pointed me to and I saw tcpdump information as warranted.

 

Then again,

 

(RADIUS) Device to local ISE PSN node

No authentication, nothing in the logs. It's like it didn't even see the device. I also did a tcpdump on the PSN node filtering for my IP host 10.x.x.x and attempted to authenticate twice and NOTHING.

 

I'm going to look at the comms between my PSNs and the PAN. I'll put in a TAC ticket on Monday to see what else I can get going.

 

When I finally figure this out, I'll post back with the update.

 

 

... I also did a tcpdump on the PSN node filtering for my IP host 10.x.x.x and attempted to authenticate twice and NOTHING.

 


If your IP host 10.x.x.x is the PSN and nothing shows in the tcpdump, then that means your network device is not making requests to the PSN at all.

pan
Cisco Employee
No need to engage TAC; it looks like network blockage.

You need to make sure your network is not blocking the following ports:
For RADIUS: UDP 1645, 1646, 1812, 1813 traffic
For TACACS: TCP 49 traffic

Check whether there is any firewall blocking this traffic.
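The port check described above, as an added example that is not part of this thread or of any Cisco tool: it evaluates a constructed first-match ACL (all addresses hypothetical) and reports which of the RADIUS/TACACS+ ports between a network device and an ISE node are blocked, so the PAN-works-but-PSN-fails pattern from this thread shows up as a list of missing permits.

```python
"""Report which AAA ports a first-match firewall/ACL blocks between a NAS and an ISE node."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports the reply above says must be open from the network device to ISE.
REQUIRED_AAA_PORTS = [("udp", 1645), ("udp", 1646), ("udp", 1812), ("udp", 1813), ("tcp", 49)]


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "udp", "tcp" or "ip" (any protocol)
    src: str                         # source CIDR
    dst: str                         # destination CIDR
    ports: tuple = (0, 65535)        # inclusive destination port range

    def matches(self, proto, src_ip, dst_ip, dport):
        return (self.proto in ("ip", proto)
                and ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.ports[0] <= dport <= self.ports[1])


def permitted(rules, proto, src_ip, dst_ip, dport):
    """First matching rule wins; no match means the implicit deny at the end."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action == "permit"
    return False


def blocked_aaa_ports(rules, nas_ip, ise_ip):
    """Return the (proto, port) pairs the NAS cannot reach on the ISE node."""
    return [(p, port) for p, port in REQUIRED_AAA_PORTS
            if not permitted(rules, p, nas_ip, ise_ip, port)]


# Constructed sample rule set (hypothetical addresses): the PAN is fully reachable,
# but the PSN only got a permit for RADIUS authentication/accounting on 1812-1813.
SAMPLE_RULES = [
    Rule("permit", "ip", "10.20.0.0/16", "10.1.1.5/32"),               # site -> PAN
    Rule("permit", "udp", "10.20.0.0/16", "10.1.1.10/32", (1812, 1813)),  # site -> PSN
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),                     # explicit deny any
]

if __name__ == "__main__":
    for node in ("10.1.1.5", "10.1.1.10"):
        print(node, "blocked:", blocked_aaa_ports(SAMPLE_RULES, "10.20.5.1", node))
```

Run it with the ACL that actually sits between the site and the data centre transcribed into `Rule` entries; an empty list for the PSN is what you want to see before re-testing with tcpdump on the node.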

Thank you to all that have contributed. As promised, the issue was a firewall filter blocking network traffic to my PAN and PSN. Once I added the route, everything started working perfectly as designed. Much appreciated, Cisco Forum :)