RADIUS over VRF

Darkmatter
Level 1

Seems like I got something wrong, only I cannot find what's going sideways.

I can ping my ISE RADIUS servers in the default Mgmt-vrf, but still, authentication requests are not reaching ISE.

Strangely enough, I can ping these RADIUS servers within the default Mgmt-vrf, but when I look at "show aaa servers" I believe something is not OK because of the DEAD state, and I have no clue what this Platform State from SMD means.

[attached image: show aaa.jpg]

In addition, "test aaa group radius server 192.168.255.49 auth-port 1812 acct-port 1813 test-user test legacy" throws an "access reject" response on the console, from which I would conclude that all is working fine, but checking the RADIUS live logs in ISE I don't see any failed authentication.

If I test with "test aaa group radius server 192.168.255.49 auth-port 1812 acct-port 1813 test-user test new-code", it again throws an "access reject" response on the console, and now the RADIUS live logs in ISE display the failed authentication!

A TCP dump on ISE during the legacy test doesn't show any RADIUS packets; during the new-code test, RADIUS packets are visible.

Hope someone can help me troubleshoot and eventually solve this issue.

Thanks!

Accepted Solution

Louis Gonzales
Level 1

Not sure if you ever got your answer but in our environment I found that I needed the following command in the global configuration to get Radius over VRF to work.

ip radius source-interface GigabitEthernet0/0 vrf Mgmt-vrf

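Putting the accepted answer and the per-VRF server group from the other reply together, the following is an added illustration written for this thread, not configuration posted by either participant or taken from Cisco documentation. The address 192.168.255.49, the GigabitEthernet0/0 interface and the Mgmt-vrf name come from the thread; the group name ISE_Group, the server name ISE-PSN-1, the dot1x/network method bindings and the shared-secret placeholder are assumptions.

```ios
! --- Per-VRF AAA server group (the shape suggested in the thread) ---
aaa new-model
aaa group server radius ISE_Group
 server name ISE-PSN-1
 ip vrf forwarding Mgmt-vrf
 ip radius source-interface GigabitEthernet0/0
!
radius server ISE-PSN-1
 address ipv4 192.168.255.49 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
 timeout 2
 retransmit 1
!
! --- Global source-interface bound to the VRF (the accepted answer) ---
! The thread's finding was that this global statement, including the
! "vrf" keyword, is what made the requests actually leave via Mgmt-vrf,
! even though ping inside the VRF already worked beforehand.
ip radius source-interface GigabitEthernet0/0 vrf Mgmt-vrf
!
! --- Bind the group to the methods that should use ISE (assumed) ---
aaa authentication dot1x default group ISE_Group
aaa authorization network default group ISE_Group
!
! --- Verification, from exec mode ---
! show aaa servers
!   -> the server should no longer be reported as DEAD
! test aaa group ISE_Group test-user test new-code
!   -> an Access-Reject on the console is only meaningful when the ISE
!      RADIUS live log records the attempt, or a capture on ISE shows
!      the request arriving on UDP/1812; the "legacy" form of the test
!      printed a reject in this thread without any packet reaching ISE
```

The point of the verification block is the one the original poster stumbled on: treat the console result of the test command as a hint, and confirm on the server side (live log or packet capture) that the request was actually received before concluding that AAA is working.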

3 Replies

Mike.Cifelli
VIP Alumni
You have the ability to configure per-VRF AAA server groups. Make sure that whichever server group you reference in your AAA commands has the specified VRF forwarding under the server group. To me your situation sounds like you may be missing this, and your NAD is using a global config, which is how you are sourcing from Mgmt-vrf. Then make sure in the VRF you wish to use that you have routes back to ISE.
Brief example:

aaa group server radius ISE_Group
 server name abcd1
 server name abcd2
 ip vrf forwarding VRF1
 ip radius source-interface Loopback0
....
radius server abcd1
 address ipv4 xxxx auth-port 1812 acct-port 1813
 timeout 2
 retransmit 1
....
radius server abcd2
 address ipv4 xxxx auth-port 1812 acct-port 1813
 timeout 2
 retransmit 1

Good luck & HTH!

Thanks for the suggestion, but I gave multiple pieces of info showing that connectivity inside the VRF is fine, and I read the Cisco docs on AAA per VRF, so I don't think that's the issue.

Moreover, I have the exact same config you posted, with the only difference that my source interface is Gi0/0 - which is a management interface on the switch and in the same VRF of course - it's a Catalyst 3850.

Again, "test aaa group radius server 192.168.255.49 auth-port 1812 acct-port 1813 test-user test legacy" throws an "access reject" response on the console, which is the expected behaviour, from which I would conclude that all is working fine, but checking the RADIUS live logs in ISE I don't see any failed authentication.

If I test with "test aaa group radius server 192.168.255.49 auth-port 1812 acct-port 1813 test-user test new-code", it again throws an "access reject" response on the console, and now the RADIUS live logs in ISE display the failed authentication!
