Radius timing out to ISE

Madura Malwatte
Level 4

I am testing RADIUS connectivity to ISE PSN and not seeing any radius packets on the ISE side. This is using the "test aaa" command. 

 

PSN shows state as UP; does this mean the switch checked whether it can connect to the PSN on the RADIUS ports? How does it determine "UP" status?

 

You can see below, request 48 and timeouts 48. Debugs on the switch show the same thing:


*Aug 27 15:22:01.344: RADIUS(00000000): Sending a IPv4 Radius Packet
*Aug 27 15:22:01.344: RADIUS(00000000): Started 5 sec timeout
*Aug 27 15:22:06.380: RADIUS(00000000): Request timed out!
*Aug 27 15:22:06.380: RADIUS: Retransmit to (10.203.158.13:1812,1813) for id 1645/10

 

Switch#show aaa servers

RADIUS: id 1, priority 1, host 10.203.158.13, auth-port 1812, acct-port 1813
State: current UP, duration 1125s, previous duration 0s
Dead: total time 1257s, count 3
Quarantined: No
Authen: request 48, timeouts 48, failover 0, retransmission 36
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 12
Throttled: transaction 0, timeout 0, failure 0

 

I have double-checked the config on the switch and on ISE. RADIUS live logs on ISE don't show anything. Besides a packet capture, is there anything else I could check?


thomas
Cisco Employee

If ISE LiveLogs are showing nothing then you have a more fundamental reachability issue.

 

Can you ping the ISE PSN(s) from the switch using the same IP configured as the RADIUS source IP address?

 

If ping works, is there still a firewall blocking ports 1812/1813?

 

If there is no firewall, I suggest calling TAC for deeper troubleshooting.


Hi,
Have you defined the switch as a Network Access Device in ISE?

Yes I definitely have, and enabled radius authentication settings with shared secret

If you run tcpdump on ISE do you see the incoming radius request from the switch?

paul
Level 10

Unless you have the RADIUS on the switch configured to do proactive testing:

 

radius server <NAME>
address ipv4 <IP> auth-port 1812 acct-port 1813
key 0 <key>
automate-tester username SW-Radius-Test ignore-acct-port idle-time 5

 

Then the only way the switch will know it is down is for active authentication sessions. If this is a test switch, do you have active authentications happening or just trying your test command? The RADIUS settings determine failure and dead time:

radius-server dead-criteria time 5 tries 3
radius-server deadtime 10

 

Do you have those properly configured? You can see from "show aaa servers" that the switch did mark it dead.

 

Dead: total time 1257s, count 3

 

I am guessing you don't have your deadtime cranked up to 10 minutes like I show above.
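The point made in this reply, that "current UP" after a dead cycle reflects an expired deadtime rather than a server that answered, can be checked mechanically from the counters. The following Python script is an added example, not code from the thread or from Cisco: it parses the "show aaa servers" block quoted above (embedded here as a constructed sample) and derives a reachability verdict from request, timeout and response counts instead of from the State line. The `deadtime_min` parameter is an assumption standing in for the locally configured "radius-server deadtime" value, and the regexes are keyed to the exact output format shown in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "show aaa servers" block quoted earlier in this thread.
SHOW_AAA_SERVERS = """\
RADIUS: id 1, priority 1, host 10.203.158.13, auth-port 1812, acct-port 1813
State: current UP, duration 1125s, previous duration 0s
Dead: total time 1257s, count 3
Quarantined: No
Authen: request 48, timeouts 48, failover 0, retransmission 36
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 12
Throttled: transaction 0, timeout 0, failure 0
"""


@dataclass
class RadiusServerStats:
    host: str
    auth_port: int
    state: str
    dead_count: int
    dead_total_s: int
    requests: int
    timeouts: int
    retransmissions: int
    accepts: int
    rejects: int
    challenges: int
    failures: int


def parse_show_aaa_servers(text: str) -> list:
    """Parse every RADIUS server block in IOS 'show aaa servers' output."""
    servers = []
    # Each server block starts with a 'RADIUS: id N' line.
    for block in re.split(r"(?m)^(?=RADIUS: id )", text.strip()):
        if not block.strip():
            continue

        def grab(pattern: str) -> str:
            m = re.search(pattern, block)
            if m is None:
                raise ValueError(f"field {pattern!r} not found in server block")
            return m.group(1)

        servers.append(RadiusServerStats(
            host=grab(r"host (\S+),"),
            auth_port=int(grab(r"auth-port (\d+)")),
            state=grab(r"State: current (\S+),"),
            dead_count=int(grab(r"Dead: total time \d+s, count (\d+)")),
            dead_total_s=int(grab(r"Dead: total time (\d+)s")),
            requests=int(grab(r"Authen: request (\d+)")),
            timeouts=int(grab(r"timeouts (\d+)")),
            retransmissions=int(grab(r"retransmission (\d+)")),
            accepts=int(grab(r"accept (\d+)")),
            rejects=int(grab(r"reject (\d+)")),
            challenges=int(grab(r"challenge (\d+)")),
            failures=int(grab(r"Transaction: success \d+, failure (\d+)")),
        ))
    return servers


def diagnose(s: RadiusServerStats, deadtime_min: int) -> dict:
    """Judge real reachability from the counters rather than the State line.

    Without 'automate-tester', IOS marks a server UP again simply because
    'radius-server deadtime' expired; it does not probe it. So UP together
    with a non-zero dead count and zero responses means the server has
    never actually answered. deadtime_min is the configured
    'radius-server deadtime' value (assumed, passed in by the caller).
    """
    responses = s.accepts + s.rejects + s.challenges
    if s.requests == 0:
        verdict = "no-requests"
    elif responses == 0 and s.timeouts >= s.requests:
        verdict = "unreachable"
    elif s.timeouts > 0:
        verdict = "intermittent"
    else:
        verdict = "healthy"
    avg_dead = s.dead_total_s // s.dead_count if s.dead_count else 0
    return {
        "host": f"{s.host}:{s.auth_port}",
        "verdict": verdict,
        "responses": responses,
        "timeout_ratio": round(s.timeouts / s.requests, 2) if s.requests else 0.0,
        # UP is only evidence of reachability if the server has answered at least once.
        "state_trustworthy": not (s.state == "UP" and s.dead_count > 0 and responses == 0),
        "avg_dead_period_s": avg_dead,
        "configured_deadtime_s": deadtime_min * 60,
    }


if __name__ == "__main__":
    for srv in parse_show_aaa_servers(SHOW_AAA_SERVERS):
        for key, value in diagnose(srv, deadtime_min=10).items():
            print(f"{key:22} {value}")
```

On the sample from this thread the script reports "unreachable" with a timeout ratio of 1.0 and flags the UP state as not trustworthy. It also computes an average dead period of 419 s from "total time 1257s, count 3", well short of the 600 s a "radius-server deadtime 10" would produce, which is consistent with the guess in this reply that the deadtime is not set to 10 minutes.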

 
