I hope someone can help me out here as I am totally stumped!!!
I've recently installed ISE and have gone through the setup and started adding devices with a standard AAA Radius Configuration.
The first one I've done works perectly but any subsequent device I try to add seems to be giving me problems in that when I try to log onto them using either the local-admin account I've configured or my domain account which has also been configured via an AD External ID Source it doesn't log into the device and comes back with
% Authorisation Failed
This is despite using the exact same commands that I used on my original device that is working fine!!
Here is teh config that is applied to both the devices
aaa new-model
Username local-admin privilege 15 password password
aaa group server radius ISE_Servers
server 10.200.1.19 auth-port 1645 acct-port 1646
server 10.200.2.19 auth-port 1645 acct-port 1646
aaa authentication login default group ISE_Servers local
aaa authentication enable default group ISE_Servers enable
aaa authorization exec default group ISE_Servers local if-authenticated
aaa accounting exec default start-stop group ISE_Servers
aaa accounting send stop-record authentication failure
aaa accounting commands 0 default start-stop group ISE_Servers
aaa accounting commands 1 default start-stop group ISE_Servers
aaa accounting commands 15 default start-stop group ISE_Servers
aaa accounting connection default start-stop group ISE_Servers
radius-server host 10.200.1.19 key Th4m3-Acc355
radius-server host 10.200.2.19 key Th4m3-Acc355
I've also run radius debugging which returned the following
083260: 24w1d: RADIUS: Pick NAS IP for u=0x26FC4D4 tableid=0 cfg_addr=0.0.0.0
083261: 24w1d: RADIUS: ustruct sharecount=1
083262: 24w1d: Radius: radius_port_info() success=1 radius_nas_port=1
083263: 24w1d: RADIUS(00000000): Send Access-Request to 10.200.1.19:1645 id 1645/12, len 80
083264: 24w1d: RADIUS: authenticator 37 DE 3F 3F 39 2A 36 20 - FB 2E 43 1C 3D F3 C7 B7
083265: 24w1d: RADIUS: NAS-IP-Address [4] 6 192.168.10.248
083266: 24w1d: RADIUS: NAS-Port [5] 6 2
083267: 24w1d: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
083268: 24w1d: RADIUS: User-Name [1] 11 "$$-jregan"
083269: 24w1d: RADIUS: Calling-Station-Id [31] 13 "10.200.1.19"
083270: 24w1d: RADIUS: User-Password [2] 18 *
083271: 24w1d: RADIUS: Received from id 1645/12 10.200.1.19:1645, Access-Accept, len 159
083272: 24w1d: RADIUS: authenticator E6 CA 66 80 AA E2 39 0F - FE FE 7C 3D 50 A7 17 CC
083273: 24w1d: RADIUS: User-Name [1] 11 "$$-jregan"
083274: 24w1d: RADIUS: State [24] 40
083275: 24w1d: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61 [ReauthSession:0a]
083276: 24w1d: RADIUS: 63 38 30 31 31 33 30 30 30 30 30 30 39 30 35 31 [c801130000009051]
083277: 24w1d: RADIUS: 37 39 34 32 45 33 [7942E3]
083278: 24w1d: RADIUS: Class [25] 57
083279: 24w1d: RADIUS: 43 41 43 53 3A 30 61 63 38 30 31 31 33 30 30 30 [CACS:0ac80113000]
083280: 24w1d: RADIUS: 30 30 30 39 30 35 31 37 39 34 32 45 33 3A 54 4D [00090517942E3:TM]
083281: 24w1d: RADIUS: 2D 56 4D 2D 49 53 45 30 31 2F 31 35 32 31 30 37 [-VM-ISE01/152107]
083282: 24w1d: RADIUS: 35 36 33 2F 36 37 39 [563/679]
083283: 24w1d: RADIUS: Termination-Action [29] 6 1
083284: 24w1d: RADIUS: Vendor, Cisco [26] 25
083285: 24w1d: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
083286: 24w1d: RADIUS: saved authorization data for user 26FC4D4 at 2703008
083287: 24w1d: RADIUS: cisco AVPair "shell:priv-lvl=15"
083288: 24w1d: RADIUS: no appropriate authorization type for user.
008420: 19w4d: RADIUS(00000238): Config NAS IP: 0.0.0.0
008421: 19w4d: RADIUS/ENCODE(00000238): acct_session_id: 55
008422: 19w4d: RADIUS(00000238): sending
008423: 19w4d: RADIUS/ENCODE: Best Local IP-Address 192.168.10.7 for Radius-Server 10.200.1.19
008424: 19w4d: RADIUS(00000238): Send Access-Request to 10.200.1.19:1645 id 1645/79, len 127
008425: 19w4d: RADIUS: authenticator C0 41 17 99 51 1E DE 63 - 7B BB 8F 26 23 A3 A0 C5
008426: 19w4d: RADIUS: User-Name [1] 11 "$$-jregan"
008427: 19w4d: RADIUS: User-Password [2] 18 *
008428: 19w4d: RADIUS: NAS-Port [5] 6 1
008429: 19w4d: RADIUS: NAS-Port-Id [87] 6 "tty1"
008430: 19w4d: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
008431: 19w4d: RADIUS: Calling-Station-Id [31] 14 "192.168.2.51"
008432: 19w4d: RADIUS: State [24] 40
008433: 19w4d: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61 [ReauthSession:0a]
008434: 19w4d: RADIUS: 63 38 30 31 31 33 30 30 30 30 30 30 38 43 35 31 [c801130000008C51]
008435: 19w4d: RADIUS: 37 39 33 46 32 33 [ 793F23]
008436: 19w4d: RADIUS: NAS-IP-Address [4] 6 192.168.10.7
008437: 19w4d: RADIUS: Received from id 1645/79 10.200.1.19:1645, Access-Accept, len 159
008438: 19w4d: RADIUS: authenticator 7D 10 74 E1 96 86 9C FD - 4D C5 E7 5D 54 2B 18 A9
008439: 19w4d: RADIUS: User-Name [1] 11 "$$-jregan"
008440: 19w4d: RADIUS: State [24] 40
008441: 19w4d: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61 [ReauthSession:0a]
008442: 19w4d: RADIUS: 63 38 30 31 31 33 30 30 30 30 30 30 38 43 35 31 [c801130000008C51]
008443: 19w4d: RADIUS: 37 39 33 46 32 33 [ 793F23]
008444: 19w4d: RADIUS: Class [25] 57
008445: 19w4d: RADIUS: 43 41 43 53 3A 30 61 63 38 30 31 31 33 30 30 30 [CACS:0ac80113000]
008446: 19w4d: RADIUS: 30 30 30 38 43 35 31 37 39 33 46 32 33 3A 54 4D [0008C51793F23:TM]
008447: 19w4d: RADIUS: 2D 56 4D 2D 49 53 45 30 31 2F 31 35 32 31 30 37 [-VM-ISE01/152107]
008448: 19w4d: RADIUS: 35 36 33 2F 36 37 36 [ 563/676]
008449: 19w4d: RADIUS: Termination-Action [29] 6 1
008450: 19w4d: RADIUS: Vendor, Cisco [26] 25
008451: 19w4d: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
008452: 19w4d: RADIUS(00000238): Received from id 1645/79
TbS6966#
the debug output for the working device is as follows
008420: 19w4d: RADIUS(00000238): Config NAS IP: 0.0.0.0
008421: 19w4d: RADIUS/ENCODE(00000238): acct_session_id: 55
008422: 19w4d: RADIUS(00000238): sending
008423: 19w4d: RADIUS/ENCODE: Best Local IP-Address 192.168.10.7 for Radius-Server 10.200.1.19
008424: 19w4d: RADIUS(00000238): Send Access-Request to 10.200.1.19:1645 id 1645/79, len 127
008425: 19w4d: RADIUS: authenticator C0 41 17 99 51 1E DE 63 - 7B BB 8F 26 23 A3 A0 C5
008426: 19w4d: RADIUS: User-Name [1] 11 "$$-jregan"
008427: 19w4d: RADIUS: User-Password [2] 18 *
008428: 19w4d: RADIUS: NAS-Port [5] 6 1
008429: 19w4d: RADIUS: NAS-Port-Id [87] 6 "tty1"
008430: 19w4d: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
008431: 19w4d: RADIUS: Calling-Station-Id [31] 14 "192.168.2.51"
008432: 19w4d: RADIUS: State [24] 40
008433: 19w4d: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61 [ReauthSession:0a]
008434: 19w4d: RADIUS: 63 38 30 31 31 33 30 30 30 30 30 30 38 43 35 31 [c801130000008C51]
008435: 19w4d: RADIUS: 37 39 33 46 32 33 [ 793F23]
008436: 19w4d: RADIUS: NAS-IP-Address [4] 6 192.168.10.7
008437: 19w4d: RADIUS: Received from id 1645/79 10.200.1.19:1645, Access-Accept, len 159
008438: 19w4d: RADIUS: authenticator 7D 10 74 E1 96 86 9C FD - 4D C5 E7 5D 54 2B 18 A9
008439: 19w4d: RADIUS: User-Name [1] 11 "$$-jregan"
008440: 19w4d: RADIUS: State [24] 40
008441: 19w4d: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61 [ReauthSession:0a]
008442: 19w4d: RADIUS: 63 38 30 31 31 33 30 30 30 30 30 30 38 43 35 31 [c801130000008C51]
008443: 19w4d: RADIUS: 37 39 33 46 32 33 [ 793F23]
008444: 19w4d: RADIUS: Class [25] 57
008445: 19w4d: RADIUS: 43 41 43 53 3A 30 61 63 38 30 31 31 33 30 30 30 [CACS:0ac80113000]
008446: 19w4d: RADIUS: 30 30 30 38 43 35 31 37 39 33 46 32 33 3A 54 4D [0008C51793F23:TM]
008447: 19w4d: RADIUS: 2D 56 4D 2D 49 53 45 30 31 2F 31 35 32 31 30 37 [-VM-ISE01/152107]
008448: 19w4d: RADIUS: 35 36 33 2F 36 37 36 [ 563/676]
008449: 19w4d: RADIUS: Termination-Action [29] 6 1
008450: 19w4d: RADIUS: Vendor, Cisco [26] 25
008451: 19w4d: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
008452: 19w4d: RADIUS(00000238): Received from id 1645/79
If anyone has experienced this before or know of a document that can assist I would be eternally grateful
Thanks
