cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4464
Views
0
Helpful
9
Replies

ASA aaa-server to ISE

Madura Malwatte
Level 4
Level 4

I am trying to get my ASA added to ISE as a network device, but having issues with the aaa-server config and output.

 

Here is the config I have:

aaa-server ISE protocol radius
authorize-only
interim-accounting-update
merge-dacl before-avpair
dynamic-authorization

aaa-server ISE (inside) host 10.10.10.2
key *****
authentication-port 1812
accounting-port 1813
radius-common-pw *****
aaa-server ISE (inside) host10.10.10.3
key *****
authentication-port 1812
accounting-port 1813
radius-common-pw *****

 

ASA01# show aaa-server ISE
Server Group: ISE
Server Protocol: radius
Server Address: 10.10.10.2
Server port: 1812(authentication), 1813(accounting)
Server status: FAILED, Server disabled at 04:20:23 UTC Tue Apr 9 2019
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 39
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 39
Number of unrecognized responses 0

 

Server Group: ISE
Server Protocol: radius
Server Address:10.10.10.3
Server port: 1812(authentication), 1813(accounting)
Server status: ACTIVE, Last transaction at 04:19:42 UTC Tue Apr 9 2019
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 37
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 37
Number of unrecognized responses 0

 

Weird thing is one say active the other failed. Both seems to have failed though. And the authentication requests don't increment at all, its been stuck at that value for a while. Last transaction was over a week ago. Do I need to configure the timeout value to get the requests going again? And why would it say active but last transaction is from Apr 9 and no requests incrementing?

9 Replies 9

Seb Rupik
VIP Alumni
VIP Alumni

Hi there,

Please can you share your AAA method configuration from the ASA:

sh run | inc aaa

 

cheers,

Seb.

Sure here it is:

ASA01# show run | inc aaa
aaa-server Other protocol tacacs+
aaa-server Other (management) host 10.11.1.1
aaa-server Other (management) host 10.11.1.2
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.10.10.2
aaa-server ISE (inside) host 10.10.10.3
aaa authentication ssh console Other LOCAL
aaa authentication enable console Other LOCAL
aaa authentication http console Other LOCAL
authentication aaa certificate

You are not listing the ISE server group in any of your AAA methods. 

What are you planing on using ISE for? VPN authentication?

 

cheers,

Seb.

Yes, its going to be used for VPN authentication and posture.

These documents do not mention anything about having ISE server group in AAA methods:

ASA Version 9.2.1 VPN Posture with ISE Configuration Example

How To: ISE and ASA Integration using CoA for Posture

Which document should I be using for configuring the ASA for deployment with ISE?

That's correct. That's why i asked in absence of the AAA methods what you were planning using ISE for.

 

Can you share the relevant VPN configuration that you have made?

I haven't done the VPN config yet. I was assuming that when you configure the ISE as aaa-server the ASA will start sending the radius packets to it? As I have added the ASA as network device into ISE, but can't tell if it is sending the radius packets yet? Hence the output of show aaa-servers is quite unclear. I mean I can do a packet capture on ISE, but wanted to know if we should at least see the ASA sending some requests in the show aaa-servers output.

This assumption is incorrect. What you have done is only define the AAA-server. You would need to either do a "test aaa authentication" or actually configure this aaa-server as AAA authentication server under the tunnel-group. When a VPN user authenticates, the request is then sent to the ISE. 

Hi Rahul, I meant to say radius packets as in some probes. But I understand now to do that we have to use the test aaa command. So comes back to my the show output I shared where one ISE server is marked as "FAILED" while the other is "ACTIVE", how does ASA determine these states? For the active server last transaction was April 9th. And the failed server shows "Server disabled"...

Hi @Seb Rupik were you able to take a look at what I can try to get this working?

Review Cisco Networking for a $25 gift card