Cisco ISE Radius Proxy

stewartgray
Level 1

Hello, I'm trying to setup our ISE cluster so (in addition to what it already does) it can act as a radius proxy. I have read a number of guides and have:

1) Defined the external Radius server

2) Created an Radius Server Sequence

3) Defined the Radius Server Sequence in a policy (where you usually select allowed protocols).

When using a radius client to test the access, I can confirm it is matching the authentication policy that has the radius server sequence. Checking the logs, I can see an error stating:

Event 5405 RADIUS Request dropped
Failure Reason 11353 No more external RADIUS servers; can't perform failover

It sounds like an issue between the ISE and the radius servers defined, right? I have done packet captures on the radius servers and there is no traffic from the ISEs whatsoever. They simply are not forwarding these requests.

Am I missing something?

We are running 2.0.1.130. 2 nodes as admin, 2 as policy.

Any help or suggestions would be greatly appreciated.


jan.nielsen
Level 7

Firewalls between your ISE servers and the other radius servers? Routing issues? NAT'ing?

Are you running old style ports 1645 or 1812?

No firewalls or NAT. ISE, Radius Proxy, and Radius Client are all in our LAN environment. Routing verified by the fact that each system can ping each other.

I tried both the old and new ports and this doesn't make any difference.

Ok, actually from looking in the log you attached it looks like ISE is actually getting a response, but it's invalid. Maybe try to use the ISE servers' tcpdump function, see what ISE thinks is going on. Also double check secret keys on both ends.
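Jan's "double check secret keys" advice can be exercised offline. The Python below is an added example (not from this thread, not Cisco's code): it builds an RFC 2865 Access-Request and validates a reply's Response Authenticator against a shared secret; a reply signed with a different secret fails the check, which is exactly the "response received but invalid" condition a RADIUS proxy logs. The secret, username and password are constructed test values.

```python
import hashlib
import hmac
import struct

SECRET = b"testing123"  # constructed test value, not a real deployment secret

def encrypt_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: null-pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password or b"\x00"
    padded += b"\x00" * (-len(padded) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def decrypt_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of encrypt_user_password; the chaining input is the previous ciphertext block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username: bytes, password: bytes, secret: bytes, ident: int, req_auth: bytes) -> bytes:
    """Code 1 = Access-Request; header is Code, Identifier, Length, 16-byte Request Authenticator."""
    attrs = bytes([1, 2 + len(username)]) + username            # User-Name (type 1)
    hidden = encrypt_user_password(password, secret, req_auth)
    attrs += bytes([2, 2 + len(hidden)]) + hidden               # User-Password (type 2)
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code: int, ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What a server (or proxy target) sends back; code 2 = Access-Accept, 3 = Access-Reject."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + req_auth + attrs + secret).digest()  # RFC 2865 section 3
    return header + auth + attrs

def response_authenticator_valid(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """True only if the reply was signed with the same secret the client holds."""
    if len(response) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Run the check against a capture from the ISE tcpdump: a reply that fails with the secret configured under the external RADIUS server object but passes with another points at a secret mismatch rather than a routing problem.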

It's not possible that ISE has received a response, certainly not from the external radius server anyway (because I have done packet captures and the external radius box receives no requests). I wasn't aware that there was tcpdump on the ISE itself so I will give this a go to see what it sees. I will let you know how I get on. Thanks

I've done that tcpdump from the ISE node and as I'd presumed, the ISE is not forwarding the radius request to the external radius server.

So the question is why it is not even attempting to forward these requests?

I have tried several radius sources to rule out the source of the first radius packet as being the problem.

When you captured from ISE, did you specify the PSN as the node from which to capture?

If the PSN isn't sending the requests, I'd recommend a TAC case to have them look at your setup interactively.

I can verify that the feature of external RADIUS servers works. I have used it for several edu deployments that use the eduroam service.

I have also used the radius proxy but on earlier versions of ISE. I have raised a TAC case through our provider and am hoping they will be able to get this working for me.

Hi Stewart - Did you ever resolve this issue? I have a similar issue, where the ISE installation matches the rule for external RADIUS sequence, but we never see the traffic towards the external RADIUS servers coming out of any of the ISE boxes.

We also see the "Failure Reason 11353 No more external RADIUS servers; can't perform failover", and we're running 2.0.1 in a 4 node setup (admin, monitor, and 2 PSN)

This is kind of obvious, but when you define the radius server sequence do you select the server under *Selected*?

sdoherty - I can see why you ask since it could be forgotten, but yes, this is already done.

I agree with Jan.

The two RADIUS servers are talking - just not establishing a valid connection which is a prerequisite for any authentication. A packet capture should highlight the specific issue.

Have you contacted the admin of the external RADIUS server to check what they are seeing?

I'm the admin of the servers, and my initial post stated that I have already done packet captures. The only time I see traffic on the external radius server is when I run a ping - I see icmp packets straight away. Otherwise, there is no traffic from ISE - not during creation of the external radius server object or moments where it should be forwarding these. Cheers

Om Om
Level 1

I have configured ISE as a radius proxy but it is not working. ISE is proxying radius requests to Microsoft MFA. Attached the error. Could anybody help with this?
