Beginner

Cisco ISE rejected network device

Hello

I hope somebody can help.

We use Cisco ISE 2.1.

Normally new network devices are simply created (IP, Name, Shared Secret, Group) and it works.

But our new Citrix Netscaler causes some problems.

The Netscaler does not send any requests to ISE.

The Netscaler has a function called test; in a packet trace I can see that ISE sends a reject back.

But Citrix Netscaler says successful.

Is it normal that ISE sends a reject back in a test scenario without any username?

If the Netscaler sends a request with a username, ISE does not get any packet. Citrix says the RADIUS server does not support authentication functionality.

Can anybody help?


Many thanks and greetings

Marco

VIP Advocate

Re: Cisco ISE rejected network device

Hi


The best thing to do here is to go to your ISE PAN node and perform a TCPDump and then share it with this forum. A packet capture says a thousand words!!!  Be sure to perform the TCPDump on the PSN node that the Netscaler is talking to, and take care of which interface on the PSN (if you have enabled more than one interface).

Operations > Troubleshoot > Diagnostic Tools > TCP Dump

By default ISE will send an Access-Reject if the authentication didn't succeed.  This is just a setting and it makes logical sense.  There are cases where you want to send an Access-Accept in the case of a failed authentication (e.g. MAC auth for Guest WebAuth).  But I don't know what your use case is.

ISE is probably sending back Access-Reject because the RADIUS request was malformed, i.e. it didn't contain a User-Name attribute (if I understand your problem?).   I am a bit confused by your description.

Are you trying to implement a health monitor (health check) for the Netscaler?  What does the Access-Request from the Netscaler look like (please send us a Wireshark capture of the conversation)?

ISE needs to have the Netscaler configured as a NAD and of course the Source IP of the Netscaler has to match (not the NAS-IP-Address!!! The Netscaler's UDP packets' Source IP address !!!) - then of course the usual stuff like the shared secret has to match between Netscaler and ISE.

If it's a PAP authentication then make sure PAP is an allowed protocol.

And then it's a matter of building an auth policy to validate the User-Name and Password from internal users perhaps?

And then create an Authorization Policy to send either Access-Accept or Access-Reject based on the AuthN that just passed.  All depends on what Netscaler expects as its preferred result.
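To make the points above concrete (a request with no User-Name gets rejected, and ISE matches the network device on the UDP source address rather than on NAS-IP-Address), here is an added Python checker that decodes a captured RADIUS Access-Request and reports which of those conditions it hits. This is example code, not part of the thread or of ISE; the packets, the IP addresses and the set of configured NAD addresses are constructed for the demonstration.

```python
import struct
import ipaddress

# RADIUS constants from RFC 2865
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4


def parse_radius(packet: bytes) -> dict:
    """Decode the 20-byte RADIUS header and the attribute list that follows it."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match datagram size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}


def check_access_request(packet: bytes, src_ip: str, nad_ips: set) -> list:
    """Return the findings that would explain an Access-Reject or a silently dropped request."""
    parsed = parse_radius(packet)
    findings = []
    if parsed["code"] != CODE_ACCESS_REQUEST:
        findings.append("not an Access-Request (code %d)" % parsed["code"])
    if ATTR_USER_NAME not in {t for t, _ in parsed["attrs"]}:
        findings.append("no User-Name attribute: nothing to authenticate, expect Access-Reject")
    if src_ip not in nad_ips:
        findings.append("UDP source %s is not a configured network device" % src_ip)
    for atype, value in parsed["attrs"]:
        nas_ip = str(ipaddress.IPv4Address(value)) if atype == ATTR_NAS_IP_ADDRESS else None
        if nas_ip and nas_ip != src_ip:
            findings.append("NAS-IP-Address %s differs from UDP source %s" % (nas_ip, src_ip))
    return findings


def build_request(ident: int, attrs: list) -> bytes:
    """Build a constructed Access-Request (zeroed authenticator) for testing the checker."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body


# Constructed samples: a "test" probe with no User-Name, and a normal request from a
# Netscaler at 192.0.2.10 that is configured as a NAD in ISE.
NAD_IPS = {"192.0.2.10"}
PROBE = build_request(1, [(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))])
NORMAL = build_request(2, [(ATTR_USER_NAME, b"nsmon"), (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))])
```

Feed the checker the UDP payload and source address from the TCPDump taken on the PSN; an empty list means none of the three conditions from the reply applies and the policy set is the next place to look.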

Beginner

Re: Cisco ISE rejected network device

A trace was very helpful.

Within the packet it was seen that an undefined username was used. The username is fixed in the test scenario and cannot be changed (not really useful).

In the ISE log this was not visible because of too many requests.

Can I filter the ISE log field Network Device by IP Address?

In our case I can only filter by device name like H_SWITCH.