Authenticate my switch using ISE server

schadracpierre
Level 1

Hello everyone,

I am trying to configure my switch so everyone who has an account on my AD can log in using the ISE authentication server. I use DMVPN from my spokes to the hub. All my spoke routers and hub devices are well configured and can use my ISE to log in, except my switches behind my spoke routers. Here is the configuration on one switch:

SPOKE-3-CORE#sh run
Building configuration...

Current configuration : 3139 bytes
!
! Last configuration change at 13:58:14 UTC Tue Sep 19 2023 by test
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SPOKE-3-CORE
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$f7H2$UCn.F1lPhqTRgQeH8wJts.
!
username test privilege 15 secret 5 $1$P1pM$xKL/W5qLN.ZWbtOqFZsCC1
aaa new-model
!
!
aaa group server radius ISE
server 10.10.10.12
ip radius source-interface Loopback10
!
aaa authentication login default local group ISE
aaa authentication dot1x default group ISE
aaa authorization console
aaa authorization exec default local group ISE
aaa authorization network default group ISE
aaa accounting update newinfo
aaa accounting dot1x default start-stop group ISE
aaa accounting exec default start-stop group ISE
!
aaa server radius dynamic-author
client 10.10.10.12 server-key C!sc0
!
aaa session-id common
!
ip dhcp excluded-address 10.10.13.9 10.10.13.12
ip dhcp excluded-address 10.10.13.17 10.10.13.20
ip dhcp excluded-address 10.10.13.25 10.10.13.28
!
ip dhcp pool DATA
network 10.10.13.8 255.255.255.248
default-router 10.10.13.9
domain-name techplus.edu.org
dns-server 10.10.10.10 8.8.8.8
option 150 ip 10.10.13.9
lease 0 8
!
ip dhcp pool VoIP
network 10.10.13.16 255.255.255.248
default-router 10.10.13.17
domain-name techplus.edu.org
dns-server 10.10.10.10 8.8.8.8
option 150 ip 10.10.13.17
lease 0 8
!
ip dhcp pool IT
network 10.10.13.24 255.255.255.248
default-router 10.10.13.25
domain-name techplus.edu.org
dns-server 10.10.10.10 8.8.8.8
option 150 ip 10.10.13.25
lease 0 8
!
!
no ip domain-lookup
ip domain-name techplus.edu.org
ip cef
no ipv6 cef
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
interface Loopback10
ip address 10.3.255.9 255.255.255.255
!
interface Ethernet0/0
description "Interface towards the router"
no switchport
ip address 10.10.13.2 255.255.255.252
!
interface Ethernet0/1
switchport access vlan 10
switchport mode access
!
interface Ethernet0/2
switchport access vlan 20
switchport mode access
!
interface Ethernet0/3
switchport access vlan 30
switchport mode access
!
interface Vlan10
ip address 10.10.13.9 255.255.255.248
!
interface Vlan20
ip address 10.10.13.17 255.255.255.248
!
interface Vlan30
ip address 10.10.13.25 255.255.255.248
!
!
router eigrp 10
network 10.0.0.0 255.255.0.0
network 192.168.1.0 255.255.255.0
!
ip forward-protocol nd
!
ip http server
!
ip route 0.0.0.0 0.0.0.0 10.10.13.1
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
ip radius source-interface Loopback10
!
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
!
radius server ISE
address ipv4 10.10.10.12 auth-port 1812 acct-port 1813
key C!sc0
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
!
monitor session 1 source interface Et0/0
!
!
end


Please provide any thoughts you think might help.

TIA

Accepted Solution

schadracpierre
Level 1

I found the error and fixed it. The issue was the bandwidth on the tunnel.

Changed the source interface to ethernet 0/0, and under the tunnel interface I changed the bandwidth to 85k:

interface tunnel 10
bandwidth 85000


17 Replies

Richard Burts
Hall of Fame

Here are some things that might help identify the issue:

- can you confirm IP connectivity to the address of the ISE server using the address of the loopback interface as the source?

- can you confirm that the ISE server does have a correct configuration for this client (using the loopback address)?

- when you attempt access on the switch are any log messages generated on the ISE server? If so what are they?

- you might try reversing the order in this

aaa authentication login default local group ISE

so that local is the later alternative.

- if all else fails run debug for authentication and post the output.

HTH

Rick

Hello Richard,

Thanks for replying to me! Please see the response to your questions above.

- can you confirm IP connectivity to the address of the ISE server using the address of the loopback interface as the source?

R- Yes.     

SPOKE-3-CORE#ping 10.10.10.12 source loopback 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.12, timeout is 2 seconds:
Packet sent with a source address of 10.3.255.9
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/6 ms
SPOKE-3-CORE#

- can you confirm that the ISE server does have a correct configuration for this client (using the loopback address)?

R- Yes. I configured it with the loopback IP address, but for my routers I used my tunnel IP and all of them work just fine.

- when you attempt access on the switch are any log messages generated on the ISE server? If so what are they?

R- Yes, but just on the first attempt to log in.

*Sep 20 16:01:38.511: %RADIUS-3-NOSERVERS: No Radius hosts configured or no valid server present in the server group ISE

- you might try reversing the order in this

aaa authentication login default local group ISE

so that local is the later alternative.

R- I already did... I did it because sometimes my ISE server takes too long to boot, since I am on a lab environment, I said it doesn't matter too much to have local first.

- if all else fails run debug for authentication and post the output.

R- This is what I can see when I tried to use ISE:

*Sep 20 16:17:13.263: AAA/BIND(0000000D): Bind i/f
*Sep 20 16:17:13.263: AAA/AUTHEN/LOGIN (0000000D): Pick method list 'default'
Hello Richard,

Now, after changing something on my AAA and radius, this is what I got:

*Sep 20 23:24:07.693: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.10.10.12:1812,1813 is not responding.
*Sep 20 23:24:07.693: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.10.10.12:1812,1813 is being marked alive.
% Authentication failed

But I used to have that on other equipment I used to log in to as well, just to let you know.

These messages are interesting. Is the device at 10.10.10.12 your Radius/ISE server? When you attempt to authenticate with that server are any log messages generated on that server?

HTH

Rick

Is the device at 10.10.10.12 your Radius/ISE server?

Yes it is.

When you attempt to authenticate with that server are any log messages generated on that server?

No. Last message from Sept 20, 2023.

network 10.0.0.0 255.255.0.0

Change the mask to be 255.0.0.0 and check again.

Hello MHM,

I don't have issues with connectivity, I can ping from any source to any destination.

Ok, if reachability is not the issue, then why do you add local before the ISE server for login?

Because sometimes my ISE server takes too long to boot. I am on a lab environment. 

Ok.

You use group ISE in the auth login command and you have only one server. Instead use group radius (without ISE).

Well, I was looking to make it work. I changed it to group and it still does not work, while my spoke router works fine.

Use group radius, not only radius.

Hello
Your AAA is looking at local authentication first instead of the radius (ISE):

aaa authentication login default local group ISE
aaa authorization exec default local group ISE

try...

aaa authentication login default group ISE local
aaa authorization exec default group ISE local


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
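As an added illustration that is not part of the thread, a small Python linter that applies the two consistency checks the replies raise to the switch config pasted above: whether `local` precedes the RADIUS group in the login method list, and whether the group actually resolves to a defined server. It assumes the IOS convention that a `radius server <name>` block is referenced from a server group with `server name <name>`, while a bare `server <ip>` member refers to a legacy `radius-server host` entry; the sample config is a constructed excerpt of the original, re-indented.

```python
import re
# Constructed sample input: AAA/RADIUS lines from the config posted above, re-indented as IOS prints sub-commands.
SAMPLE_CONFIG = """\
aaa group server radius ISE
 server 10.10.10.12
aaa authentication login default local group ISE
radius server ISE
 address ipv4 10.10.10.12 auth-port 1812 acct-port 1813
"""

def parse(text):
    # groups: name -> members; legacy_hosts: radius-server host IPs; named: radius server name -> IP
    groups, legacy_hosts, named, lists, block = {}, set(), {}, {}, None
    for line in text.splitlines():
        words = line.split()
        if line.startswith(" ") and block:  # sub-command of the open group/server block
            kind, name = block
            if kind == "group" and words[:2] == ["server", "name"]:
                groups[name]["name"].append(words[2])  # new-style member: server name X (assumed convention)
            elif kind == "group" and words[:1] == ["server"]:
                groups[name]["ip"].append(words[1])  # legacy member: server <ip>
            elif kind == "server" and words[:2] == ["address", "ipv4"]:
                named[name] = words[2]
            continue
        block = None
        if m := re.match(r"aaa group server radius (\S+)", line):
            block, groups[m[1]] = ("group", m[1]), {"ip": [], "name": []}
        elif m := re.match(r"radius server (\S+)", line):
            block, named[m[1]] = ("server", m[1]), None
        elif m := re.match(r"radius-server host (\S+)", line):
            legacy_hosts.add(m[1])
        elif m := re.match(r"aaa authentication login (\S+) (.+)", line):
            lists[m[1]] = m[2].split()
    return groups, legacy_hosts, named, lists

def lint(text):
    groups, legacy_hosts, named, lists = parse(text)
    findings = []
    for list_name, methods in lists.items():
        if "local" in methods and "group" in methods and methods.index("local") < methods.index("group"):
            findings.append(f"{list_name}: 'local' precedes the RADIUS group, so the local database is tried first")
        for i, tok in enumerate(methods[:-1]):
            g = methods[i + 1]
            if tok != "group" or g == "radius":  # 'group radius' is the built-in group of all servers
                continue
            grp = groups.get(g, {"ip": [], "name": []})
            members = [ip for ip in grp["ip"] if ip in legacy_hosts] + [n for n in grp["name"] if named.get(n)]
            if not members:
                findings.append(f"{list_name}: group '{g}' has no resolvable member (compare %RADIUS-3-NOSERVERS)")
    return findings
```

Run against the sample it reports both findings; against a config with `server name ISE` in the group and `group ISE local` in the method list it reports none.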

Hello Paul,

It was actually like that before I changed it to local first. I changed it because my ISE server takes too long to boot. I am in a lab environment.
