09-19-2023 07:14 AM - last edited on 10-16-2023 04:45 AM by Translator
Hello everyone,
I am trying to configure my switch so everyone who has an account on my AD can log in using the ISE authentication server. I use DMVPN between my spokes and the hub. All my spoke routers and hub devices are well configured and can use my ISE to log in, except my switches behind my spoke routers. Here is the configuration of one switch:
SPOKE-3-CORE#sh run
Building configuration...
Current configuration : 3139 bytes
!
! Last configuration change at 13:58:14 UTC Tue Sep 19 2023 by test
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SPOKE-3-CORE
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$f7H2$UCn.F1lPhqTRgQeH8wJts.
!
username test privilege 15 secret 5 $1$P1pM$xKL/W5qLN.ZWbtOqFZsCC1
aaa new-model
!
!
aaa group server radius ISE
server 10.10.10.12
ip radius source-interface Loopback10
!
aaa authentication login default local group ISE
aaa authentication dot1x default group ISE
aaa authorization console
aaa authorization exec default local group ISE
aaa authorization network default group ISE
aaa accounting update newinfo
aaa accounting dot1x default start-stop group ISE
aaa accounting exec default start-stop group ISE
!
aaa server radius dynamic-author
client 10.10.10.12 server-key C!sc0
!
aaa session-id common
!
ip dhcp excluded-address 10.10.13.9 10.10.13.12
ip dhcp excluded-address 10.10.13.17 10.10.13.20
ip dhcp excluded-address 10.10.13.25 10.10.13.28
!
ip dhcp pool DATA
network 10.10.13.8 255.255.255.248
default-router 10.10.13.9
domain-name techplus.edu.org
dns-server 10.10.10.10 8.8.8.8
option 150 ip 10.10.13.9
lease 0 8
!
ip dhcp pool VoIP
network 10.10.13.16 255.255.255.248
default-router 10.10.13.17
domain-name techplus.edu.org
dns-server 10.10.10.10 8.8.8.8
option 150 ip 10.10.13.17
lease 0 8
!
ip dhcp pool IT
network 10.10.13.24 255.255.255.248
default-router 10.10.13.25
domain-name techplus.edu.org
dns-server 10.10.10.10 8.8.8.8
option 150 ip 10.10.13.25
lease 0 8
!
!
no ip domain-lookup
ip domain-name techplus.edu.org
ip cef
no ipv6 cef
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
interface Loopback10
ip address 10.3.255.9 255.255.255.255
!
interface Ethernet0/0
description "Interface towards the router"
no switchport
ip address 10.10.13.2 255.255.255.252
!
interface Ethernet0/1
switchport access vlan 10
switchport mode access
!
interface Ethernet0/2
switchport access vlan 20
switchport mode access
!
interface Ethernet0/3
switchport access vlan 30
switchport mode access
!
interface Vlan10
ip address 10.10.13.9 255.255.255.248
!
interface Vlan20
ip address 10.10.13.17 255.255.255.248
!
interface Vlan30
ip address 10.10.13.25 255.255.255.248
!
!
router eigrp 10
network 10.0.0.0 255.255.0.0
network 192.168.1.0 255.255.255.0
!
ip forward-protocol nd
!
ip http server
!
ip route 0.0.0.0 0.0.0.0 10.10.13.1
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
ip radius source-interface Loopback10
!
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
!
radius server ISE
address ipv4 10.10.10.12 auth-port 1812 acct-port 1813
key C!sc0
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
!
monitor session 1 source interface Et0/0
!
!
end
Please provide any thoughts you think might help.
TIA
10-05-2023 04:48 PM - last edited on 10-17-2023 03:01 AM by Translator
I found the error and fixed it. The issue was the bandwidth on the tunnel.
I changed the source interface to Ethernet 0/0 and, under the tunnel interface, changed the bandwidth to 85k:
interface tunnel 10
bandwidth 85000
09-20-2023 08:33 AM - last edited on 10-17-2023 02:42 AM by Translator
Here are some things that might help identify the issue:
- can you confirm IP connectivity to the address of the ISE server using the address of the loopback interface as the source?
- can you confirm that the ISE server does have a correct configuration for this client (using the loopback address)?
- when you attempt access on the switch are any log messages generated on the ISE server? If so what are they?
- you might try reversing the order in this
aaa authentication login default local group ISE
so that local is the later alternative.
- if all else fails run debug for authentication and post the output.
09-20-2023 09:19 AM - last edited on 10-17-2023 03:07 AM by Translator
Hello Richard,
Thanks for replying to me! Please see the response to your questions above.
- can you confirm IP connectivity to the address of the ISE server using the address of the loopback interface as the source?
R- Yes.
SPOKE-3-CORE#ping 10.10.10.12 source loopback 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.12, timeout is 2 seconds:
Packet sent with a source address of 10.3.255.9
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/6 ms
SPOKE-3-CORE#
- can you confirm that the ISE server does have a correct configuration for this client (using the loopback address)?
R- Yes. I configured it with the loopback IP address, but for my routers I used my tunnel IP and all of them work just fine.
- when you attempt access on the switch are any log messages generated on the ISE server? If so what are they?
R- Yes, but only on the first attempt to log in.
*Sep 20 16:01:38.511: %RADIUS-3-NOSERVERS: No Radius hosts configured or no valid server present in the server group ISE
- you might try reversing the order in this
aaa authentication login default local group ISE
so that local is the later alternative.
R- I already did... I did it because sometimes my ISE server takes too long to boot; since I am in a lab environment, I decided it doesn't matter too much to have local first.
- if all else fails run debug for authentication and post the output.
R- This is what I can see when I tried to use ISE:
*Sep 20 16:17:13.263: AAA/BIND(0000000D): Bind i/f
*Sep 20 16:17:13.263: AAA/AUTHEN/LOGIN (0000000D): Pick method list 'default'
09-20-2023 04:26 PM - last edited on 10-16-2023 05:04 AM by Translator
Hello Richard,
Now, after changing something in my AAA and RADIUS configuration, this is what I got:
*Sep 20 23:24:07.693: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.10.10.12:1812,1813 is not responding.
*Sep 20 23:24:07.693: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.10.10.12:1812,1813 is being marked alive.
% Authentication failed
But I used to get that on other equipment I logged in to as well, just to let you know.
09-20-2023 09:51 PM - last edited on 10-17-2023 03:17 AM by Translator
These messages are interesting. Is the device at 10.10.10.12 your RADIUS/ISE server? When you attempt to authenticate with that server, are any log messages generated on that server?
09-21-2023 06:25 AM - last edited on 10-17-2023 03:18 AM by Translator
Is the device at 10.10.10.12 your RADIUS/ISE server?
Yes, it is.
When you attempt to authenticate with that server, are any log messages generated on that server?
No. The last message is from Sept 20, 2023.
09-20-2023 08:46 AM - last edited on 10-16-2023 05:05 AM by Translator
network 10.0.0.0 255.255.0.0
Change the mask to 255.0.0.0 and check again.
09-20-2023 09:21 AM - last edited on 10-16-2023 05:07 AM by Translator
Hello MHM,
I don't have issues with connectivity; I can ping from any source to any destination.
09-20-2023 09:27 AM
OK, if reachability is not the issue, then why did you add local before the ISE server for login?
09-20-2023 09:39 AM
Because sometimes my ISE server takes too long to boot. I am in a lab environment.
09-20-2023 09:49 AM - last edited on 10-17-2023 02:57 AM by Translator
OK. You use group ISE in the auth login command and you have only one server. Instead, use group radius (without ISE).
09-20-2023 10:04 AM
Well, I was looking to make it work. I changed it to group and it still does not work, while my spoke router works fine.
09-20-2023 10:17 AM - last edited on 10-17-2023 02:48 AM by Translator
Use group radius, not only radius.
09-20-2023 12:59 PM - last edited on 10-17-2023 02:52 AM by Translator
Hello
Your AAA is looking at local authentication first instead of the RADIUS (ISE) server:
aaa authentication login default local group ISE
aaa authorization exec default local group ISE
Try...
aaa authentication login default group ISE local
aaa authorization exec default group ISE local
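As an added illustration (not code from any poster), a small Python linter over the AAA lines quoted in this thread: it flags the local-before-RADIUS ordering that Richard and Paul point out, and cross-checks that every legacy `server <ip>` entry in a server group has a matching `radius server` block with that address. The IOS lines and the 10.10.10.12 address come from the posted configuration; the parsing rules are my own reading of the syntax.

```python
import re

# Constructed excerpt of the AAA lines from the posted switch configuration.
SAMPLE_CONFIG = """\
aaa group server radius ISE
 server 10.10.10.12
 ip radius source-interface Loopback10
aaa authentication login default local group ISE
aaa authentication dot1x default group ISE
aaa authorization exec default local group ISE
radius server ISE
 address ipv4 10.10.10.12 auth-port 1812 acct-port 1813
 key C!sc0
"""

METHOD_LINE = re.compile(r"^aaa (authentication|authorization) (\S+) (\S+) (.+)$", re.M)

def parse_method_lists(config):
    """Map (kind, service, list) -> ordered methods, e.g. ['local', 'group ISE']."""
    lists = {}
    for kind, service, name, rest in METHOD_LINE.findall(config):
        tokens, methods = rest.split(), []
        while tokens:
            tok = tokens.pop(0)
            # 'group <name>' is one method; local, enable, none are single tokens
            methods.append(f"group {tokens.pop(0)}" if tok == "group" and tokens else tok)
        lists[(kind, service, name)] = methods
    return lists

def parse_group_servers(config):
    """Map server-group name -> set of legacy 'server <ip>' addresses in that stanza."""
    groups, current = {}, None
    for line in config.splitlines():
        if line.startswith("aaa group server radius "):
            current = line.split()[-1]
            groups[current] = set()
        elif current and line.startswith(" server ") and not line.startswith(" server name"):
            groups[current].add(line.split()[1])
        elif not line.startswith(" "):
            current = None  # left the indented stanza
    return groups

def lint(config):
    """Findings: 'local' ahead of a RADIUS group, and group servers with no 'radius server' block."""
    findings = []
    for (kind, service, name), methods in parse_method_lists(config).items():
        groups = [m for m in methods if m.startswith("group ")]
        if "local" in methods and groups and methods.index("local") < methods.index(groups[0]):
            findings.append(f"{kind} {service} {name}: 'local' is tried before '{groups[0]}'")
    defined = set(re.findall(r"^ address ipv4 (\S+)", config, re.M))
    for group, servers in parse_group_servers(config).items():
        for ip in sorted(servers - defined):
            findings.append(f"group {group}: server {ip} has no 'radius server' block with that address")
    return findings
```

Running `lint(SAMPLE_CONFIG)` reports the two method lists where local precedes group ISE and nothing for the server group, since 10.10.10.12 is defined under `radius server ISE`.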
09-20-2023 01:48 PM
Hello Paul,
It was actually like that before I changed it to local first. I changed it because my ISE server takes too long to boot. I am in a lab environment.