03-27-2020 05:58 AM
Hi All,
We use MAB on 2960X stacks (15.2(7)E2) and 4500E-7L (3.11.2E based on 15.2(7)E2) switches.
After the upgrade from 15.2(7)E1 to 15.2(7)E2 we have an issue with automate-tester. The switch is testing far_ISE all the time.
I made a short test and temporarily denied near_ISE on the FW, then opened it again; in this situation the switch is testing near_ISE and far_ISE authenticates the user. It seems to be an issue in the software. The RADIUS server is working but automate-tester can't refresh the status (still testing for the dummy user).
radius server near_ISE
 address ipv4 10.x.x.x auth-port 1812 acct-port 1813
 timeout 3
 retransmit 1
 automate-tester username dummy ignore-acct-port probe-on
 key 7 *****
!
radius server far_ISE
 address ipv4 10.y.y.y auth-port 1812 acct-port 1813
 timeout 3
 retransmit 1
 automate-tester username dummy ignore-acct-port probe-on
 key 7 *****
!
Has anyone else encountered this issue?
03-30-2020 09:12 AM
Hi,
Based on the IOS version you're running, with the "probe-on" set, the automated tester should send probes only when the RADIUS server is DEAD. Is this behaviour not happening? As it's not clear what the exact problem is.
Regards,
Cristian Matei.
03-30-2020 10:23 PM
Hi,
Exactly, it works correctly under 15.2(7)1 or earlier. In this version, for a cluster (ISE A, ISE B), it is sending probes to one ISE all the time:
- when the switch uses ISE A for MAB authentication - it sends probes to ISE B
- when the switch uses ISE B - it sends probes to ISE A all the time
Regards
Pawel
03-30-2020 10:59 PM
Hi,
Was there a reason for the upgrade? Like a needed feature or something? I see you're running the latest version, so either you downgrade or wait for a new release to show up. 15.2(7)E1 was MD, while 15.2(7)E2 is ED.
Regards,
Cristian Matei.
03-31-2020 12:15 AM
Hi,
Earlier, EoL versions were used: 15.2(2)E9 for the 2960X and 3.8.8E (based on 15.2(4)E8) on the 4500E-7L. Because the MD version for the supported 15.2(7) line is 15.2(7)E1, we used it, but after every reload the AAA config is distorted (both on the 4500 and the 2960X). The upgrade to 15.2(7)E2 resolved this issue, but an issue occurs with automate-tester (for me this is less of a problem than the destroyed AAA config in 15.2(7)E1).
Our config:
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting system default start-stop group ISE
In 15.2(7)E1 or 3.11.1E it is replaced with the following during every restart (the TACACS config is right) - it seems to be CSCvt19077:
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting system default start-stop group radius
I'd like to have one common version (easier security advisory tracking). We will probably wait for the 15.2(7)E3 version.
Regards
Pawel
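A post-reload check for the method-list change described in the post above, as an added example that is not part of the thread or of any Cisco tooling: it compares the aaa method lists in a saved baseline with the running config and reports every list whose server groups changed. The function names are hypothetical and the tacacs+ line is constructed sample input; the other config lines are the ones quoted in the post.

```python
import re

# Matches IOS method-list lines such as
#   aaa authentication dot1x default group ISE
#   aaa accounting system default start-stop group ISE
AAA_LINE = re.compile(
    r"^aaa\s+(authentication|authorization|accounting)\s+(\S+)\s+(\S+)\s+(.*)$"
)

def method_lists(config_text):
    """Map (service, type, list name) -> tuple of server groups, in order."""
    lists = {}
    for raw in config_text.splitlines():
        m = AAA_LINE.match(raw.strip())
        if m:
            service, kind, name, rest = m.groups()
            lists[(service, kind, name)] = tuple(
                re.findall(r"\bgroup\s+(\S+)", rest))
    return lists

def aaa_drift(baseline_text, running_text):
    """Return (method list, expected groups, actual groups) for each change."""
    expected = method_lists(baseline_text)
    actual = method_lists(running_text)
    return [(" ".join(key), groups, actual.get(key))
            for key, groups in sorted(expected.items())
            if actual.get(key) != groups]

# Intended configuration as quoted in the post; the login line is constructed.
BASELINE = """
aaa authentication login default group tacacs+ local
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting system default start-stop group ISE
"""

# What the post reports after a reload on 15.2(7)E1 / 3.11.1E.
AFTER_RELOAD = BASELINE.replace("group ISE", "group radius")

if __name__ == "__main__":
    for name, want, got in aaa_drift(BASELINE, AFTER_RELOAD):
        print(f"DRIFT {name}: expected {want}, running {got}")
```

A list that disappears from the running config is reported with None as its actual groups.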
05-26-2020 05:40 AM
Do you have any idea when the 15.2(7)E3 version will be released?
Thank you