
automate-tester probe-on issue in 15.2(7)E2

Hi All,

We use MAB on 2960X stacks (15.2(7)E2) and 4500E-7L (3.11.2E based on 15.2(7)E2) switches.

 

After the upgrade from 15.2(7)E1 to 15.2(7)E2 we have an issue with automate-tester. The switch is testing far_ISE all the time.

I made a short test: I temporarily denied near_ISE on the FW, then opened it again, and in this situation the switch is testing near_ISE while far_ISE authenticates the user. It seems to be an issue in the software. The RADIUS server is working but automate-tester can't refresh the status (still testing for the dummy user).

 

radius server near_ISE
address ipv4 10.x.x.x auth-port 1812 acct-port 1813
timeout 3
retransmit 1
automate-tester username dummy ignore-acct-port probe-on
key 7 *****
!
radius server far_ISE
address ipv4 10.y.y.y auth-port 1812 acct-port 1813
timeout 3
retransmit 1
automate-tester username dummy ignore-acct-port probe-on
key 7 *****
!

Has anyone else encountered this issue?

5 Replies

Cristian Matei
VIP Alumni

Hi,

 

   Based on the IOS version you're running, with the "probe-on" set, the automated tester should send probes only when the RADIUS server is DEAD. Is this behaviour not happening? As it's not clear what the exact problem is.

 

Regards,

Cristian Matei.

Hi,

Exactly, it works correctly under 15.2(7)1 or earlier. In this version, for a cluster (ISE A, ISE B), it is sending probes to one ISE all the time:

- when the switch uses ISE A for MAB authentication, it sends probes to ISE B

- when the switch uses ISE B, it sends probes to ISE A all the time

 

Regards

Pawel

 

 

Hi,

 

    Was there a reason for the upgrade? Like a needed feature or something? I see you're running the latest version, so either you downgrade or wait for a new release to show up. 15.2(7)E1 was MD, while 15.2(7)E2 is ED.

 

Regards,

Cristian Matei.

Hi,

Earlier, EoL versions were used: 15.2(2)E9 for 2960X and 3.8.8E (based on 15.2(4)E8) on 4500E-7L. Because the MD version for the supported 15.2(7) line is 15.2(7)E1, we used this, but after every reload the AAA config is distorted (both on 4500 and 2960X). The upgrade to 15.2(7)E2 resolved this issue, but an issue with automate-tester occurs (for me it is less of a problem than the destroyed AAA config in 15.2(7)E1).

 

Our config:

aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting system default start-stop group ISE

 

In 15.2(7)E1 or 3.11.1E it is replaced with the following during every restart (TACACS config is right) - it seems to be CSCvt19077

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting system default start-stop group radius

 

I'd like to have one common version (easier security advisory tracking). Probably we will wait for 15.2(7)E3 version.

 

Regards

Pawel
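
Added example (not part of the original posts, and not Cisco code): a small Python check that compares the intended AAA method lists from the post above against a config captured after reload and reports every list whose server group changed, which is the symptom described for 15.2(7)E1. The function names and the `TACACS_GRP` login line are assumptions made for illustration.

```python
import re

# Method-list lines, e.g. "aaa authentication dot1x default group ISE"
AAA_LINE = re.compile(
    r"^aaa\s+(authentication|authorization|accounting)\s+(.+?)\s+group\s+(\S+)"
)

# Intended lines as posted above; the login line is constructed for illustration.
INTENDED = """\
aaa authentication login default group TACACS_GRP local
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting system default start-stop group ISE
"""

# Post-reload lines as posted above, plus the unchanged constructed login line.
AFTER_RELOAD = """\
aaa authentication login default group TACACS_GRP local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting system default start-stop group radius
"""

def aaa_method_lists(config_text):
    """Map (type, list descriptor) -> first server group named on the line."""
    lists = {}
    for raw in config_text.splitlines():
        m = AAA_LINE.match(raw.strip())
        if m:
            kind, descriptor, group = m.groups()
            lists[(kind, " ".join(descriptor.split()))] = group
    return lists

def find_drift(intended_text, running_text):
    """Return (type, descriptor, expected, actual) per changed or missing list."""
    running = aaa_method_lists(running_text)
    drift = []
    for key, expected in aaa_method_lists(intended_text).items():
        actual = running.get(key)  # None if the list vanished entirely
        if actual != expected:
            drift.append((key[0], key[1], expected, actual))
    return drift

if __name__ == "__main__":
    for kind, desc, want, got in find_drift(INTENDED, AFTER_RELOAD):
        print(f"DRIFT aaa {kind} {desc}: expected group {want}, found {got}")
```

Run it against the AAA section of the running config saved after each reload or upgrade; an empty result means the method lists still point at the intended server group.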

Do you have any idea when the 15.2(7)E3 version will be released? 

 

Thank you

 

 

 
