Cisco ISE - Not able to authenticate with RADIUS

shailesh.pawar
Level 1

Hello,

We have installed Cisco ISE trial version. ISE is configured with Cisco ASA for RADIUS based authentications for remote VPN login.

For some days the setup was working properly, but for the past two days the authentications have not been successful and the following error is shown in the ASDM UI. This happens even when we try the Test connection option from the ASDM UI.

The following error is displayed.

“ERROR: Authentication test to host xxx.xxx.xxx.xxx failed. Following error occurred.

Authentication Server not responding”

The UI of Cisco ISE is showing that none of the licenses have been consumed and we still have 56 days of trial left. Is it possible that this issue is related to licensing?

The following messages are appearing in the logs of the Cisco ASA:

%ASA-6-302020: Built inbound ICMP connection for faddr xxx.xxx.xxx.xxx/x gaddr xxx.xxx.xxx.xxx/x laddr xxx.xxx.xxx.xxx/x

%ASA-6-302021: Teardown ICMP connection for faddr xxx.xxx.xxx.xxx/x gaddr xxx.xxx.xxx.xxx/x laddr xxx.xxx.xxx.xxx/x

%ASA-6-302014: Teardown TCP connection 68227 for mgmt:xxx.xxx.xxx.xxx/x to identity:xxx.xxx.xxx.xxx/x duration 0:00:00 bytes 213 TCP FINs

%ASA-7-609002: Teardown local-host mgmt:xxx.xxx.xxx.xxx duration 0:00:00

%ASA-5-111008: User 'sadm' executed the 'test aaa-server authentication RADIUS host xxx.xxx.xxx.xxx username testuser password *' command.

%ASA-5-111010: User 'sadm', running 'CLI' from IP 0.0.0.0, executed 'test aaa-server authentication RADIUS host xxx.xxx.xxx.xxx username testuser password *'

%ASA-6-725007: SSL session with client mgmt:xxx.xxx.xxx.xxx/x terminated.

%ASA-6-302014: Teardown TCP connection 68226 for mgmt:xxx.xxx.xxx.xxx/x to identity:xxx.xxx.xxx.xxx/x duration 0:00:02 bytes 897 TCP Reset-O

%ASA-6-106015: Deny TCP (no connection) from xxx.xxx.xxx.xxx/x to xxx.xxx.xxx.xxx/x flags FIN ACK  on interface mgmt

%ASA-7-710005: TCP request discarded from xxx.xxx.xxx.xxx/x to mgmt:xxx.xxx.xxx.xxx/x

7 Replies

Amjad Abdullah
VIP Alumni

Hello,

It is obvious that the ISE is not responding. You had better check the connectivity and check the ISE logs to see if they show something regarding the authentication attempt from the ASA.
I think either the auth request is not reaching the ISE, or the ISE is configured to drop the request and not reply.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"


Thanks Amjad,

We checked the logs of ISE; they are not showing anything about an authentication attempt from the ASA.

Until two days ago the setup was working correctly and authentication was successful. In these two days we have not changed any configuration on these devices.

We tried to ping the ISE device from the ASA; the ping was successful, so I think this might be another issue.

Please give your thoughts about the same.

Well, if ping works then connectivity is OK.
But maybe the IP address of the ISE is not correct on the ASA? This is one thing that can make the ISE pingable but not responding to auth requests.

Is there any firewall in between?

Just double check all possibilities and make sure the config on the ASA is correct with the correct parameters (IP address, shared secret, etc.).
If there is any config for the source interface for RADIUS, then make sure that is correct as well and reachable to the ISE.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"


Thanks Amjad,

I have checked all configurations (IP address, shared secret, ports, etc.); they are correct, but the same error is coming.

There is no firewall in between ISE and ASA. Also the interface is reachable to ISE.

Please share your thoughts.

Well, having no logs on the ISE regarding the auth attempts makes it certain to us that no request is received. If you can collect some packet capture from the ISE side, you'll find that there is no request coming from the ASA.

You can also try to collect a packet capture on the ASA side to verify whether the authentication request is being sent from the ASA in the first place.

Rating useful replies is more useful than saying "Thank you"


Hi Amjad,

We have collected a packet capture from ISE by using TCP Dump and it is showing the following output:

08:15:58.201802 IP (tos 0x0, ttl 255, id 12469, offset 0, flags [none], proto: UDP (17), length: 94) {ASA IP}.blackjack > {ISE HOST NAME}.datametrics: RADIUS, length: 66

    Access Request (1), id: 0x89, Authenticator: 6881266714bdb20380b9fe5fac750a7b

      Username Attribute (1), length: 10, Value: testuser

      Password Attribute (2), length: 18, Value:

      NAS IP Address Attribute (4), length: 6, Value: 10.102.102.43 [|radius]

08:15:58.202070 arp who-has {ASA IP} tell {ISE HOST NAME}

08:15:58.202671 arp reply {ASA IP} is-at 00:1e:f7:10:65:92 (oui Unknown)

08:15:58.202684 IP (tos 0xc0, ttl  64, id 23634, offset 0, flags [none], proto: ICMP (1), length: 122) {ISE HOST NAME} > 10.102.102.43: ICMP {ISE HOST NAME} udp port datametrics unreachable, length 102

    IP (tos 0x0, ttl 255, id 12469, offset 0, flags [none], proto: UDP (17), length: 94) {ASA IP}.blackjack > {ISE HOST NAME}.datametrics: RADIUS, length: 66

    Access Request (1), id: 0x89, Authenticator: 6881266714bdb20380b9fe5fac750a7b

      Username Attribute (1), length: 10, Value:  [|radius] [|radius]

It seems the ASA is sending the request to ISE, but ISE is not responding.

The logs are showing "udp port datametrics unreachable". Can this be the probable cause?

Thanks,

shailesh
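As an added illustration (not code from the thread or from Cisco), the following Python script reads tcpdump output like the capture above, ties each ICMP port-unreachable back to the Access-Request it quotes by matching the IP id, and separates "nothing listens on that port" from "the request arrived but ISE silently dropped it". The port names are the ones tcpdump takes from /etc/services (datametrics is UDP 1645, the legacy RADIUS authentication port; radius is 1812); the embedded capture is a constructed copy of the post's output plus a made-up healthy exchange for contrast.

```python
import re

# tcpdump names UDP ports from /etc/services: 1645/1646 are the legacy RADIUS ports, 1812/1813 the current ones.
SERVICE_PORTS = {"datametrics": 1645, "sightline": 1646, "radius": 1812, "radius-acct": 1813}
RADIUS_RE = re.compile(r"^\S+ IP \(.*?\bid (?P<ipid>\d+),.*?proto: UDP .*?\.(?P<dport>[\w-]+): RADIUS")
CODE_RE = re.compile(r"^\s+Access (?P<code>Request|Accept|Reject|Challenge) \(\d+\), id: (?P<rid>0x[0-9a-f]+)")
UNREACH_RE = re.compile(r"^\S+ IP \(.*?proto: ICMP .*?udp port [\w-]+ unreachable")
INNER_RE = re.compile(r"^\s+IP \(.*?\bid (?P<ipid>\d+),")  # the datagram quoted inside the ICMP error
HINTS = {
    "port_unreachable": "nothing listens on that UDP port at the ISE address, so the request never reaches "
                        "the RADIUS service and ISE logs nothing",
    "no_reply": "request delivered but silently dropped; check the network device entry and shared secret on ISE",
    "answered": "RADIUS service replied",
}

def diagnose(capture: str) -> dict:
    """Classify each Access-Request (keyed by RADIUS id) as answered, port_unreachable or no_reply."""
    lines = capture.splitlines()
    requests, by_ipid = {}, {}        # RADIUS id -> finding, IP id -> RADIUS id
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        m, code = RADIUS_RE.match(line), CODE_RE.match(nxt)
        if m and code:
            rid = code.group("rid")
            if code.group("code") == "Request":
                port = m.group("dport")
                requests[rid] = {"status": "no_reply", "port": port, "port_number": SERVICE_PORTS.get(port)}
                by_ipid[m.group("ipid")] = rid   # the IP id lets an ICMP error be tied back to this request
            elif rid in requests:
                requests[rid]["status"] = "answered"
        elif UNREACH_RE.match(line) and INNER_RE.match(nxt):
            rid = by_ipid.get(INNER_RE.match(nxt).group("ipid"))
            if rid:
                requests[rid]["status"] = "port_unreachable"
    for req in requests.values():
        req["hint"] = HINTS[req["status"]]
    return requests

# Constructed capture: the first exchange mirrors the thread's tcpdump output, the second is a made-up healthy one.
CAPTURE = """\
08:15:58.201802 IP (tos 0x0, ttl 255, id 12469, offset 0, flags [none], proto: UDP (17), length: 94) {ASA IP}.blackjack > {ISE HOST NAME}.datametrics: RADIUS, length: 66
    Access Request (1), id: 0x89, Authenticator: 6881266714bdb20380b9fe5fac750a7b
08:15:58.202684 IP (tos 0xc0, ttl  64, id 23634, offset 0, flags [none], proto: ICMP (1), length: 122) {ISE HOST NAME} > 10.102.102.43: ICMP {ISE HOST NAME} udp port datametrics unreachable, length 102
    IP (tos 0x0, ttl 255, id 12469, offset 0, flags [none], proto: UDP (17), length: 94) {ASA IP}.blackjack > {ISE HOST NAME}.datametrics: RADIUS, length: 66
08:16:10.000000 IP (tos 0x0, ttl 255, id 12470, offset 0, flags [none], proto: UDP (17), length: 94) {ASA IP}.blackjack > {ISE HOST NAME}.radius: RADIUS, length: 66
    Access Request (1), id: 0x8a, Authenticator: 00000000000000000000000000000000
08:16:10.001000 IP (tos 0x0, ttl 64, id 23640, offset 0, flags [none], proto: UDP (17), length: 48) {ISE HOST NAME}.radius > {ASA IP}.blackjack: RADIUS, length: 20
    Access Accept (2), id: 0x8a, Authenticator: 11111111111111111111111111111111
"""
```

Running `diagnose(CAPTURE)` reports request 0x89 as port_unreachable on 1645 and 0x8a as answered on 1812, which is the distinction between a port mismatch and a request ISE received but chose not to answer.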

mmangat
Level 1

Hello,

RADIUS Server Error Message Entries Appearing in Cisco ISE

Symptoms or Issue

• Unsuccessful RADIUS or AAA functions on Cisco ISE

• Error messages in the Monitor > Authentication event entries

Conditions

This scenario can become an issue in a system where Cisco ISE is configured to perform user authentication via an external identity source on the network.

Possible Causes

The following are possible causes for losing connectivity with the external identity source:

• Subject not found in the applicable identity source

• Wrong password or invalid shared secret

• Could not locate network device or AAA client

Resolution

Check the Cisco ISE dashboard (Monitor > Authentications) for any indication regarding the nature of RADIUS communication loss. (Look for instances of your specified RADIUS usernames and scan the system messages that are associated with any error message entries.)

Log into the Cisco ISE CLI and enter the following command to produce RADIUS attribute output that may aid in debugging connection issues:

test aaa group radius new-code

If this test command is successful, you should see the following attributes:

• Connect port

• Connect NAD IP address

• Connect Policy Service ISE node IP address

• Correct server key

• Recognized username or password

• Connectivity between the NAD and Policy Service ISE node

You can also use this command to help narrow the focus of the potential problem with RADIUS communication by deliberately specifying incorrect parameter values in the command line and then returning to the administrator dashboard (Monitor > Authentications) to view the type and frequency of error message entries that result from the incorrect command line. For example, to test whether or not user credentials may be the source of the problem, enter a username and/or password that you know is incorrect, and then look for error message entries that are pertinent to that username in the Monitor > Authentications page to see what Cisco ISE is reporting.

Note: This command does not validate whether or not the NAD is configured to use RADIUS, nor does it verify whether the NAD is configured to use the new AAA model.

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1049240
