10-04-2023 08:40 AM
Team
I have a CMX 10.6.3 that does not authenticate to our Cisco ISE using RADIUS. We think it has something to do with the certificate we are using. Is there a specific certificate we are supposed to use for our CMX to authenticate to our ISE 3.2?
10-04-2023 09:53 AM
I don't think you need to import any certificate. Do you see any logs in ISE? If yes, share those logs; they would indicate the issue. If no, then make sure CMX is added on ISE as a Network Device and the shared secret is correct between them. Then we can look at policy if needed.
10-04-2023 09:57 AM
ammahend
I do not see any live logs in ISE for the CMX even though the CMX has been added in ISE and the shared secret is the same.
10-04-2023 11:06 AM
Refer to page 198 of this PDF and confirm if this is what you followed.
10-04-2023 10:00 AM
ammahend
When I tried to add ISE in CMX, it asked for a certificate location. So we have a certificate in CMX, a .pem certificate.
10-04-2023 11:20 AM
ammahend
I used this document: https://www.cisco.com/c/en/us/td/docs/wireless/mse/10-6-3/cmx_config/b_cg_cmx1063/performing_administrative_tasks.html
In this document I reference the below:
The following example shows how to configure an external RADIUS authentication server.
[cmxadmin@cmx]# cmxctl config authserver settings
Enter external RADIUS authentication server host : 1.2.3.4
Enter RADIUS server shared secret key : password
Configure local account. This account can be used if RADIUS server is not reachable.
Enter username : cmxadmin
Enter password :
Repeat for confirmation:
External RADIUS authentication server configured successfully
But our CMX asked for a certificate location, and after doing this we received this message:
Replacing existing CRL in the CRL collection.
Import Radius CA Certificate successful
0
External RADIUS authentication server configured successfully
Failed to establish connection radius
10-06-2023 06:27 AM
Ammahend
This is what we did, and the results. We followed the Cisco documentation, but the certificate location was asked for, and so we differ in process.
cmxctl config authserver settings
Enter external RADIUS authentication server host :
Enter CA cert file for external RADIUS authentication server: /home
Enter external RADIUS authentication server's DNS name : xxx
Enter RADIUS server shared secret key: xxxxxxxxx
Configure local account. This account can be used if RADIUS server is not reachable.
Enter username: xxxxxx
Enter password: xxxxxxx
Repeat for confirmation:
Checking for CRL Distribution Points
Found CRL URI(s)
CRL successfully downloaded from http://Axxxxxxx
Replacing existing CRL in the CRL collection.
Import Radius CA Certificate successful
0
External RADIUS authentication server configured successfully
Failed to establish connection radius
10-06-2023 06:35 AM
Are you sure there is no firewall or ACL between ISE and CMX? I ask because you are not even seeing any logs in spite of the credentials being verified correctly.
10-06-2023 06:40 AM
No, there is no firewall between ISE and CMX, and they are on the same VLAN and on the same ESXi host.