
Cisco CMX

mikegschorrctr
Level 1

Team

I have a CMX 10.6.3 that does not authenticate to our Cisco ISE using RADIUS. We think it has something to do with the certificate we are using. Is there a specific certificate we are supposed to use for our CMX to authenticate to our ISE 3.2?

 

8 Replies

ammahend
VIP

I don't think you need to import any certificate. Do you see any logs in ISE? If yes, share those logs; they would indicate the issue. If no, then make sure CMX is added on ISE as a Network Device and the shared secret is correct between them; then we can look at policy if needed.

-hope this helps-

mikegschorrctr
Level 1

ammahend

I do not see any live logs in ISE for the CMX even though the CMX has been added in ISE and the shared secret is the same.

 

Refer to page 198 of this PDF and confirm if this is what you followed?

-hope this helps-

mikegschorrctr
Level 1

ammahend

When I tried to add ISE in CMX, it is asking for a certificate location. So we have a certificate in CMX, a .pem certificate.

mikegschorrctr
Level 1

ammahend

I used this document: https://www.cisco.com/c/en/us/td/docs/wireless/mse/10-6-3/cmx_config/b_cg_cmx1063/performing_administrative_tasks.html. In this document I reference the below:

The following example shows how to configure an external RADIUS authentication server.

[cmxadmin@cmx]# cmxctl config authserver settings
Enter external RADIUS authentication server host : 1.2.3.4
Enter RADIUS server shared secret key : password
Configure local account. This account can be used if RADIUS server is not reachable.
Enter username : cmxadmin
Enter password :
Repeat for confirmation:
External RADIUS authentication server configured successfully

But our CMX asked for a certificate location, and after doing this we received this message:

Replacing existing CRL in the CRL collection.
Import Radius CA Certificate successful
0
External RADIUS authentication server configured successfully
Failed to establish connection radius

mikegschorrctr
Level 1

 Ammahend

This is what we did, and the results. We followed the Cisco documentation, but the certificate location was asked for, and so we differ in process.

cmxctl config authserver settings

 

Enter external RADIUS authentication server host : 
Enter CA cert file for external RADIUS authentication server: /home

 

Enter external RADIUS authentication server's DNS name :  xxx
Enter RADIUS server shared secret key: xxxxxxxxx
Configure local account. This account can be used if RADIUS server is not reachable.
Enter username: xxxxxx
Enter password: xxxxxxx
Repeat for confirmation:
Checking for CRL Distribution Points
Found CRL URI(s)
CRL successfully downloaded from http://Axxxxxxx
Replacing existing CRL in the CRL collection.
Import Radius CA Certificate successful
0
External RADIUS authentication server configured successfully

 

Failed to establish connection radius

Are you sure there is no firewall or ACL between ISE and CMX? I asked because you are not even seeing any logs in spite of credentials being verified correctly.

-hope this helps-

mikegschorrctr
Level 1

No, there is no firewall between ISE and CMX, and they are on the same VLAN and on the same ESXi host.
