ISE NAD RADIUS Fail Open
Good afternoon,
NAC offers the ip admission command for fail open on a router. Is there an equivalent command for access switches pointing to a RADIUS server?
Situation:
Access switches have two RADIUS servers configured, one pointing to the load balancer at Site A (with 6 PSNs behind it) and the second pointing at the LB at Site B (6 PSNs behind it). If neither site's load balancer is reachable, how could we have the access switch fail open and apply an ACL that would give staff access only to the Internet?
Thanks.
Cath.
Cath,
You can actually leverage the command "authentication event dead action authorize vlan id" and dump the users on a vlan that will grant them access while the radius servers are unreachable.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_2_se/configuration/guide/sw8021x.html#wp1194433
Thanks,
Tarik Admani
*Please rate helpful posts*
Similar Messages
-
We just implemented ISE 802.1x on a couple of our Cisco 4507 switches and we are seeing the following error in the log.
%HA_EM-3-LOG: NAC-RADIUS-FAIL-OPEN-DEAD: All RADIUS servers are dead changing the nac-enforcement ACL to permit all
I pasted it into the Cisco error message decoder and it came back with "not found".
Thanks...Jimmy,
Sorry for the late reply, but it turned out that we needed to add the missing auth data vlan command on the switch. After that the error went away.
Thanks for your input, I do appreciate it.
Jack. -
ISE Fail OPEN configuration/testing
Greetings,
We will be performing a live test of ISE Fail Open on our production system tomorrow night. When the policy nodes are all unavailable we want the switches to allow open access to all devices on all interfaces.
I have done some testing of this on an individual test switch by routing packets to the ISE policy nodes to null 0 to emulate a failure. It appears to be working well, but was hoping for more input from the community before my Live test tomorrow night.
First, I believe these to be the only commands needed to make this work correctly. Does anyone have any comment on this configuration? Am I missing anything? Do these timers seem OK? I'm wondering if the deadtime should be greater in case the nodes or the network connection are flapping?
Global Config:
radius-server dead-criteria time 5 tries 3
radius-server deadtime 5
dot1x critical eapol
Interface Config:
authentication event server dead action reinitialize vlan <normal data vlan>
authentication event server dead action authorize voice
authentication event server alive action reinitialize
Next, this is the behavior I am seeing after the policy nodes go down. Is this as it should be?
1. Absolutely nothing happens until an interface undergoes (re)authentication. All ports remain in current authentication/authorization state.
2. If an interface undergoes (re)authentication, the switch tries to reach one of the configured policy nodes. After 5 seconds there is a message that the first node is dead. In another 5 seconds there is a message that the second node is dead.
3. After another ~20 seconds, the interface that was attempting (re)authentication goes into Critical Authorization:
TEST#sh auth sess int f1
Interface: FastEthernet1
MAC Address: 1234.5678.90ab
IP Address: Unknown
User-Name: UserName
Status: Authz Success
Domain: DATA
Oper host mode: multi-host
Oper control dir: in
Authorized By: Critical Auth
Vlan Policy: 2
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A010B0000013D093F17CC
Acct Session ID: 0x0000072B
Handle: 0x5A00013E
Runnable methods list:
Method State
dot1x Authc Failed
mab Not run
Critical Authorization is in effect for domain(s) DATA
TEST#
All other interfaces remain in current mode, nothing on them changes so long as they don't attempt to (re)authenticate.
4. If another interface attempts to (re)authenticate, it goes into critical state immediately w/o trying to contact the dead policy nodes.
5. The switch will try every so often (every 5 minutes?) to reach the policy nodes. If one of them is up, all interfaces that were in critical state immediately transition to normal authc/authz modes. Normal timers apply, dot1x endpoints come up almost immediately, mab clients lose connectivity until dot1x times out.
To emulate a global fail for the organization, I plan to stop the ISE services on both of my policy nodes.
Thanks for any comments/insights/input.
We appreciate the detailed scenario description; the question itself was very informative.
I used
authentication event server dead action authorize
critical VLAN=accessVLAN
instead of
authentication event server dead action reinitialize vlan -
Critical VLAN/"fail open" support when ISE PSN is unavailable
This thread regards ISE operation (and options) where a policy node becomes unavailable - so, in the case of either a single standalone ISE appliance (no HA), or more often a PSN becoming unavailable due to a WAN failure to a remote branch. The intended design for the deployment in question would involve using downloadable ACLs (dACLs) to provide differentiated access, specifically:
- A default ACL configured on the 802.1x switchports would allow "limited" access (possibly Internet-only, but TBD).
- Successful 802.1x authentication would require 1) validation of a corporate certificate on the endpoint, and 2) successful AD login. This would provision a dACL providing full access.
ISE provides the option to configure Inaccessible Authentication Bypass to support RADIUS unavailability when 802.1x is configured on switch ports, but I'm needing to confirm how this works when using dACLs instead of VLANs for differentiated access. Specifically, if IAB is configured so that 802.1x ports (maybe all of them if all ports at the branch need to be functional) get placed into a "critical VLAN", will this override the default ACL on the port, which would no longer be applicable to the new VLAN anyway?
Simply put - we need to configure the deployment so that all endpoints fail open and have full access in the event of ISE/RADIUS becoming unavailable. (There'll be no local RADIUS and/or AD server in the event of WAN failure.) This will need to work although the 802.1x authentication/authorization will be using dACLs to determine access.
Thank you
I have a similar set up, i.e. a pre-auth ACL applied on each port which is overwritten by a 'permit ip any any' dACL from the ISE server if a device successfully authenticates.
My understanding is that if the ISE PSN nodes become unavailable then if a Critical Vlan has been configured then devices will be placed into that vlan, however, the pre-auth ACL will still apply. Hence, if the pre-auth ACL only allows limited network connectivity, then in the event of all the ISE PSN nodes being unreachable then the device will only get the connectivity you allow via the pre-auth ACL.
This is obviously quite undesirable, and so when I raised this with TAC they suggested that I add an EEM script to each switch so that if the ISE PSN nodes become unavailable the EEM script will kick in and add a '1 permit ip any any' at the top of the pre-auth ACL. -
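An added example of the EEM approach described in the post above (this is not TAC's script and not any poster's configuration). It also covers the opening question of this page, where staff should keep Internet-only access when both load balancers are down: instead of a bare 'permit ip any any' the applet inserts DHCP/DNS permits and denies for the internal networks ahead of the original pre-auth ACL entries. Assumptions: the pre-auth ACL is named ACL-DEFAULT and its original entries use the default sequence numbers starting at 10, the internal address space is RFC 1918, and the platform runs an IOS with EEM applets that support the regexp action. The %HA_EM-3-LOG line quoted in the 4507 post further up is what an applet's own syslog action looks like in the log, so that site already had an applet named NAC-RADIUS-FAIL-OPEN-DEAD.

```ios
! Added example, not from the thread. Assumed names: ACL-DEFAULT, the two
! applet names; assumed internal address space: RFC 1918.
!
! Dead-server detection needs both globals. Without deadtime a server is
! retried on every request and IOS never logs RADIUS-4-RADIUS_DEAD, so
! neither the critical VLAN nor this applet would ever trigger.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 5
!
! IOS logs "%RADIUS-4-RADIUS_DEAD: RADIUS server A.B.C.D:1812,1813 is not
! responding." once per server, so the applet first checks that no server
! is still UP. Entries 1-6 land ahead of the original ACL-DEFAULT lines
! (default sequence numbers start at 10): DHCP and DNS keep working, the
! internal networks stay blocked, everything else (the Internet) is allowed.
! For full fail-open, keep only "6 permit ip any any".
event manager applet RADIUS-FAIL-OPEN
 event syslog pattern "RADIUS-4-RADIUS_DEAD"
 action 1.0 cli command "enable"
 action 1.1 cli command "show aaa servers | include State"
 action 1.2 regexp "current UP" "$_cli_result"
 action 1.3 if $_regexp_result eq "1"
 action 1.4  syslog priority informational msg "A RADIUS server is dead but another is UP; ACL-DEFAULT unchanged"
 action 1.5  exit 0
 action 1.6 end
 action 2.0 cli command "configure terminal"
 action 2.1 cli command "ip access-list extended ACL-DEFAULT"
 action 2.2 cli command "1 permit udp any eq bootpc any eq bootps"
 action 2.3 cli command "2 permit udp any any eq domain"
 action 2.4 cli command "3 deny ip any 10.0.0.0 0.255.255.255"
 action 2.5 cli command "4 deny ip any 172.16.0.0 0.15.255.255"
 action 2.6 cli command "5 deny ip any 192.168.0.0 0.0.255.255"
 action 2.7 cli command "6 permit ip any any"
 action 2.8 cli command "end"
 action 3.0 syslog priority errors msg "All RADIUS servers dead; ACL-DEFAULT opened for Internet-only access"
!
! Undo as soon as any server answers again. Ports configured with
! "authentication event server alive action reinitialize" re-run their
! sessions on their own; this applet only restores the ACL.
event manager applet RADIUS-FAIL-CLOSE
 event syslog pattern "RADIUS-4-RADIUS_ALIVE"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "ip access-list extended ACL-DEFAULT"
 action 1.3 cli command "no 1"
 action 1.4 cli command "no 2"
 action 1.5 cli command "no 3"
 action 1.6 cli command "no 4"
 action 1.7 cli command "no 5"
 action 1.8 cli command "no 6"
 action 1.9 cli command "end"
 action 2.0 syslog priority errors msg "RADIUS server alive; ACL-DEFAULT restored"
```

Test it the same way the fail-open poster above did, by black-holing the PSN addresses with a null route on a lab switch, then check "show ip access-lists ACL-DEFAULT" and "show event manager history events". Note that this only changes the port ACL for sessions that fall into critical authorization; sessions that already hold a dACL from ISE keep it until they reauthenticate, which is the behaviour the fail-open test post describes.
-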
Dear guys,
I deployed Cisco ISE for Network Access Control. My topology as described as attached image. I configured Cisco ISE as Radius Server for Client Access Control. But, I got some problems such as:
No Accounting Start (I have configured accounting on the 2960 switch).
Radius Request Dropped (attached image). These NAS IP Address are Servers on same subnet with Cisco ISE.
I would greatly appreciate any help you can give me in working this problem.
Have a nice day,
Thanks and Regards,
Sorry for the late reply.
Here is my switch config.
Current configuration : 8630 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Switch
boot-start-marker
boot-end-marker
no logging console
enable password ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting delay-start all
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
aaa server radius dynamic-author
client A.B.C.D server-key keystrings
aaa session-id common
system mtu routing 1500
vtp mode transparent
ip dhcp snooping
ip device tracking
crypto pki trustpoint TP-self-signed-447922560
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-447922560
revocation-check none
rsakeypair TP-self-signed-447922560
crypto pki certificate chain TP-self-signed-447922560
certificate self-signed 01
xxxxx
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 139,153,401-402,999,1501-1502
interface FastEthernet0/11
switchport access vlan 139
switchport mode access
authentication host-mode multi-auth
authentication open
authentication port-control auto
authentication periodic
authentication timer inactivity 180
authentication violation restrict
mab
interface FastEthernet0/12
switchport access vlan 139
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize vlan 139
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
interface GigabitEthernet0/1
switchport mode trunk
interface GigabitEthernet0/2
interface Vlan1
no ip address
interface Vlan139
ip address E.F.G.H 255.255.255.0
ip default-gateway I.J.K.L
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-DEFAULT
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit icmp any any
permit tcp any host A.B.C.D eq 8443
permit tcp any host A.B.C.D eq 443
permit tcp any host A.B.C.D eq www
permit tcp any host A.B.C.D eq 8905
permit tcp any host A.B.C.D eq 8909
permit udp any host A.B.C.D eq 8905
permit udp any host A.B.C.D eq 8909
deny ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
ip radius source-interface Vlan139
snmp-server community keystrings RW
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host A.B.C.D version 2c keystrings mac-notification
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host A.B.C.D auth-port 1812 acct-port 1813 key STRINGSKEY
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
line vty 5 15
end
My switch version is
WS-2960 12.2(55)SE5 C2960-LANBASEK9-M
I would greatly appreciate any help you can give me in working this problem. -
Client Exclusion Policies on WLC not working with ISE as RADIUS Server
Hi,
for our Guest WLAN (Security Setting for this SSID:Layer2: MAC filtering, Layer3:none) we use ISE as RADIUS Server. On WLC I enabled client exclusion polices and checked all options (Excessive 802.11 Auth. Failures etc..).. But even if a client fails 20times at authentication, it is not excluded on the wlc. It works with other SSIDs, where security settings are set to 802.1x.
Am I missing any settings here, or do you have some tips on how to troubleshoot this?
Thanks very much!
Hi Renata,
If those guest failures are not associated with valid guest users (i.e. people who have forgotten their account or are entering the wrong password) there isn't anything that can be done. The main point of a Guest WLAN is to make it as easy as possible for guests, individuals with device configurations you don't want to deal with or know about, to connect to your network for internet access. From a WiFi/802.11 perspective, the standard Guest WLAN setup means it's easy for any device to connect.
If your Guest WLAN has the following:
SSID is broadcast enabled, Security = OPEN, Encryption = none, then any 802.11 device can find the WLAN via passive scanning and connect. And any device that connects will get the ISE portal. Once receiving that portal they can guess away at valid username/password.
I would suspect that unless your Guest WiFi is adjacent to a Mall, school, hotel or other hi-density area of individuals with time and electronics on their hands, other than alerts in your ops window and logs, resources associated with this (WLC & ISE) are very low.
You can try and dull the noise a few ways.
Option 1. Create an ISE log filter on those alerts so they don't clutter the console.
Option 2. Stop broadcasting the SSID. This is not a security measure, but will cut volume of people connecting to the SSID significantly. You will have to tell your guests what SSID or include it in their credential communication.
Option 3. Put a very simple PSK on the SSID. The PSK will become a public secret, shared with valid guests; it doesn't have to change, as its purpose is not security. You will have to include this information in their credential communication.
Option 4 - both 2 and 3
The most effective option would be 3.
Good Luck! -
ISE-5443 RADIUS request dropped due to reaching EAP sessions limit
Hi Guys,
I am getting the below error message from two PSNs (out of 4) & resulting 95% failed authentications on ISE
"5443 RADIUS request dropped due to reaching EAP sessions limit"
Could not find any documents/reference & trying to get on hold TAC in the mean time.
If anyone of you know what could it be, pls share your inputs
TIA
Rasika
Hi Scott,
Thanks for that..
Here is a bit more information about this event log in the ISE system (1.2 Patch 4).
Event: 5405 RADIUS Request dropped
Failure Reason :5443 RADIUS request dropped due to reaching EAP sessions limit
Resolution : Wait a few seconds before invoking another RADIUS request with new EAP session. If system overload continues to occur, try restarting the ISE Server
Root cause: A RADIUS request was dropped due to reaching EAP sessions limit. This condition can be caused by too many parallel EAP authentication requests.
Worked with TAC and restarted the service of one PSN node, which brought that node back to normal condition, and removed the other PSN from the F5 pool until TAC analyzes the support bundle gathered from it.
It is not a heavily loaded environment (3k wireless clients) at the moment, and it's a bit scary since we are expecting around 15k when students are back in early March. The authentication failure rate is around 100 in every 15-20s interval. Not sure what the limitation of the ISE system itself is for the number of EAP sessions per second.
Rasika -
WLC with ISE as radius and also external web server
Hi friends,
I am building a wireless network with a 5508 WLC and trying to use ISE as the RADIUS server and also to redirect the web-login to it.
I was trying to understand whether, to achieve the external web-login, I need to use the radius-nac option under Advanced on the guest WLAN where I am trying this out, and if not, where do I actually use it?
So far, what I have understood is that I do need to have a preauth ACL on the Layer 3 security, but the issue is that there are no hits reaching the ISE.
Any suggestions would be highly appreciated, guys!
Regards,
Mohit
Hi Mohit,
Please make sure of the below steps for guest auth through ISE:
1) Add the WLC in your ISE as a network device.
2) In the Guest SSID you need to choose the pre-authentication ACL. That ACL should allow the below traffic:
a. any to ISE
b. ISE to any
c. any to DNS server
d. DNS to any
3) The external redirect URL will be
https://ip address:8443/guestportal/Login.action
4) The AAA server for that SSID would be your ISE IP with port number 1812.
5) In the Advanced tab please choose AAA override. No need for radius-nac.
6) Create an appropriate authorization profile in ISE for guest. Example is below, -
NAS/NAM fail open/fail close modes
I need a quick bit of help; it's not documented anywhere, so I need a clarification.
I need this in terms of authentication through AD
1. If my NAS goes down/unreachable what will happen? But nam is up?
2. If my NAM goes down/unreachable and NAS is up what will happen?
3. If both NAS and NAM are both down?
If you can help me out on this point. I can't find any configuration guide stating fail open or fail closed modes of NAM and NAS.
-
IPS configuration promiscuous mode (fail-open) assistance/troubleshooting
Hi all ,
I have 2 ASAs configured in active/standby failover mode. I want to configure the IPS in promiscuous mode with a fail-open configuration.
I have not connected the IPS to any PC through the mgmt port.
I can access the IPS through the ASA (5520) using session 1 and am able to do basic configuration using setup.
After configuring, when I try to log in through ASA ASDM (IPS tab on the home page of ASA ASDM) it asks for an IP (management or other IP). I am trying to access the IPS with the IP (192.168.3.74) configured in the IPS using the initial setup (192.168.3.74/27, 192.168.3.65) and also added an access-list allowing 192.168.3.0/24.
ASA inside IP subnet: 192.168.3.64/27
ASA DMZ IP subnet: 192.168.1.0/24
Let me know if I need to assign the IPS IP from the DMZ range or the inside range?
Do I need to set up the same IP for the IPS in both ASA modules?
Let me know if I can connect to the IPS from ASA ASDM using some IP (192.168.3.74) configured through setup on port 443?
What access-list should I add in the IPS or ASA if required?
While setting up the IPS the first time using the setup command I am not able to see the unused/monitored interface (g0/1) so that I could add both interfaces, which should show as per the Cisco doc. What may be the reason?
IPS 6.0
ASA(5520) 7.24
ASDM 5.24
Regards
Amardeep
You need to configure the interface properly and plug it into the network.
The second interface is displayed differently in the AIP-SSM, as this is a logical/internal connection to the ASA.
Regards
Farrukh -
Can curtain mode in ARD be set to not fail open?
Hello,
Apple Remote Desktop curtain mode seems to fail open by default: if you have curtain mode enabled, and the ARD session disconnects, the remote desktop reverts to an unlocked desktop.
Can ARD be set to fail closed? I.e., if the connection drops or the app closes/crashes, then the remotely controlled screen should ideally revert to a locked desktop, if not by default then as a user-selectable setting.
Would anyone happen to know whether this is currently possible, or if it will require a Feature Enhancement Request?
Thanks,
You could assign their MAC addresses a static record on your local DNS server. That way, when you scan the network in ARD, you'll see them under the DNS Name tab.
-
3rd party IPS fail open device
HI all,
I am looking for a 3rd party hardware device for IPS 4240 hardware fail open in case my IPS unit has any hardware problems.
Please suggest different model numbers/makes for any 3rd party devices.
Thanks
pratik
Hi Pratik,
I am not aware of any.
However, Cisco IPS 4260 and IPS 4270-20 support the 4-port GigabitEthernet card (part number IPS-4GE-BP-INT=) with hardware bypass.
This 4GE bypass interface card supports hardware bypass.
http://tools.cisco.com/squish/878Dd
Regards,
Sid Chandrachud
Cisco TAC - Security Team -
After having used the "big" distributions for a long time I went for Arch to learn more about using Linux. So far so good.
Right now I'm using Openbox but want to try out a tiling WM instead, just for fun.
Made up my mind and chose subtle, since I don't really want to compile every change I make (yet...).
So I just installed subtle using pacman and made a copy of subtle.rb to home using the instructions in the subtle wiki.
The problem is when I try starting subtle. I get an error message saying <ERROR> Failed opening display ´:0.0'
Been searching the forums and read FAQs but no answer to be found.
I have the same problem. No matter if I have a xorg.conf or not. The basic Xorg-xinit environment is working btw..
Oh my gosh, I feel so stupid.
I just missed creating a .xinitrc.
It's working.
Last edited by Janusz11 (2011-06-09 05:23:33) -
ISE v1.1 NAD 6500 failed to decrypt Key......
Hello everyone,
I've implemented 2 Cisco ISE v1.1 in HA to run MAB and 802.1x authentication/authorization, using the local ISE DB and Active Directory as an external identity source for wireless and wired users and devices. This was working fine 2 weeks ago after finishing the installation.
My NAD devices are a Core SW 6500 for wired users (there are no access SW, just the Core for the whole network, its a small office) and a WLC 2405 for Wireless Users.
Here is the network topology:
DNSs are fully resolvable forward and reverse zone and ISEs, AD, WLC and SW Core are synched with the same NTP server.
As I mentioned, authentication and authorization were working fine. Two weekends ago there was an electrical outage in the office. When the ISE servers came up, the trust relationship between AD and the ISEs was broken and so was HA replication. I did some troubleshooting to delete and install new certificates from AD into both ISEs and build the HA configuration again. I finally got the ISEs working fine again.
This last weekend, another electrical outage occurred in the office (the client is working with a temporary plant and has already been warned about electrical damage not covered by warranty) and the ISE servers came up in the same condition again, no trust relationship with AD (Domain Controller). So I fixed this again by deleting and installing new certificates into ISE. The problem is that for some reason the NAD 6500 is not authenticating to the ISE. I'm receiving the following debug messages on the SW:
Sep 12 17:41:00.222: RADIUS(00000000): Request timed out
Sep 12 17:41:00.222: RADIUS: Retransmit to (172.16.3.5:1812,1813) for id 1645/165
Sep 12 17:41:00.222: RADIUS(00000000): Started 5 sec timeout
Sep 12 17:41:00.226: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
Sep 12 17:41:00.226: RADIUS: authenticator 00 D5 B6 0B C9 49 83 81 - 87 17 23 82 2B 6A CB C7
Sep 12 17:41:00.226: RADIUS: response-authenticator decrypt fail, pak len 20
Sep 12 17:41:00.226: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:00.226: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
Sep 12 17:41:00.226: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:00.226: RADIUS: request authen: 41EAE3A7DAEE6332CE646436F949C5A1
Sep 12 17:41:00.226: RADIUS: Response (165) failed decrypt
Sep 12 17:41:05.110: RADIUS(00000000): Request timed out
Sep 12 17:41:05.110: RADIUS: Retransmit to (172.16.3.5:1812,1813) for id 1645/165
Sep 12 17:41:05.110: RADIUS(00000000): Started 5 sec timeout
Sep 12 17:41:05.114: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
Sep 12 17:41:05.114: RADIUS: authenticator 00 D5 B6 0B C9 49 83 81 - 87 17 23 82 2B 6A CB C7
Sep 12 17:41:05.114: RADIUS: response-authenticator decrypt fail, pak len 20
Sep 12 17:41:05.114: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:05.114: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
Sep 12 17:41:05.114: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:05.114: RADIUS: request authen: 41EAE3A7DAEE6332CE646436F949C5A1
Sep 12 17:41:05.114: RADIUS: Response (165) failed decrypt
Sep 12 17:41:10.438: RADIUS(00000000): Request timed out
Sep 12 17:41:10.438: RADIUS: No response from (172.16.3.5:1812,1813) for id 1645/165
Sep 12 17:41:10.438: RADIUS/DECODE: parse response no app start; FAIL
Sep 12 17:41:10.438: RADIUS/DECODE: parse response; FAIL
Sep 12 17:41:13.682: %MAB-5-FAIL: Authentication failed for client (a44c.11ca.eadf) on Interface Gi1/29
Sep 12 17:41:13.682: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (a44c.11ca.eadf) on Interface Gi1/29
Sep 12 17:41:13.682: %AUTHMGR-5-FAIL: Authorization failed for client (a44c.11ca.eadf) on Interface Gi1/29
Sep 12 17:41:00.222: RADIUS(00000000): Request timed out
I have deleted and created the 6500 NAD again in the ISE, and configured the RADIUS key again on the 6500, making sure they are exactly the same. But I keep receiving the same errors.
I have already reviewed the following links:
http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37err.html
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_logging.html#wp1061989
http://puck.nether.net/pipermail/cisco-nas/2004-May/000686.html
And the troubleshooting section from the Cisco Identity Services Engine User Guide, Release 1.0.4
Everything points to the RADIUS key between ISE and the 6500 SW being wrong, but I've configured it again twice and typed it letter by letter slowly to avoid any typos.
ISE version: 1.1.0.665
ADE OS: 2
Active Directory: Windows 2008 R2 Standard
6500 SW Config:
Building configuration...
Current configuration : 65413 bytes
! Last configuration change at 12:22:42 MXVeran Tue Jul 31 2012 by ho1a
! NVRAM config last updated at 22:21:11 MXVeran Mon Jul 30 2012 by ho1a
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
service counters max age 5
boot-start-marker
boot system flash bootdisk:
boot-end-marker
logging buffered 64000
enable secret 5 $1$QoxK$w6sZJ66pXDMLS1lGPp3KR.
username ho1a privilege 15 secret 5 $1$DYMo$O8BQi2u.emzdCFfNMxCTd.
username test-radius password 7 14141B180F0B7B7977
aaa new-model
aaa authentication login Tr3s41ia.2012 local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
client 172.16.3.5 server-key 7 110A1016141D5A5E57
aaa session-id common
platform ip cef load-sharing ip-only
platform rate-limit layer2 port-security pkt 300 burst 10
clock timezone MXInv -6
clock summer-time MXVerano recurring
authentication critical recovery delay 1000
interface GigabitEthernet8/1
switchport
switchport access vlan 2
switchport mode access
ip access-group ACL_ISE_Default in
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
spanning-tree portfast edge
ip default-gateway 172.16.3.2
ip forward-protocol nd
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.3.2
ip radius source-interface Vlan3 vrf default
logging origin-id ip
logging source-interface Vlan3
logging host 172.16.3.5 transport udp port 20514
snmp-server group Tr3s41ia.2012aes v3 priv
snmp-server group Tr3s41ia.2012md5 v3 auth
snmp-server community public RO
snmp-server community tresaliarw RW
snmp-server community tresaliaro RO
snmp-server trap-source Vlan3
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps memory bufferpeak
no snmp-server enable traps entity-sensor threshold
snmp-server enable traps cpu threshold
snmp-server enable traps vtp
snmp-server enable traps flash insertion removal
snmp-server enable traps mac-notification move change
snmp-server enable traps errdisable
snmp-server host 172.16.3.4 version 3 priv Tr3s41ia.2012aes
snmp-server host 172.16.3.4 version 3 auth Tr3s41ia.2012md5
snmp-server host 172.16.3.5 version 2c tresaliaro
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host 172.16.3.5 auth-port 1812 acct-port 1813 test username test-radius key 7 104D000A061843595F
radius-server vsa send accounting
radius-server vsa send authentication
control-plane
service-policy input policy-default-autocopp
line con 0
logging synchronous
login authentication Tr3s41ia.2012
line aux 0
line vty 0 4
login authentication defaulTr3s41ia.2012
transport input ssh
line vty 5 1509
login authentication defaulTr3s41ia.2012
transport input ssh
ntp clock-period 17179836
ntp peer 172.16.4.9
no event manager policy Mandatory.go_switchbus.tcl type system
end
Additionally, I'm getting the following screen when accessing the standby server via https:
I'm thinking that there might be some problems with the CA certificates installed on the ISEs, or some corrupted data due to the 2 sudden restarts.
Any help, hint or direction will be really appreciated.
Thanks in advance for your time. Best Regards.
Hello Tarik, thanks for your response,
I'll go ahead and remove and configure the complete RADIUS configuration on the SW again and let you know what happens; if this doesn't work, I'm thinking that re-installing the ISE server might be the solution. It was working fine after the fresh install.
I use the command "test aaa group radius username password new-code" to test SW communication to ISE and here is the debug output from the SW:
Sep 12 20:42:59.713: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Sep 12 20:42:59.713: RADIUS(00000000): Config NAS IP: 172.16.3.1
Sep 12 20:42:59.713: RADIUS(00000000): sending
Sep 12 20:42:59.713: RADIUS(00000000): Send Access-Request to 172.16.3.5:1812 id 1645/93, len 56
Sep 12 20:42:59.713: RADIUS: authenticator 24 52 30 41 B7 06 74 CE - C7 4B 7B FF 87 88 F7 23
Sep 12 20:42:59.713: RADIUS: User-Password [2] 18 *
Sep 12 20:42:59.713: RADIUS: User-Name [1] 6 test
Sep 12 20:42:59.713: RADIUS: Service-Type [6] 6 Login [1]
Sep 12 20:42:59.713: RADIUS: NAS-IP-Address [4] 6 172.16.3.1
Sep 12 20:42:59.713: RADIUS(00000000): Started 5 sec timeout
Sep 12 20:43:14.485: RADIUS(00000000): Started 5 sec timeout
Sep 12 20:43:14.489: RADIUS: Received from id 1645/93 172.16.3.5:1812, Access-Reject, len 20
Sep 12 20:43:14.489: RADIUS: authenticator B2 89 18 4B F5 D8 D6 67 - 85 4D 1E C3 DE C9 06 85
Sep 12 20:43:14.489: RADIUS: response-authenticator decrypt fail, pak len 20
Sep 12 20:43:14.489: RADIUS: packet dump: 035D0014B289184BF5D8D667854D1EC3DEC90685
Sep 12 20:43:14.489: RADIUS: expected digest: EDB6C64ADA12BCD81CD21C3EF28CDB27
Sep 12 20:43:14.489: RADIUS: response authen: B289184BF5D8D667854D1EC3DEC90685
Sep 12 20:43:14.489: RADIUS: request authen: 24523041B70674CEC74B7BFF8788F723
Sep 12 20:43:14.489: RADIUS: Response (93) failed decrypt
User rejected
And here are the results from the Operations/Authentications tab in ISE:
There are no other SWs in the network, just the Core. I cannot test wireless authentication since the access point switchport is also controlled by ISE and is not authenticated right now. I can authenticate the Active Directory users using the NTRadPing tool as a test and it's successful. AD and the 6500 SW are using the same RADIUS key to communicate with ISE. Here is the AD user authentication:
So I'll proceed to re-configure the SW for the RADIUS server and let you know if this is the solution.
Thanks in advance for your time and comments. -
ISE: test-radius user check fails
The ISE user guides suggest using a username called 'test-radius' as an option to the 'radius-server host' commands. This will cause the respective NAD (a Cat3560 in my case) to make an authentication check on each configured ISE every 60 minutes.
The problem is that every hour I see an authentication failure for this user, but ONLY on my second ISE (I'm running a Standalone HA deployment). Since both hosts should replicate the same user DB, why would it only fail on the second ISE? When I direct end-user login authentications to the second ISE exclusively, they will be passed normally.
See the attached screenshot of the failed authentication attempt for the test-radius user. I've been seeing this with ISE 1.1 as well as 1.1.1.
The relevant config on the switch is:
username test-radius secret 5 <snipped>
radius-server host 172.26.10.35 auth-port 1812 acct-port 1813 test username test-radius key 7 <snipped>
radius-server host 172.26.10.36 auth-port 1812 acct-port 1813 test username test-radius key 7 <snipped>
Questions:
- How can I get rid of that error?
- Is that test-radius option of much use at all in an ISE setup? As far as I could find out, it would be a measure to figure out if the second ISE policy server is running at all as long as the first one hasn't failed.
Thanks for any help.
Toni
Hi Toni,
I believe you do not see any Access-Requests with the 'test-radius' on your primary ISE PDP server at all. The reason is simply that this server is already known as alive due to the regular Access-Requests for user authentication, so there is really no reason for checking its availability.
Obviously this does not explain why the test request is failing. Anyhow, sniffing the RADIUS request packets from your switch towards the ISE should bring light into the darkness.
If you are having a switch with software version 12.2X (Test switch: WS-C3560G-48PS, C3560-IPBASEK9-M, 12.2(53)SE2) the encrypted password contained does not match the one that you have locally configured on the switch (You may want to use Wireshark as proof).
On the other hand, if you are having a switch with software version 15.0X (Test switch: WS-C3560X-48P, C3560E-UNIVERSALK9-M, 15.0(1)SE3) the encrypted password contained does match the one that you have locally configured. Side note: It will not work with an MD5 encrypted password, so you have to use 'username test-radius password '.
However, this whole behavior does not affect user authentication at all and is hence only cosmetic. For the switches itself it only matters if it gets a response from the ISE (RADIUS) to know if it is alive or not.
Hi Tarik,
Testing with the 'test aaa...' command does not result in the 'Authentication Failure', that Toni had mentioned.
Kind regards and hth,
Stephan
*Please rate helpful posts*
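The 6500 thread above ("response-authenticator decrypt fail", then "No response", then "server dead") and the test-radius thread (a probe only has to be answered, not accepted, for the server to count as alive) both come down to the two RFC 2865 constructions the switch is performing. The following is an added example, not code from either thread or from Cisco: it builds the same Access-Request the 'test aaa group radius' debug shows, encodes User-Password the way the NAS does, computes and verifies the Response Authenticator, and parses the actual Access-Reject bytes from the 6500 debug. The shared secret, test credentials and NAS address are made-up assumptions; only the two hex constants come from the page.

```python
"""RADIUS packet build/verify per RFC 2865 (added example, not from the thread).
Shared secret, credentials and NAS address below are made-up assumptions."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)

# Copied from the 6500 debug: the Access-Reject received for id 93 and the
# Request Authenticator the switch had sent in that Access-Request.
REJECT_FROM_DEBUG = bytes.fromhex("035D0014B289184BF5D8D667854D1EC3DEC90685")
REQUEST_AUTH_FROM_DEBUG = bytes.fromhex("24523041B70674CEC74B7BFF8788F723")


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret +
    previous block); the first 'previous block' is the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], _md5(secret + prev)))
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the above (what ISE does with the User-Password attribute)."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, _md5(secret + prev)))
        prev = block
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip):
    """Same attributes, same order, as the 'test aaa group radius' probe in the
    debug: User-Password, User-Name, Service-Type=Login, NAS-IP-Address."""
    request_auth = os.urandom(16)  # must be unpredictable: it keys User-Password
    attrs = (attr(2, encode_user_password(password, secret, request_auth))
             + attr(1, username)
             + attr(6, struct.pack("!I", 1))
             + attr(4, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return _md5(header + request_auth + attrs + secret)


def build_response(code, ident, request_auth, secret, attrs=b""):
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def parse_packet(pkt):
    """Return (code, id, authenticator, attribute bytes); reject bad lengths."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError("bad length field")
    return code, ident, pkt[4:HEADER_LEN], pkt[HEADER_LEN:length]


def verify_response(pkt, request_auth, secret):
    """The check the 6500 reports as 'response-authenticator decrypt fail'."""
    code, ident, auth, attrs = parse_packet(pkt)
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, auth)


def probe_outcome(pkt, sent_ident, request_auth, secret):
    """What the NAS's automated tester needs. A reply that does not verify is
    discarded, as in the debug ('failed decrypt', then 'No response', then
    'server dead'); a verified Access-Reject still proves the server is alive."""
    try:
        code, ident, _, _ = parse_packet(pkt)
    except ValueError:
        return "no-response"
    if ident != sent_ident or not verify_response(pkt, request_auth, secret):
        return "no-response"
    return {ACCESS_ACCEPT: "alive-accept", ACCESS_REJECT: "alive-reject"}.get(code, "alive-other")


if __name__ == "__main__":
    secret = b"s3cret"  # assumed shared secret
    req, ra = build_access_request(93, secret, b"test", b"testpass", "172.16.3.1")
    print(len(req))  # 56, as in 'Send Access-Request to 172.16.3.5:1812 id 1645/93, len 56'
    print(parse_packet(REJECT_FROM_DEBUG)[:2])  # (3, 93): Access-Reject for id 93
    print(probe_outcome(build_response(ACCESS_REJECT, 93, ra, secret), 93, ra, secret))  # alive-reject
    print(probe_outcome(build_response(ACCESS_REJECT, 93, ra, b"typo"), 93, ra, secret))  # no-response
```

Two things the code makes concrete. The only key material in the whole exchange is the shared secret, so a secret mismatch on either side produces exactly the 6500 symptom: the packet is a well-formed Access-Reject for the right id, but its Response Authenticator does not verify and the NAS treats it as silence. And the Access-Reject that the test-radius user provokes every hour is still a verified response, which is why it keeps the server marked alive even though ISE logs it as a failed authentication.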