ISE NAD RADIUS Fail Open

Similar Messages

• %HA_EM-3-LOG: NAC-RADIUS-FAIL-OPEN-DEAD: All RADIUS servers are dead changing the nac-enforcement ACL to permit all

  We just implemented ISE 802.1x in couple of our  Cisco 4507 switches  and we are seeing the following error in the log.
  %HA_EM-3-LOG: NAC-RADIUS-FAIL-OPEN-DEAD: All RADIUS servers are dead changing the nac-enforcement ACL to permit all
  I paste it in the Cisco error message decoder and came back with not found.
  Thanks...

  Jimmy,
  Srory for the late reply but it turned out to be we needed to add the missing auth data vlan command on the switch. After that the error went away.
  Thanks for you input I do appreciate it.
  Jack.

• ISE Fail OPEN configuration/testing

  Greetings,
  We will be performing a live test of ISE Fail Open on our production system tomorrow night. When the policy nodes are all unavailable we want the switches to allow open access to all devices on all interfaces.
  I have done some testing of this on an individual test switch by routing packets to the ISE policy nodes to null 0 to emulate a failure. It appears to be working well, but was hoping for more input from the community before my Live test tomorrow night.
  First, I believe these to be the only commands needed to make this work correctly. Does anyone have any comment on this configuration? Am I missing anything? Do these timers seem OK? I'm wondering if the deadtime should be greater in case the nodes or the network connection are flapping?
  Global Config:
  radius-server dead-criteria time 5 tries 3
  radius-server deadtime 5
  dot1x critical eapol
  Interface Config:
  authentication event server dead action reinitialize vlan <normal data vlan>
  authentication event server dead action authorize voice
  authentication event server alive action reinitialize
  Next, this is the behavior I am seeing after the policy nodes go down. Is this as it should be?
  1. Absolutely nothing happens until an interface undergoes (re)authentication. All ports remain in current authentication/authorization state.
  2. If an interface undergoes (re)authentication, the switch tries to reach one of the configured policy nodes. After 5 seconds there is a message the first node is dead. In another 5 seconds there is a mesage that the second node is dead.
  3. After another ~20 seconds, the interface that was attempting (re)authentication goes into Critical Authorization:
  TEST#sh auth sess int f1
              Interface:  FastEthernet1
            MAC Address:  1234.5678.90ab
             IP Address:  Unknown
              User-Name:  UserName
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-host
       Oper control dir:  in
          Authorized By:  Critical Auth
            Vlan Policy:  2
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  0A0A010B0000013D093F17CC
        Acct Session ID:  0x0000072B
                 Handle:  0x5A00013E
  Runnable methods list:
         Method   State
         dot1x    Authc Failed
         mab      Not run
  Critical Authorization is in effect for domain(s) DATA
  TEST#
  All other interfaces remain in current mode, nothing on them changes so long as they don't attempt to (re)authenticate.
  4. If another interface attempts to (re)authenticate, it goes into critical state immediately w/o trying to contact the dead policy nodes.
  5. The switch will try every so often (every 5 minutes?) to reach the policy nodes. If one of them is up, all interfaces that were in critical state immediately transition to normal authc/authz modes. Normal timers apply, dot1x endpoints come up almost immediately, mab clients lose connectivity until dot1x times out.
  To emulate a global fail for the organization, I plan to stop the ISE services on both of my policy nodes.
  Thanks for any comments/insights/input.

  We appreciate the detailed scenario description, the question itself was very informative.
  I used
  authentication event server dead action authorize
                                         critical VLAN=accessVLAN
  instead of
  authentication event server dead action reinitialize vlan

• Critical VLAN/"fail open" support when ISE PSN is unavailable

  This thread regards ISE operation (and options) where a policy node becomes unavailable - so, in the case of either a single standalone ISE appliance (no HA), or more often a PSN becoming unavailable due to a WAN failure to a remote branch. The intended design for the deployment in question would involve using downloadable ACLs (dACLs) to provide differentiated access, specifically:
  - A default ACL would be configured on 802.1x switchports would allow "limited" access (possibly Internet-only, but TBD).
  - Successful 802.1x authentication would require 1) validation of a corporate certificate on the endpoint, and 2) successful AD login. This would provision a dACL providing full access.
  ISE provides the option to configure Inaccessible Authentication Bypass to support RADIUS unavailability when 802.1x is configured on switch ports, but I'm needing to confirm how this works when using dACLs instead of VLANs for differentiated access. Specifically, if IAB is configured so that 802.1x ports (maybe all of them if all ports at the branch need to be functional) get placed into a "critical VLAN", will this override the default ACL on the port, which would no longer be applicable to the new VLAN anyway?
  Simply put - we need to configure the deployment so that all endpoints fail open and have full access in the event of ISE/RADIUS becoming unavailable. (There'll be no local RADIUS and/or AD server in the event of WAN failure.) This will need to work although the 802.1x authentication/authorization will be using dACLs to determine access.
  Thank you

  I have a similar set up i.e. Pre-auth ACL applied on each port which is overwritten by a 'permit ip any any' DACL from the ISE server if a device successfully authenticates.
  My understanding is that if the ISE PSN nodes become unavailable then if a Critical Vlan has been configured then devices will be placed into that vlan, however, the pre-auth ACL will still apply. Hence, if the pre-auth ACL only allows limited network connectivity, then in the event of all the ISE PSN nodes being unreachable then the device will only get the connectivity you allow via the pre-auth ACL.
  This is obviously quite undesirable and so when I raised this with TAC they suggested that I add an EEM script to each switch so that if the ISE PSN nodes become unavailable then the EEM script will kick in and add a "1 permit ip any any' at the top of the pre-auth ACL.

• Cisco ISE some Radius issues

  Dear guys,
       I deployed Cisco ISE for Network Access Control. My topology as described as attached image. I configured Cisco ISE as Radius Server for Client Access Control. But, I got some problems such as:
  No Accounting Start. (I have configured accouting on Switch 2960).
  Radius Request Dropped (attached image). These NAS IP Address are Servers on same subnet with Cisco ISE.
  I would greatly appreciate any help you can give me in working this problem.
  Have a nice day,
  Thanks and Regrads,

  Sorry for late reply.
  Here is my switch config.
  Current configuration : 8630 bytes
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Switch
  boot-start-marker
  boot-end-marker
  no logging console
  enable password ******************
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting delay-start all
  aaa accounting auth-proxy default start-stop group radius
  aaa accounting dot1x default start-stop group radius
  aaa accounting network default start-stop group radius
  aaa server radius dynamic-author
   client A.B.C.D server-key keystrings
  aaa session-id common
  system mtu routing 1500
  vtp mode transparent
  ip dhcp snooping
  ip device tracking
  crypto pki trustpoint TP-self-signed-447922560
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-447922560
   revocation-check none
   rsakeypair TP-self-signed-447922560
  crypto pki certificate chain TP-self-signed-447922560
   certificate self-signed 01
    xxxxx
  dot1x system-auth-control
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  vlan 139,153,401-402,999,1501-1502
  interface FastEthernet0/11
   switchport access vlan 139
   switchport mode access
   authentication host-mode multi-auth
   authentication open
   authentication port-control auto
   authentication periodic
   authentication timer inactivity 180
   authentication violation restrict
   mab
  interface FastEthernet0/12
   switchport access vlan 139
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action authorize vlan 139
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication timer inactivity 180
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
  interface GigabitEthernet0/1
   switchport mode trunk
  interface GigabitEthernet0/2
  interface Vlan1
   no ip address
  interface Vlan139
   ip address E.F.G.H 255.255.255.0
  ip default-gateway I.J.K.L
  ip http server
  ip http secure-server
  ip access-list extended ACL-ALLOW
   permit ip any any
  ip access-list extended ACL-DEFAULT
   remark Allow DHCP
   permit udp any eq bootpc any eq bootps
   remark Allow DNS
   permit udp any any eq domain
   permit icmp any any
   permit tcp any host A.B.C.D eq 8443
   permit tcp any host A.B.C.D eq 443
   permit tcp any host A.B.C.D eq www
   permit tcp any host A.B.C.D eq 8905
   permit tcp any host A.B.C.D eq 8909
   permit udp any host A.B.C.D eq 8905
   permit udp any host A.B.C.D eq 8909
   deny   ip any any
  ip access-list extended ACL-WEBAUTH-REDIRECT
   permit tcp any any eq www
   permit tcp any any eq 443
   deny   ip any any
  ip radius source-interface Vlan139
  snmp-server community keystrings RW
  snmp-server enable traps snmp linkdown linkup
  snmp-server enable traps mac-notification change move
  snmp-server host A.B.C.D version 2c keystrings  mac-notification
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server host A.B.C.D auth-port 1812 acct-port 1813 key STRINGSKEY
  radius-server vsa send accounting
  radius-server vsa send authentication
  line con 0
  line vty 5 15
  end
  My switch version is
  WS-2960   12.2(55)SE5 C2960-LANBASEK9-M
  I would greatly appreciate any help you can give me in working this problem.

• Client Exclusion Policies on WLC not working with ISE as RADIUS Server

  Hi,
  for our Guest WLAN (Security Setting for this SSID:Layer2: MAC filtering, Layer3:none) we use ISE as RADIUS Server. On WLC I enabled client exclusion polices and checked all options (Excessive 802.11 Auth. Failures etc..).. But even if a client fails 20times at authentication, it is not excluded on the wlc. It works with other SSIDs, where security settings are set to 802.1x.
  Am I missing any settings here or do you have some tipps on how to troubleshoot this?
  Thanks very much!

  Hi Renata,
  If those guest failures are not associated with valid guest users (i.e. people who have forgotten their account or entering the wrong password) there isn't anything that can be done. The main point of Guest WLAN is to make it as easy as possible for Guests - individuals with device configurations you don't want to deal with or know about, to connect your network for internet access. From a WiFi/802.11 perspective, the standard Guest WLAN setup means its easy for any device to connect.
  If your Guest WLAN has the following:
  SSID is broadcast enabled, Security = OPEN, Encryption = none, then any 802.11 device can find the WLAN via passive scanning and connect. And any device that connects will get the ISE portal. Once recieveing that portal they can guess away at valid username/password.
  I would suspect that unless your Guest WiFi is adjacent to a Mall, school, hotel or other hi-density area of individuals  with time and electronics on their hands, other than alerts in your ops window and logs, resources associated with this (WLC & ISE) are very low.
  You can try and dull the noise a few ways.
  Option 1. create and ISE log filter on those alerts so they don't cluter the console.
  Option 2. Stop broadcasting the SSID.  This is not a security measure, but will cut volume of people connecting to the SSID significantly. You will have to tell your guests what SSID or include it in their credential communication.
  Option 3. Put a very simple PSK on the SSID. The PSK will become a public secret - shared with valid guests, doesn't have change as it's purpose is not security.  You will have to include this information on their credential communication.
  Option 4 - both 2 and 3
  The most effective option would be 3.
  Good Luck!

• ISE-5443 RADIUS request dropped due to reaching EAP sessions limit

  Hi Guys,
  I am getting the below error message from two PSNs (out of 4) & resulting 95% failed authentications on ISE
  "5443 RADIUS request dropped due to reaching EAP sessions limit"
  Could not find any documents/reference & trying to get on hold TAC in the mean time.
  If anyone of you know what could it be, pls share your inputs
  TIA
  Rasika

  Hi Scott,
  Thanks for that..
  here is bit more information about this evnts log in ISE system (1.2 Patch 4).
  Event: 5405 RADIUS Request dropped
  Failure Reason :5443 RADIUS request dropped due to reaching EAP sessions limit
  Resolution : Wait a few seconds before invoking another RADIUS request with new EAP  session. If system overload continues to occur, try restarting the ISE  Server
  Root cause: A RADIUS request was dropped due to reaching EAP sessions limit. This  condition can be caused by too many parallel EAP authentication  requests.
  Worked with TAC & restarted the service of one PSN node & that brings that node to normal condition & removed the other PSN form the F5 pool until TAC analyze gathered support bundle from that.
  It is not heavily loaded environment (3k wireless clients) at the moment & bit scary since we are expecting around 15k when students are back in early March. Authentication failure rate is around 100 in every 15-20s interval. Not sure what is the limitation of the ISE system itself to handle number of EAP sessions per second.
  Rasika

• WLC with ISE as radius and also external web server

  Hi friends,
  I am biulding a wireless network with 5508 WLC and trying to use ISE as radius server and also to redirect the web-login to it.
  I was trying to understand that to achieve the external web-login, do i need to use the raduius-nac option under advanced on the guest wireless where i am trying this out. and if not, where do i actually use it?
  So far what i have understood that i do need to have preauth ACL on the Layer 3 security, but the issue is there is no hit reaching the ISE.
  any suggestions would be higly appreciated guys!
  Regards,
  Mohit

  Hi mohit,
  Please make sure the below steps for guest auth thru ISE,
  1)Add the WLC in your ISE as netork devices.
  2)In Guest SSID you need to choose the pre authentication acl.That acl should allow the below traffic
      a. any to ISE
      b.ISE to any
      c.any to dns server
      d.dns to any
  3)The external redirect url will be 
  https://ip address:8443/guestportal/Login.action
  4)AAA server for that SSId would be your ISE ip with port number 1812.
  5)In advanced tab please choose the AAA override. No need of radius nac.
  6)Create appropriate authorization profile in ISE for guest.Example is below ,

• NAS/NAM fail open/fail close modes

  I need a quick small help, its not documented any place so I need a clarification.
  I need this in terms of authentication through AD
  1. If my NAS goes down/unreachable what will happen? But nam is up?
  2. If my NAM goes down/unreachable and NAS is up what will happen?
  3. If both NAS and NAM are both down?
  If you can help me out on this point. I cant find any configuration guide stating fail open or fail closed modes of NAM and NAS

  We appreciate the detailed scenario description, the question itself was very informative.
  I used
  authentication event server dead action authorize
                                         critical VLAN=accessVLAN
  instead of
  authentication event server dead action reinitialize vlan

• IPS configuration promiscus mode(fail-open) assistance/troubleshooting

  Hi all ,
  I have 2 ASA configured in active/standby failover mode. I want to configure IPS in promiscus mode with fail-open configuration.
  i have not connected IPS with any pc through magmt port.
  I can access IPS through ASA(5520) using session 1 and able to do basic configuration using setup.
  after configuring when i try to login through ASA ASDM(IPS tab on home page of ASA ASDM) it ask for ip(managment or other ip).. I am trying to access the IPS with ip(192.168.3.74) configured in IPS using initial setup (192.168.3.74/27, 192.168.3.65) and also added access-list allowing 192.168.3.0/24.
  ASA inside ip subnet:192.168.3.64/27
  ASA DMZ ip subnet: 192.168.1.0/24
  let me know if i need to assign IPS ip from dmz range or inside range?
  Do i need to setup same IP for IPS in both ASA module?
  Let me know if i can connect to IPS from ASA ASDM using some ip(192.168.3.74) configured through setup on 443 port.?
  What access-list i should add in IPS or ASA if required?
  While setting up IPS 1st time using setup command i am not able to see the unused/monitored interface(g0/1) so that i could add both interface, which should show as per cisco doc. what may be the reason?
  IPS 6.0
  ASA(5520) 7.24
  ASDM 5.24
  Regards
  Amardeep

  You need to configure the interface properly and plug it in the network.
  The second interface is displayed different in the AIP-SSM, as  this is a logal/internal connection to the ASA.
  Regards
  Farrukh

• Can curtain mode in ARD be set to not fail open?

  Hello,
  Apple Remote Desktop curtain mode seems to fail open by default: if you have curtain mode enabled, and the ARD session disconnects, the remote desktop reverts to an unlocked desktop.
  Can ARD be set to fail closed? ie: if the connection drops or the app closes/crashes, then the remotely controlled screen should ideally revert to a locked desktop, if not by default, then as a user-selectable setting.
  Would anyone happen to know whether this is currently possible, or if it will require a Feature Enhancement Request?
  Thanks,

  You could assign their MAC addresses a static record on your local DNS server. That way, when you scan the network in ARD, you'll see them under the DNS Name tab.

• 3rd party IPS fail open device

  HI all,
  I am looking out for a 3rd party hardware device for IPS 4240 hardware fail open in case if my IPS unit has any hardware problems.
  Please suggest me on different model no/make for any 3rd party devices.
  Thanks
  pratik

  Hi Pratik,
  I am not aware of any.
  However,  Cisco IPS 4260 and IPS 4270-20 support the 4-port GigabitEthernet card (part number IPS-4GE-BP-INT=) with hardware bypass.
  This 4GE bypass interface card supports hardware bypass.
  http://tools.cisco.com/squish/878Dd
  Regards,
  Sid Chandrachud
  Cisco TAC - Security Team

• Failed opening display

  After been using the "big" distributions for a long time i went for Arch to learn more about using Linux. So far so good.
  Right now i'm using Openbox but want to try out a tiled wm instead, just for fun.
  Made up my mind and chose subtle, since i don't really want to compile every change i made (yet...).
  So i just installed subtle using pacman and made a copy of subtle.rb to home using the instructions in the subtle wiki.
  The problem is when i try starting subtle. I get an error massage saying <ERROR> Failed opening display ´:0.0'
  Been searching the forums and read FAQ's but no answer to be find.

  I have the same problem. No matter if I have a xorg.conf or not. The basic Xorg-xinit environment is working btw..
  Oh my gosh, I feel so stupid.
  I just missed to create a .xintrc.
  It's working.
  Last edited by Janusz11 (2011-06-09 05:23:33)

• ISE v1.1 NAD 6500 failed to decrypt Key......

  Hello everyone ,
  I´ve implemented 2 Cisco ISE v1.1 in HA to run MAB and 802.x Authentication / Authorization. Using Local ISE DB and Active Directory as an External Identity Source for wireless and wired users and devices. This was working fine 2 weeks ago after finishing installation.
  My NAD devices are a Core SW 6500 for wired users (there are no access SW, just the Core for the whole network, its a small office) and a WLC 2405 for Wireless Users.
  Here is the network topology:
  DNSs are fully resolvable forward and reverse zone and  ISEs, AD, WLC and SW Core are synched with the same NTP server.
  As I mentioned Authentication and Authorization were working fine. Two weekends ago there was an electrical outage in the office. When the ISEs servers came up, the trust relationship between AD and ISEs was broken and so was HA replication. I did some troubleshoot to delete and install new certificates from AD into both ISEs and build again the HA configuration. I finally got the ISEs working fine again.
  This last weekend, another electrical outage occurs in the office (client is working with a temporary plant and is already warned about electrical damages not covered by warranty) and the ISE servers came up in the same condition again, no trust relationship with AD (Domain Controller). So I fix this again by deleting and installing new certificates into ISE. The problem is that for some reason the NAD 6500 is not authenticating to the ISE. I´m receiving the following debug messages in the SW:
  Sep 12 17:41:00.222: RADIUS(00000000): Request timed out
  Sep 12 17:41:00.222: RADIUS: Retransmit to (172.16.3.5:1812,1813) for id 1645/165
  Sep 12 17:41:00.222: RADIUS(00000000): Started 5 sec timeout
  Sep 12 17:41:00.226: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
  Sep 12 17:41:00.226: RADIUS:  authenticator 00 D5 B6 0B C9 49 83 81 - 87 17 23 82 2B 6A CB C7
  Sep 12 17:41:00.226: RADIUS: response-authenticator decrypt fail, pak len 20
  Sep 12 17:41:00.226: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
  Sep 12 17:41:00.226: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
  Sep 12 17:41:00.226: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
  Sep 12 17:41:00.226: RADIUS: request  authen: 41EAE3A7DAEE6332CE646436F949C5A1
  Sep 12 17:41:00.226: RADIUS: Response (165) failed decrypt
  Sep 12 17:41:05.110: RADIUS(00000000): Request timed out
  Sep 12 17:41:05.110: RADIUS: Retransmit to (172.16.3.5:1812,1813) for id 1645/165
  Sep 12 17:41:05.110: RADIUS(00000000): Started 5 sec timeout
  Sep 12 17:41:05.114: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
  Sep 12 17:41:05.114: RADIUS:  authenticator 00 D5 B6 0B C9 49 83 81 - 87 17 23 82 2B 6A CB C7
  Sep 12 17:41:05.114: RADIUS: response-authenticator decrypt fail, pak len 20
  Sep 12 17:41:05.114: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
  Sep 12 17:41:05.114: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
  Sep 12 17:41:05.114: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
  Sep 12 17:41:05.114: RADIUS: request  authen: 41EAE3A7DAEE6332CE646436F949C5A1
  Sep 12 17:41:05.114: RADIUS: Response (165) failed decrypt
  Sep 12 17:41:10.438: RADIUS(00000000): Request timed out
  Sep 12 17:41:10.438: RADIUS: No response from (172.16.3.5:1812,1813) for id 1645/165
  Sep 12 17:41:10.438: RADIUS/DECODE: parse response no app start; FAIL
  Sep 12 17:41:10.438: RADIUS/DECODE: parse response; FAIL
  Sep 12 17:41:13.682: %MAB-5-FAIL: Authentication failed for client (a44c.11ca.eadf) on Interface Gi1/29
  Sep 12 17:41:13.682: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (a44c.11ca.eadf) on Interface Gi1/29
  Sep 12 17:41:13.682: %AUTHMGR-5-FAIL: Authorization failed for client (a44c.11ca.eadf) on Interface Gi1/29
  Sep 12 17:41:00.222: RADIUS(00000000): Request timed out
  I have deleted and created again the 6500 NAD in the ISE, and configured againd the Radius-Key in the 6500 making sure they are exactly the same. But I keep receiving the same errors.
  I have already reviewed the following links:
  http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37err.html
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_logging.html#wp1061989
  http://puck.nether.net/pipermail/cisco-nas/2004-May/000686.html
  And the troubleshooting section from the Cisco Identity Services Engine User Guide, Release 1.0.4
  Everything points me that the Radius Key between ISE and the 6500SW is wrong, but I´ve configured it again twice and typed it letter by letter slowly to avoid any typos.
  ISE version: 1.1.0.665
  ADE OS: 2
  Active Directory: Windows 2008 R2 Standard
  6500 SW Config:
  Building configuration...
  Current configuration : 65413 bytes
  ! Last configuration change at 12:22:42 MXVeran Tue Jul 31 2012 by ho1a
  ! NVRAM config last updated at 22:21:11 MXVeran Mon Jul 30 2012 by ho1a
  version 15.0
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  service compress-config
  service counters max age 5
  boot-start-marker
  boot system flash bootdisk:
  boot-end-marker
  logging buffered 64000
  enable secret 5 $1$QoxK$w6sZJ66pXDMLS1lGPp3KR.
  username ho1a privilege 15 secret 5 $1$DYMo$O8BQi2u.emzdCFfNMxCTd.
  username test-radius password 7 14141B180F0B7B7977
  aaa new-model
  aaa authentication login Tr3s41ia.2012 local
  aaa authentication dot1x default group radius
  aaa authorization exec default local
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting update periodic 5
  aaa accounting dot1x default start-stop group radius
  aaa accounting system default start-stop group radius
  aaa server radius dynamic-author
  client 172.16.3.5 server-key 7 110A1016141D5A5E57
  aaa session-id common
  platform ip cef load-sharing ip-only
  platform rate-limit layer2 port-security pkt 300 burst 10
  clock timezone MXInv -6
  clock summer-time MXVerano recurring
  authentication critical recovery delay 1000
  interface GigabitEthernet8/1
  switchport
  switchport access vlan 2
  switchport mode access
  ip access-group ACL_ISE_Default in
  authentication host-mode multi-auth
  authentication open
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  spanning-tree portfast edge
  ip default-gateway 172.16.3.2
  ip forward-protocol nd
  ip http server
  ip http secure-server
  ip route 0.0.0.0 0.0.0.0 172.16.3.2
  ip radius source-interface Vlan3 vrf default
  logging origin-id ip
  logging source-interface Vlan3
  logging host 172.16.3.5 transport udp port 20514
  snmp-server group Tr3s41ia.2012aes v3 priv
  snmp-server group Tr3s41ia.2012md5 v3 auth
  snmp-server community public RO
  snmp-server community tresaliarw RW
  snmp-server community tresaliaro RO
  snmp-server trap-source Vlan3
  snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
  snmp-server enable traps memory bufferpeak
  no snmp-server enable traps entity-sensor threshold
  snmp-server enable traps cpu threshold
  snmp-server enable traps vtp
  snmp-server enable traps flash insertion removal
  snmp-server enable traps mac-notification move change
  snmp-server enable traps errdisable
  snmp-server host 172.16.3.4 version 3 priv Tr3s41ia.2012aes
  snmp-server host 172.16.3.4 version 3 auth Tr3s41ia.2012md5
  snmp-server host 172.16.3.5 version 2c tresaliaro
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 30 tries 3
  radius-server host 172.16.3.5 auth-port 1812 acct-port 1813 test username test-radius key 7 104D000A061843595F
  radius-server vsa send accounting
  radius-server vsa send authentication
  control-plane
  service-policy input policy-default-autocopp
  line con 0
  logging synchronous
  login authentication Tr3s41ia.2012
  line aux 0
  line vty 0 4
  login authentication defaulTr3s41ia.2012
  transport input ssh
  line vty 5 1509
  login authentication defaulTr3s41ia.2012
  transport input ssh
  ntp clock-period 17179836
  ntp peer 172.16.4.9
  no event manager policy Mandatory.go_switchbus.tcl type system
  end
  Additionaly, I´m getting the following screen when accesing the Stand-by server via https:
  I´m thinking that there might be some problems with the CA Certificates installed on ISEs, or some corrupted data due to the 2 sudden restarts.
  Any help, hint or direction will be really appreciated.
  Thanks in advanced for your time. Best Regards.

  Hello Tarik, thanks for your response,
  I´ll go ahead and remove and configure again the complete radius configuration on the SW and let you know what happens, if this doesn´t work I´m thinking that re-installing the ISE server might be the solution. It´s was working fine after the fresh install.
  I use the command "test aaa group radius username password new-code" to test SW communication to ISE and here is the debug output from the SW:
  Sep 12 20:42:59.713: RADIUS/ENCODE(00000000):Orig. component type = INVALID
  Sep 12 20:42:59.713: RADIUS(00000000): Config NAS IP: 172.16.3.1
  Sep 12 20:42:59.713: RADIUS(00000000): sending
  Sep 12 20:42:59.713: RADIUS(00000000): Send Access-Request to 172.16.3.5:1812 id 1645/93, len 56
  Sep 12 20:42:59.713: RADIUS:  authenticator 24 52 30 41 B7 06 74 CE - C7 4B 7B FF 87 88 F7 23
  Sep 12 20:42:59.713: RADIUS:  User-Password       [2]   18  *
  Sep 12 20:42:59.713: RADIUS:  User-Name           [1]   6   test
  Sep 12 20:42:59.713: RADIUS:  Service-Type        [6]   6   Login                     [1]
  Sep 12 20:42:59.713: RADIUS:  NAS-IP-Address      [4]   6   172.16.3.1               
  Sep 12 20:42:59.713: RADIUS(00000000): Started 5 sec timeout
  Sep 12 20:43:14.485: RADIUS(00000000): Started 5 sec timeout
  Sep 12 20:43:14.489: RADIUS: Received from id 1645/93 172.16.3.5:1812, Access-Reject, len 20
  Sep 12 20:43:14.489: RADIUS:  authenticator B2 89 18 4B F5 D8 D6 67 - 85 4D 1E C3 DE C9 06 85
  Sep 12 20:43:14.489: RADIUS: response-authenticator decrypt fail, pak len 20
  Sep 12 20:43:14.489: RADIUS: packet dump: 035D0014B289184BF5D8D667854D1EC3DEC90685
  Sep 12 20:43:14.489: RADIUS: expected digest: EDB6C64ADA12BCD81CD21C3EF28CDB27
  Sep 12 20:43:14.489: RADIUS: response authen: B289184BF5D8D667854D1EC3DEC90685
  Sep 12 20:43:14.489: RADIUS: request  authen: 24523041B70674CEC74B7BFF8788F723
  Sep 12 20:43:14.489: RADIUS: Response (93) failed decryptUser rejected
  And here are the results from the Operations/Authentications Tabe from ISE:
  There are no other SWs in the network, just the Core. I cannot test Wireless Authentication since the AccessPoint Switchport is also controlled by ISE and is not Authenticated right now. I can Authenticate the Active Directory Users using NTRadPing tool as a test and its succesful. AD and 6500 SW are using the same Radius key to communicate with ISE. Here is the AD usert Authentication:
  So I´ll proceed to re-configure the SW for Radius server and let you know if this is the solution.
  Thanks in advanced for your time and comments.

• ISE: test-radius user check fails

  The ISE user guides suggest to use a username called 'test-radius' as option to the 'radius-server host' commands. This will cause the respective NAD (a Cat3560 in my case) to make an authentication check on each configured ISE every 60 minutes.
  The problem is that every hour I see an authentication failure for this user, but ONLY on my second ISE (I'm running a Standalone HA deployment). Since both hosts should replicate the same user DB, why would it only fail on the second ISE? When I direct end-user login authentications to the second ISE exclusively, they will be passed normally.
  See the attached screenshot of the failed authentication attempt for the test-radius user. I've been seeing this with ISE 1.1 as well as 1.1.1.
  The relevant config on the switch is:
  username test-radius secret 5 <snipped>
  radius-server host 172.26.10.35 auth-port 1812 acct-port 1813 test username test-radius key 7 <snipped>
  radius-server host 172.26.10.36 auth-port 1812 acct-port 1813 test username test-radius key 7 <snipped>
  Questions:
  - How can I get rid of that error?
  - Is that test-radius option of much use at all in an ISE setup? As far as I could find out, it would be a measure to figure out if the second ISE policy server is running at all as long as the first one hasn't failed.
  Thanks for any help.
  Toni

  Hi Toni,
  I believe you do not see any Access-Requests with the 'test-radius' on your primary ISE PDP server at all. The reason is simply that this server is already known as alive due to the regular Access-Requests for user authentication, so there is really no reason for checking its availability.
  Obviously this does not explain the behavior why the test request is failing. Anyhow,sniffing the RADIUS request packets from your switch towards the ISE should bring light into the darkness.
  If you are having a switch with software version 12.2X (Test switch: WS-C3560G-48PS, C3560-IPBASEK9-M, 12.2(53)SE2) the encrypted password contained does not match the one that you have locally configured on the switch (You may want to use Wireshark as proof).
  On the other hand, if you are having a switch with software version 15.0X (Test switch: WS-C3560X-48P, C3560E-UNIVERSALK9-M, 15.0(1)SE3) the encrypted password contained does match the one that you have locally configured. Side node: It will not work with an MD5 encrypted password, so you have to use 'username test-radius password '.
  However, this whole behavior does not affect user authentication at all and is hence only cosmetic. For the switches itself it only matters if it gets a response from the ISE (RADIUS) to know if it is alive or not.
  Hi Tarik,
  Testing with the 'test aaa...' command does not result in the 'Authentication Failure', that Toni had mentioned.
  Kind regards and hth,
  Stephan
  *Please rate helpful posts*