ISE vs Packet Fence

Hello,
I'm currently studying a solution for AAA in my company. Since I've got an almost full Cisco network architecture, I've read a lot about ISE.
But recently I heard about Packet Fence, an open source project which seems to offer the same features.
So I'd like to get some of your advice about this software compared with ISE: is it worth getting it? What are the advantages and drawbacks of this one?
Since we're on a Cisco forum I'm not expecting you to tell me that Packet Fence is better, but I'd just like to get objective reviews.
Thankfully,
Yoshipower.

Hi Ravi,
I am also looking at the same options and I was heading entirely in the ISE direction until I realised that there is not full support for non-WLC WiFi systems.  So since I have an AP1141 this seems to mean that I would be as well to go with Packet Fence as the best I will get from either solution is basic 802.1x authentication?
Footnote number 4 on Table 1 of this document seems to cover most of the limitations:-
http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html
"Wireless LAN Controllers (WLCs) do not support downloadable ACLs (dACLs), but support named ACLs. WLCs prior to release 7.0.116.0 do not support CoA and require deployment of an ISE Inline Posture Node to support posture services. Use of Inline Posture Node requires WLC version 7.0.98 or later. Autonomous AP deployments (no WLC) also require deployment of an Inline Posture Node for posture support. Profiling services are currently supported for 802.1X-authenticated WLANs only on the WLC with CoA support. HREAP is not supported. WLCs do not currently support MAC Authentication Bypass (MAB)."
So based on the above the ISE is not able to offer me profiling services or CoA.  And I can only get posture support if I have an inline node everywhere that I have an AP?
Thanks
David

Similar Messages

  • Packet Fence behind a proxy

    No, because you are doing something new and uncharted. But the rules are in (doing from memory) /usr/local/pf/conf (somewhere) there is the iptables template that gets copied to the correct location in /etc/sysconf/iptables. 
    I can dig around in my test system in the AM to locate the correct file. But that is the location they were in. 

    You would not do this in packet fence directly, there is no facility for that. Think about what packet fence is acting like... a gated router. Since it is running inline mode it acts like a router with an entrance control. While I have never done this with pf, you might want to check into transparent proxying. This uses firewall rules to redirect internet bound traffic to/through a proxy server. To do this under linux you can craft specific iptable rules to create the redirect. http://www.tldp.org/HOWTO/TransparentProxy-6.html Understand that pf also manages the firewall rules so you will need to add your rules to the pf configuration files. The main linux iptables are rewritten every time pf starts. So you must put them in the proper place to retain the settings during a restart. While debugging I would update the pf rules directly,...

  • Cisco ISE 1.3 MAB authentication.. switch drop packet

    Hello All,
    I have C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1) switch..
    and ISE 1.3 version..
    MAB authentication is working perfectly at the ISE end.. but while seeing the same at the switch end.. I am seeing the switch is dropping packets on some ports..
    while some ports are working perfectly..
    Same switch configuration is working perfectly on another switch without any issue..
    Switch configuration for your suggestion..!!
    aaa new-model
    aaa authentication fail-message ^C
    **** Either ACS or ISE is DOWN / Use ur LOCAL CREDENTIALS / Thank You ****
    ^C
    aaa authentication login CONSOLE local
    aaa authentication login ACS group tacacs+ group radius local
    aaa authentication dot1x default group radius
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+ group radius
    aaa server radius dynamic-author
     client 172.16.95.x server-key 7 02050D480809
     client 172.16.95.x server-key 7 14141B180F0B
    aaa session-id common
    clock timezone IST 5 30
    system mtu routing 1500
    ip routing
    no ip domain-lookup
    ip domain-name EVS.com
    ip device tracking
    epm logging
    dot1x system-auth-control
    interface FastEthernet0/1
     switchport access vlan x
     switchport mode access
     switchport voice vlan x
     authentication event fail action next-method
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    ip tacacs source-interface Vlan10
    ip radius source-interface Vlan10 vrf default
    logging trap critical
    logging origin-id ip
    logging 172.16.5.95
    logging host 172.16.95.x transport udp port 20514
    logging host 172.16.95.x transport udp port 20514
    snmp-server group SNMP-Group v3 auth read EVS-view notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F access 15
    snmp-server view EVS-view internet included
    snmp-server community S1n2M3p4$ RO
    snmp-server community cisco RO
    snmp-server trap-source Vlan10
    snmp-server source-interface informs Vlan10
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps tty
    snmp-server enable traps cluster
    snmp-server enable traps entity
    snmp-server enable traps cpu threshold
    snmp-server enable traps vtp
    snmp-server enable traps vlancreate
    snmp-server enable traps vlandelete
    snmp-server enable traps flash insertion removal
    snmp-server enable traps port-security
    snmp-server enable traps envmon fan shutdown supply temperature status
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps bridge newroot topologychange
    snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
    snmp-server enable traps syslog
    snmp-server enable traps mac-notification change move threshold
    snmp-server enable traps vlan-membership
    snmp-server host 172.16.95.x version 2c cisco
    snmp-server host 172.16.95.x version 2c cisco
    snmp-server host 172.16.5.x version 3 auth evsnetadmin
    tacacs-server host 172.16.5.x key 7 0538571873651D1D4D26421A4F
    tacacs-server directed-request
    tacacs-server key 7 107D580E573E411F58277F2360
    tacacs-server administration
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 25 access-request include
    radius-server host 172.16.95.y auth-port 1812 acct-port 1813 key 7 060506324F41
    radius-server host 172.16.95.x auth-port 1812 acct-port 1813 key 7 110A1016141D
    radius-server host 172.16.95.y auth-port 1645 acct-port 1646 key 7 110A1016141D
    radius-server host 172.16.95.x auth-port 1645 acct-port 1646 key 7 070C285F4D06
    radius-server timeout 2
    radius-server key 7 060506324F41
    radius-server vsa send accounting
    radius-server vsa send authentication
    line con 0
     exec-timeout 5 0
     privilege level 15
     logging synchronous
     login authentication CONSOLE
    line vty 0 4
     access-class telnet_access in
     exec-timeout 0 0
     logging synchronous
     login authentication ACS
     transport input ssh

     24423  ISE has not been able to confirm previous successful machine authentication  
    Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
    The first thing to check is whether MAR has been enabled on the identity source. The second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at but I'd do those two first.
    Log off and on or reboot and then see if you at least get a failed machine auth on the Operations > Authentication page and we can go from there.

  • Cisco ISE doesn`t send packets to AD

    Hello!
    I've tried to configure authentication through AD. Integration of Cisco ISE with AD is successful and I can retrieve all groups from AD. I've configured dot1X authentication (Policy > Authentication) to use AD first, then Internal Users. I've configured the rule for one group in the authorization policy (Policy > Authorization); I've added this group from AD (Administration > Identity Management > External Identity Sources > Active Directory > Groups).
    When the user tries to connect to the LAN and enters credentials from AD, Cisco ISE always uses only the Internal Identity Source and doesn't try to search for the user in AD. I don't see any packets to AD in Operations > Authentication or in TCP Dump; Cisco ISE only checks the Internal Identity Source.
    Does anybody know how to solve this problem?
    Thank you!

    The problem was a wrong Authentication configuration.
    Now I have the following problem: ISE can't authenticate a wired guest user through Central Web Access.
    The Guest Portal sends a message about successful authentication and after that redirects again to the Guest Portal.
    I have two rules in Policy > Authorization (attach: Auth).
    In Operations > Authentication I see the following (attach: Guest).
    In defaultguestportal I have "Both" authentication and a sequence of 3 Identity Stores (Internal Users, Internal Endpoint, AD).

  • Logical Profiles in ISE 1.2

    I created a logical profiles group that is assigned the Apple-iPad, Apple-iPhone and Apple-iDevice policies. Now ISE will not update the feed policies for the three devices. This is the message that I received from ISE when it does its Feed Policies update. I use the logical profiles group matching for authentication and authorization. Is there any way for me to update these feed policies? Thanks for the help!!
    Feed Version 1 policies downloaded.
    Total number of feed polices to apply are 3.
    Feed policies total 3 skipped.
    Feed policies warning message : Apple-Device has been changed by admin.
    Apple-Device:Apple-iDevice has been changed by admin.
    Apple-Device:Apple-iPad has been changed by admin.

    Hello Toua,
    Please verify the switch configuration for those network segments where endpoints are not being appropriately profiled to ensure that:
    • The required information to profile the endpoint is being sent to Cisco ISE for it to profile.
    • Probes are configured on the network Policy Service node entities.
    • Verify that packets are received at the Cisco ISE profiler module by running the tcpdump function at Operations > Troubleshoot > Diagnostic Tools > General Tools > Tcpdump.
    Note: If you are observing this issue with endpoints on a WAN collected by HTTP, Netflow, and NMAP, ensure that the endpoint IP address has been updated with a RADIUS/DHCP Probe before other attributes are updated using the above probes.
    For more information, please visit the following link:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html#wp192504

  • ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe

    Hello guys
    Just prepping an ISE 1.2 patch 8 setup in our organization. I am going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer and there is no requirement for wireless or guest users at the moment. I've got 2 points I would like to get some guidance on:
    Our DC has a dedicated mgmt network and I plan to IP the gig0 interface of the PANs, MNTs and PSNs from this subnet. All device admin, clustering, config replication, etc. will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface, which will be addressed from another L3 network. Is this a supported configuration in ISE?
    I intend to use the DHCP probe as part of device profiling and would ideally like to have just one additional ip helper to add to our switch SVI config. Also, it appears that WLCs can only be configured with 2 DHCP servers for a given network, so that is another consideration for when we bring our WLAN into scope. We however use ACE load balancers within our DC and from what I have read, they do not support DHCP load balancing. Are there any workarounds for using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?
    Thanks in advance
    Sayre

    Hello Sayre-
    For Question #1:
    Management is restricted to GigabitEthernet 0 and that cannot be changed so you should be good there
    You can configure Radius and Profiling to be enabled on other interfaces
    Even though you are not using guest services yet, you can dedicate an interface just for that. As a result, you can separate guest traffic completely from your production network
    Take a look at this link for more info:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html
    For Question #2
    If you are using a Cisco WLC and running code 7.4 and newer you don't need to mess with the IP helper configurations. 
    The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:
    –Option 12—HostName of the client
    –Option 60—The Vendor Class Identifier
    After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which is in turn transmitted to the ISE in the form of an interim accounting message.
    Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC
    On the other hand, you can also use Anycast for profiling. You can check out some of Cisco Live's sessions for more info on that. Here is one from a couple of years ago (there are more recent ones available as well):
    http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
    I hope this helps!
    Thank you for rating helpful posts!
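As an added example (not from the post above or from Cisco), here is how the two DHCP options the WLC collector extracts, option 12 (hostname) and option 60 (vendor class), can be pulled out of a raw DHCPREQUEST. The packet is constructed inside the block, and the attribute key names are this example's own, not ISE's profiler attribute names.

```python
import struct
from typing import Dict, Optional

# DHCP option codes used by the WLC collector for ISE profiling (RFC 2132)
OPT_HOSTNAME = 12        # Host Name
OPT_MSG_TYPE = 53        # DHCP Message Type
OPT_VENDOR_CLASS = 60    # Vendor Class Identifier
OPT_PAD, OPT_END = 0, 255
DHCPDISCOVER, DHCPREQUEST = 1, 3
BOOTP_HEADER_LEN = 236   # fixed BOOTP fields before the magic cookie (RFC 2131)
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Return {option_code: raw_value} from a BOOTP/DHCP payload (no UDP/IP header).

    Pad (0) is skipped, End (255) stops parsing, and a TLV that runs past the end
    of the packet raises instead of silently returning a short value."""
    cookie_end = BOOTP_HEADER_LEN + len(MAGIC_COOKIE)
    if len(packet) < cookie_end:
        raise ValueError("packet shorter than BOOTP header plus magic cookie")
    if packet[BOOTP_HEADER_LEN:cookie_end] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options: Dict[int, bytes] = {}
    i = cookie_end
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        # A repeated code overwrites the earlier one; option 52 overload is not handled.
        options[code] = value
        i += 2 + length
    return options


def profiling_attributes(packet: bytes) -> Optional[Dict[str, str]]:
    """What the collector hands to RADIUS accounting: hostname and vendor class
    from a DHCPREQUEST. Returns None for any other message type (e.g. DHCPDISCOVER).
    Key names are this example's own, not ISE's profiler attribute names."""
    options = parse_dhcp_options(packet)
    if options.get(OPT_MSG_TYPE) != bytes([DHCPREQUEST]):
        return None
    attrs: Dict[str, str] = {}
    if OPT_HOSTNAME in options:
        attrs["host_name"] = options[OPT_HOSTNAME].decode("ascii", "replace")
    if OPT_VENDOR_CLASS in options:
        attrs["vendor_class"] = options[OPT_VENDOR_CLASS].decode("ascii", "replace")
    return attrs


def build_dhcp_packet(mac: bytes, hostname: str, vendor_class: str,
                      msg_type: int = DHCPREQUEST, xid: int = 0x3903F326) -> bytes:
    """Constructed sample input (not a capture): a minimal client DHCP message."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,          # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
                         xid, 0, 0x8000,      # xid, secs, flags (broadcast bit)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,     # ciaddr..giaddr
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    options += bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode("ascii")
    options += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class.encode("ascii")
    options += bytes([OPT_PAD, OPT_END])
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    pkt = build_dhcp_packet(b"\x00\x11\x22\x33\x44\x55", "SAYRE-LAPTOP", "MSFT 5.0")
    print(profiling_attributes(pkt))   # {'host_name': 'SAYRE-LAPTOP', 'vendor_class': 'MSFT 5.0'}
```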

  • ISE 1.2 and EAP-MD5

    Hi,
    I have HP ProCurve switches that need to get authenticated with EAP-MD5 but I can't get it to work in ISE 1.2 with patch 2.
    We have tried all combinations for EAP-MD5 in allowed protocols but get the same message when trying to authenticate.
    The ISE deployment does not run in FIPS 140-2 mode.
    And when using the switch with NPS we get this to work, so the switch configuration is OK.
    Failure Reason:  12003 Failed to negotiate EAP because EAP-MD5 not allowed in the Allowed Protocols
    Resolution: Ensure that the EAP-MD5 protocol is allowed by ISE in Allowed Protocols.
    Root cause :The client's supplicant sent an EAP-Response/NAK packet rejecting the previously-proposed EAP-based protocol, and requesting to use EAP-MD5 instead. However, EAP-MD5 is not allowed in Allowed Protocols.
    Any thoughts on this?
    Cheers

    Choose Policy > Policy Elements > Results >Authentication > Allowed Protocols
    Select EAP-MD5—Check the Allow EAP-MD5 check box and check Detect EAP-MD5 as Host Lookup check box.
    Save the Allowed Protocol service.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ISE 1.2, Supplicant configured for 802.1x but need to MAB

    I posted this yesterday but deleted the thread thinking I had fixed the issue - alas I was wrong. In summary I have a scenario where I am doing wired 802.1x and also wired MAB/CWA. The issue is that a certain number of external/BYOD hosts have supplicants configured for 802.1x at their "home" organisations which for obvious reasons can't authenticate on this network. The idea is that MAB and CWA become a fallback but these hosts in question don't efficiently fail to MAB.
    If the host has validate server certificates enabled (and doesn't have our root selected) then 802.1x fails and goes to MAB as per the tx timers etc. Hosts that don't validate certificates essentially fail authentication, abandon the EAP session and start new... this process seems to continue for a very long time.
    Does anyone have any similar experiences and if so can you provide some info? I am looking into tweaking 802.1x port timers to make this fail quicker/better but am not confident this will fix the issue.
    Thanks in advance

    Maybe the held-period and quiet-period parameters would help. I would not change the TX period to anything shorter than 10 seconds. Every Cisco doc that I have ever seen has said this same recommendation and I can tell you from experience you will have devices at times that will authenticate via MAB when you don't want them to if you decrease it lower than 10 seconds.
    Read this doc for best practices including the timers listed below.
    I hope this link works. http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-3698.pdf
    If not go to www.ciscolive365.com (sign up if you haven't already) and search for
    "BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours"
    Change the dot1x hold, quiet, and ratelimit-period to 300.
    held-period seconds
    Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60.
    quiet-period seconds
    Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state)
    following a failed authentication exchange before trying to reauthenticate the client. For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535. The default is 120.
    ratelimit-period seconds
    Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated For the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled.

  • ISE 1.2 Error Messages

    Hi forum,
    We have an ISE deployment that we are lab testing.
    This is running v1.2.0.899 with Patch 2 installed.
    We have an authC policy configured for domain-joined computers for 802.1x and domain credentials:
         Condition: Wired_802.1X
         Allow Protocols: PEAP_CHAPv2
         Use: AD
    This works, and authenticates both the machine (pre-login) and user (post-login).
    However, I am seeing some errors in the Auth logs before the 5200 Authentication succeeded message.
    These messages are not shown in the Cisco ISE Log Messages spreadsheet!
        5441 Endpoint started new EAP session while the packet of previous EAP session is being processed. Dropping new session.
        5405 RADIUS Request dropped
        5440 Endpoint abandoned EAP session and started new
    Has anybody else experienced this or can explain why I am seeing this behaviour?
    All helpful responses rated!
    Thanks Ash.

    This is an external defect but duplicate of
    CSCui21439    message texts do not reflect 1.2 added/modified value
    I'm going to paste the description/content here from the defect.
    Environment:
    Build: 1.2.0.891
    install from iso and configured from scratch.
    Deployment:
    Node1: Pri(A), Pri(M), PDP
    Node2: Sec(A)
    Node3: Sec(M)
    Node4: PDP
    Node5: PDP
    Node4 and Node5 were placed in node group.
    Procedure:
    1. configured multiple nics on node4 and node5 with ip address and host alias.
    2. Configured policy sets to serve requests coming for eth0 and eth1.
    3. tried round-trips ( BYOD flows ) with both eth0 and eth1.
    Observation:
    1. Under the live authentications page, the admin could see events with the below failure reasons but without event details (i.e. the event column is blank)
    "5441 Endpoint started new EAP session while the packet of previous EAP session is being processed. Dropping new session."
    "5440 Endpoint abandoned EAP session and started new"
    2. But under Operations > Reports > Auth service status > Radius errors report, event details do appear
    So the problem is that in reports the admin is able to see event details for the above failure reasons but not on the live authentications page.
    So there is no functional impact, as the admin can see event details from the reports section.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ISE 1.2 Patch 12

    Hi all,
    I upgraded from ISE 1.2 patch 6 to 1.2 patch 12 to fix an ISE portal bug over the weekend.
    None of my Guest Wireless users are complaining, authentication is working fine. But the below error is appearing for every Guest user session under ISE/Operations/Live Authentications.
    "5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session"
    Is anyone aware of a bug possibly and I guess you need to upgrade to 1.3.x
    I would've thought Cisco would bring out a fix for this in 1.2.x....maybe patch 13 (new bug?)
    Any info out there about 5441 before I log a TAC?????
    Thanks.

    Any updates? I am not so sure it is cosmetic. I have clients failing to make it through the flow. I am seeing the following on these clients requests:
    It would appear that because the accounting data doesn't get back it, there is confusion that the session doesn't exist and the auth fails.
    Event
    5400 Authentication failed
    Failure Reason
    12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
    Resolution
    Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
    Root cause
    Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.

  • Ask the Expert: Integrating Cisco Identity Service Engine (ISE) 1.2 for BYOD

    With Eric Yu and Todd Pula 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions  about integrating Cisco ISE 1.2 for BYOD with experts Eric Yu and Todd Pula.
    Cisco Bring Your Own Device (BYOD) is an end-to-end architecture that orchestrates the integration of Cisco's mobile and security architectures to various third-party components. The session takes a deep dive into the available tools and methodologies for troubleshooting the Cisco BYOD solution to identify root causes for problems that stem from mobile device manager integration, Microsoft Active Directory and certificate authority services, and Cisco Enterprise Mobility integration to the Cisco Identity Services Engine (ISE). 
    Todd and Eric recently delivered a technical workshop that helps network designers and network engineers understand integration of the various Cisco BYOD components by taking a deep dive to analyze best practice configurations and time-saving troubleshooting methodologies. The content consisted of common troubleshooting scenarios in which TAC engineers help customers address operational challenges as seen in real Cisco BYOD deployments.
    Eric Yu is a technical leader at Cisco responsible for supporting our leading-edge borderless network solutions. He has 10 years of experience in the telecommunications industry designing data and voice networks. Previous to his current role, he worked as a network consulting engineer for Cisco Advance Services, responsible for designing and implementing Cisco Unified Communications for Fortune 500 enterprises. Before joining Cisco, he worked at Verizon Business as an integration engineer responsible for developing a managed services solution for Cisco Unified Communications. Eric holds CCIE certification in routing and switching no. 14590 and has two patents pending related to Cisco's medianet.   
    Todd Pula is a member of the TAC Security and NMS Technical Leadership team supporting the ISE and intrusion prevention system (IPS) product lines. Todd has 15 years of experience in the networking and information security industries, with 6 years of experience working in Cisco's TAC organization. Previous to his current role, Todd was a TAC team lead providing focused technical support on Cisco's wide array of VPN products. Before joining Cisco, he worked at Stanley Black & Decker as a network engineer responsible for the design, configuration, and support of an expansive global network infrastructure. Todd holds his CCIE in routing and switching no. 19383 and an MS degree in IT from Capella University.
    Remember to use the rating system to let Eric and Todd know if you have received an adequate response.
    Because of the volume expected during this event, Eric and Todd might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity AAA, Identity and NAC, shortly after the event. This event lasts through November 15, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hi Antonio,
    Many great questions to start this series.  For the situation that you are observing with your FlexConnect configuration, is the problem 100% reproducible or is it intermittent?  Does the problem happen for one WLAN but not another?  As it stands today, the CoA-Ack needs to be initiated by the management interface.  This limitation is documented in bug CSCuj42870.  I have provided a link for your reference below.  If the problem happens 100% of the time, the two configuration areas that I would check first include:
    On the WLC, navigate to Security > RADIUS > Authentication.  Click on the server index number for the associated ISE node.  On the edit screen, verify that the Support for RFC 3576 option is enabled.
    On the WLC, navigate to the WLANs tab and click on the WLAN ID for the WLAN in question.  On the edit screen, navigate to Security > AAA and make sure the Radius Server Overwrite interface is unchecked.  When this option is checked, the WLC will attempt to send client authentication requests and the CoA-Ack/Nak via the dynamic interface assigned to the WLAN vs. the management interface.  Because of the below referenced bug, all RADIUS packets except the CoA-Ack/Nak will actually be transmitted via the dynamic interface.  As a general rule of thumb, if using the Radius NAC option on a WLAN, you should not configure the Radius Server Overwrite interface feature.
    Bug Info:  https://tools.cisco.com/bugsearch/bug/CSCuj42870
    For your second question, you raise a very valid point which I am going to turn into a documentation enhancement request.  We don't currently have a document that lists the possible supplicant provisioning wizard errors that may be encountered.  Please feel free to post specific errors that you have questions about in this chat and we will try to get you answers.  For most Android devices, the wizard log file can be found at /sdcards/downloads/spw.log.
    As for product roadmap questions, we won't be able to discuss this here due to NDA.  Both are popular asks from the field so it will be interesting to see what the product marketing team comes up with for the next iteration of ISE.
    Related Info:
    Wireless BYOD for FlexConnect Deployment Guide

  • ISE v1.1 NAD 6500 failed to decrypt Key......

    Hello everyone ,
    I've implemented 2 Cisco ISE v1.1 in HA to run MAB and 802.1x Authentication / Authorization, using the local ISE DB and Active Directory as an External Identity Source for wireless and wired users and devices. This was working fine 2 weeks ago after finishing the installation.
    My NAD devices are a Core SW 6500 for wired users (there are no access SWs, just the Core for the whole network, it's a small office) and a WLC 2405 for wireless users.
    Here is the network topology:
    DNSs are fully resolvable forward and reverse zone and  ISEs, AD, WLC and SW Core are synched with the same NTP server.
    As I mentioned, Authentication and Authorization were working fine. Two weekends ago there was an electrical outage in the office. When the ISE servers came up, the trust relationship between AD and the ISEs was broken and so was HA replication. I did some troubleshooting to delete and install new certificates from AD into both ISEs and rebuild the HA configuration. I finally got the ISEs working fine again.
    This last weekend, another electrical outage occurred in the office (the client is working with a temporary plant and has already been warned about electrical damage not covered by warranty) and the ISE servers came up in the same condition again, no trust relationship with AD (Domain Controller). So I fixed this again by deleting and installing new certificates into ISE. The problem is that for some reason the NAD 6500 is not authenticating to the ISE. I'm receiving the following debug messages in the SW:
    Sep 12 17:41:00.222: RADIUS(00000000): Request timed out
    Sep 12 17:41:00.222: RADIUS: Retransmit to (172.16.3.5:1812,1813) for id 1645/165
    Sep 12 17:41:00.222: RADIUS(00000000): Started 5 sec timeout
    Sep 12 17:41:00.226: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
    Sep 12 17:41:00.226: RADIUS:  authenticator 00 D5 B6 0B C9 49 83 81 - 87 17 23 82 2B 6A CB C7
    Sep 12 17:41:00.226: RADIUS: response-authenticator decrypt fail, pak len 20
    Sep 12 17:41:00.226: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
    Sep 12 17:41:00.226: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
    Sep 12 17:41:00.226: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
    Sep 12 17:41:00.226: RADIUS: request  authen: 41EAE3A7DAEE6332CE646436F949C5A1
    Sep 12 17:41:00.226: RADIUS: Response (165) failed decrypt
    Sep 12 17:41:05.110: RADIUS(00000000): Request timed out
    Sep 12 17:41:05.110: RADIUS: Retransmit to (172.16.3.5:1812,1813) for id 1645/165
    Sep 12 17:41:05.110: RADIUS(00000000): Started 5 sec timeout
    Sep 12 17:41:05.114: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
    Sep 12 17:41:05.114: RADIUS:  authenticator 00 D5 B6 0B C9 49 83 81 - 87 17 23 82 2B 6A CB C7
    Sep 12 17:41:05.114: RADIUS: response-authenticator decrypt fail, pak len 20
    Sep 12 17:41:05.114: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
    Sep 12 17:41:05.114: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
    Sep 12 17:41:05.114: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
    Sep 12 17:41:05.114: RADIUS: request  authen: 41EAE3A7DAEE6332CE646436F949C5A1
    Sep 12 17:41:05.114: RADIUS: Response (165) failed decrypt
    Sep 12 17:41:10.438: RADIUS(00000000): Request timed out
    Sep 12 17:41:10.438: RADIUS: No response from (172.16.3.5:1812,1813) for id 1645/165
    Sep 12 17:41:10.438: RADIUS/DECODE: parse response no app start; FAIL
    Sep 12 17:41:10.438: RADIUS/DECODE: parse response; FAIL
    Sep 12 17:41:13.682: %MAB-5-FAIL: Authentication failed for client (a44c.11ca.eadf) on Interface Gi1/29
    Sep 12 17:41:13.682: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (a44c.11ca.eadf) on Interface Gi1/29
    Sep 12 17:41:13.682: %AUTHMGR-5-FAIL: Authorization failed for client (a44c.11ca.eadf) on Interface Gi1/29
    Sep 12 17:41:00.222: RADIUS(00000000): Request timed out
    I have deleted and created again the 6500 NAD in the ISE, and configured again the Radius-Key in the 6500 making sure they are exactly the same. But I keep receiving the same errors.
    I have already reviewed the following links:
    http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37err.html
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_logging.html#wp1061989
    http://puck.nether.net/pipermail/cisco-nas/2004-May/000686.html
    And the troubleshooting section from the Cisco Identity Services Engine User Guide, Release 1.0.4
    Everything points to the Radius Key between ISE and the 6500 SW being wrong, but I've configured it again twice and typed it letter by letter slowly to avoid any typos.
    ISE version: 1.1.0.665
    ADE OS: 2
    Active Directory: Windows 2008 R2 Standard
    6500 SW Config:
    Building configuration...
    Current configuration : 65413 bytes
    ! Last configuration change at 12:22:42 MXVeran Tue Jul 31 2012 by ho1a
    ! NVRAM config last updated at 22:21:11 MXVeran Mon Jul 30 2012 by ho1a
    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service compress-config
    service counters max age 5
    boot-start-marker
    boot system flash bootdisk:
    boot-end-marker
    logging buffered 64000
    enable secret 5 $1$QoxK$w6sZJ66pXDMLS1lGPp3KR.
    username ho1a privilege 15 secret 5 $1$DYMo$O8BQi2u.emzdCFfNMxCTd.
    username test-radius password 7 14141B180F0B7B7977
    aaa new-model
    aaa authentication login Tr3s41ia.2012 local
    aaa authentication dot1x default group radius
    aaa authorization exec default local
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    aaa server radius dynamic-author
    client 172.16.3.5 server-key 7 110A1016141D5A5E57
    aaa session-id common
    platform ip cef load-sharing ip-only
    platform rate-limit layer2 port-security pkt 300 burst 10
    clock timezone MXInv -6
    clock summer-time MXVerano recurring
    authentication critical recovery delay 1000
    interface GigabitEthernet8/1
    switchport
    switchport access vlan 2
    switchport mode access
    ip access-group ACL_ISE_Default in
    authentication host-mode multi-auth
    authentication open
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    spanning-tree portfast edge
    ip default-gateway 172.16.3.2
    ip forward-protocol nd
    ip http server
    ip http secure-server
    ip route 0.0.0.0 0.0.0.0 172.16.3.2
    ip radius source-interface Vlan3 vrf default
    logging origin-id ip
    logging source-interface Vlan3
    logging host 172.16.3.5 transport udp port 20514
    snmp-server group Tr3s41ia.2012aes v3 priv
    snmp-server group Tr3s41ia.2012md5 v3 auth
    snmp-server community public RO
    snmp-server community tresaliarw RW
    snmp-server community tresaliaro RO
    snmp-server trap-source Vlan3
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps memory bufferpeak
    no snmp-server enable traps entity-sensor threshold
    snmp-server enable traps cpu threshold
    snmp-server enable traps vtp
    snmp-server enable traps flash insertion removal
    snmp-server enable traps mac-notification move change
    snmp-server enable traps errdisable
    snmp-server host 172.16.3.4 version 3 priv Tr3s41ia.2012aes
    snmp-server host 172.16.3.4 version 3 auth Tr3s41ia.2012md5
    snmp-server host 172.16.3.5 version 2c tresaliaro
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 30 tries 3
    radius-server host 172.16.3.5 auth-port 1812 acct-port 1813 test username test-radius key 7 104D000A061843595F
    radius-server vsa send accounting
    radius-server vsa send authentication
    control-plane
    service-policy input policy-default-autocopp
    line con 0
    logging synchronous
    login authentication Tr3s41ia.2012
    line aux 0
    line vty 0 4
    login authentication defaulTr3s41ia.2012
    transport input ssh
    line vty 5 1509
    login authentication defaulTr3s41ia.2012
    transport input ssh
    ntp clock-period 17179836
    ntp peer 172.16.4.9
    no event manager policy Mandatory.go_switchbus.tcl type system
    end
    Additionally, I'm getting the following screen when accessing the Stand-by server via https:
    I'm thinking that there might be some problems with the CA Certificates installed on the ISEs, or some corrupted data due to the 2 sudden restarts.
    Any help, hint or direction will be really appreciated.
    Thanks in advance for your time. Best Regards.

    Hello Tarik, thanks for your response,
    I'll go ahead and remove and configure again the complete radius configuration on the SW and let you know what happens; if this doesn't work I'm thinking that re-installing the ISE server might be the solution. It was working fine after the fresh install.
    I use the command "test aaa group radius username password new-code" to test SW communication to ISE and here is the debug output from the SW:
    Sep 12 20:42:59.713: RADIUS/ENCODE(00000000):Orig. component type = INVALID
    Sep 12 20:42:59.713: RADIUS(00000000): Config NAS IP: 172.16.3.1
    Sep 12 20:42:59.713: RADIUS(00000000): sending
    Sep 12 20:42:59.713: RADIUS(00000000): Send Access-Request to 172.16.3.5:1812 id 1645/93, len 56
    Sep 12 20:42:59.713: RADIUS:  authenticator 24 52 30 41 B7 06 74 CE - C7 4B 7B FF 87 88 F7 23
    Sep 12 20:42:59.713: RADIUS:  User-Password       [2]   18  *
    Sep 12 20:42:59.713: RADIUS:  User-Name           [1]   6   test
    Sep 12 20:42:59.713: RADIUS:  Service-Type        [6]   6   Login                     [1]
    Sep 12 20:42:59.713: RADIUS:  NAS-IP-Address      [4]   6   172.16.3.1               
    Sep 12 20:42:59.713: RADIUS(00000000): Started 5 sec timeout
    Sep 12 20:43:14.485: RADIUS(00000000): Started 5 sec timeout
    Sep 12 20:43:14.489: RADIUS: Received from id 1645/93 172.16.3.5:1812, Access-Reject, len 20
    Sep 12 20:43:14.489: RADIUS:  authenticator B2 89 18 4B F5 D8 D6 67 - 85 4D 1E C3 DE C9 06 85
    Sep 12 20:43:14.489: RADIUS: response-authenticator decrypt fail, pak len 20
    Sep 12 20:43:14.489: RADIUS: packet dump: 035D0014B289184BF5D8D667854D1EC3DEC90685
    Sep 12 20:43:14.489: RADIUS: expected digest: EDB6C64ADA12BCD81CD21C3EF28CDB27
    Sep 12 20:43:14.489: RADIUS: response authen: B289184BF5D8D667854D1EC3DEC90685
    Sep 12 20:43:14.489: RADIUS: request  authen: 24523041B70674CEC74B7BFF8788F723
    Sep 12 20:43:14.489: RADIUS: Response (93) failed decrypt
    User rejected
    And here are the results from the Operations/Authentications Tab from ISE:
    There are no other SWs in the network, just the Core. I cannot test Wireless Authentication since the AccessPoint Switchport is also controlled by ISE and is not Authenticated right now. I can Authenticate the Active Directory Users using the NTRadPing tool as a test and it's successful. AD and the 6500 SW are using the same Radius key to communicate with ISE. Here is the AD user Authentication:
    So I'll proceed to re-configure the SW for the Radius server and let you know if this is the solution.
    Thanks in advance for your time and comments.
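    The "response-authenticator decrypt fail" lines in the two debug captures above are the switch recomputing the RFC 2865 Response Authenticator with its own key and comparing it to the one ISE sent. The following Python is an added example, not Cisco's or the poster's code: it parses the Access-Reject from the first capture and shows the check passing when both sides share a key and failing when they do not. The two secrets are constructed, since the real key is not in the post.

```python
import hashlib
import hmac
import struct

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def parse_header(pkt: bytes):
    """Split a RADIUS packet into (code, identifier, length, authenticator, attributes)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, length, pkt[4:20], pkt[20:length]

def response_authenticator(code, ident, length, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: emit a response whose authenticator is keyed with *its* secret."""
    length = 20 + len(attrs)
    auth = response_authenticator(code, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs

def check_response(pkt, request_auth, secret):
    """NAS side: recompute the digest with *our* secret, as the 6500 debug does.
    Returns (code name, identifier, expected digest hex, authenticator matches?)."""
    code, ident, length, resp_auth, attrs = parse_header(pkt)
    expected = response_authenticator(code, ident, length, request_auth, attrs, secret)
    ok = hmac.compare_digest(expected, resp_auth)
    return CODE_NAMES.get(code, str(code)), ident, expected.hex().upper(), ok

# The Access-Reject packet dump and request authenticator from the first debug capture.
PAGE_REJECT = bytes.fromhex("03A5001400D5B60BC9498381871723822B6ACBC7")
PAGE_REQUEST_AUTH = bytes.fromhex("41EAE3A7DAEE6332CE646436F949C5A1")

# Constructed secrets; the real shared key is not on the page.
NAS_SECRET = b"constructed-key-on-6500"
ISE_SECRET = b"constructed-key-on-ISE"

if __name__ == "__main__":
    name, ident, digest, ok = check_response(PAGE_REJECT, PAGE_REQUEST_AUTH, NAS_SECRET)
    print(f"page packet: {name} id={ident} expected digest={digest} match={ok}")
    # Same key on both sides: the NAS accepts the reply (even an Access-Reject is valid).
    reply = build_response(3, 165, PAGE_REQUEST_AUTH, b"", NAS_SECRET)
    print("same key     ->", check_response(reply, PAGE_REQUEST_AUTH, NAS_SECRET)[3])
    # Different key on the server: every reply "fails decrypt" and is discarded; after the
    # retries the switch marks the server dead, which is what the AUTHMGR log line shows.
    reply = build_response(3, 165, PAGE_REQUEST_AUTH, b"", ISE_SECRET)
    print("key mismatch ->", check_response(reply, PAGE_REQUEST_AUTH, NAS_SECRET)[3])
```

    A key mismatch looks identical to the switch whether the server rejected the user or accepted it, which is why "Access-Reject ... failed decrypt" followed by "server dead" says nothing about the credentials themselves.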

  • ISE v1.2 - Status-Server - 5405 RADIUS Request dropped

    Just a note:
    Some devices send regular RADIUS status messages;
    The ISE drops these as 
    Event: 5405 RADIUS Request dropped
    Failure Reason: 11031 RADIUS packet type is not a valid Request
    Root cause: RADIUS packet type is not a valid Request.
    Wireshark shows:-
    Code: Status-Server (12)
    Attribute Value Pairs:
    AVP: l=6  t=Service-Type(6): Shell-User(6)
    AVP: l=18  t=Message-Authenticator(80): df48bb4b50f0a772bd7c891ef6548c68
    AVP: l=6  t=NAS-IP-Address(4): 10.1.1.1
    I believe that ISE should accept and respond to these messages per RFC 5997 (which updates RFC 2866):
    A RADIUS server or proxy implementing this specification SHOULD respond to a Status-Server packet with an Access-Accept (authentication port) or Accounting-Response (accounting port).  An Access-Challenge response is NOT RECOMMENDED.  An Access-Reject response MAY be used.

    Neno
    Nothing to do with that,
    The devices will use RADIUS to authenticate fine; database, credentials, etc. fine.
    However they send keepalives to validate the RADIUS server is still there.  ISE doesn't implement this and ISE logs get full of rejections.  The end devices are unable to prioritise which ISE to use based on up/down.  But still work.
    This was just a note to everyone so they are aware of the issue,
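    What a server that follows RFC 5997 does with such a keepalive, as an added example rather than anything ISE implements: build the Status-Server packet from the Wireshark decode above (Service-Type Shell-User, Message-Authenticator, NAS-IP-Address 10.1.1.1), validate its HMAC-MD5 Message-Authenticator with the shared secret, and answer with an Access-Accept carrying only a Response Authenticator. The shared secret, identifier and request authenticator are constructed values.

```python
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER, ACCESS_ACCEPT, SERVICE_TYPE, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 12, 2, 6, 4, 80

def avp(t, value):
    return struct.pack("!BB", t, 2 + len(value)) + value

def build_status_server(ident, secret, nas_ip, request_auth=None):
    """NAS side: the keepalive from the decode above; MA = HMAC-MD5(secret, packet with MA zeroed)."""
    request_auth = request_auth or os.urandom(16)
    attrs = (avp(SERVICE_TYPE, struct.pack("!I", 6))              # Shell-User(6)
             + avp(MESSAGE_AUTHENTICATOR, bytes(16))              # zeroed while hashing
             + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", STATUS_SERVER, ident, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    ma_off = 6 + 2  # Service-Type AVP is 6 octets; skip the MA's own 2-octet header
    return header + attrs[:ma_off] + mac + attrs[ma_off + 16:]

def find_message_authenticator(attrs):
    """Walk the AVP list; return (offset of the MA value, value) or (None, None)."""
    off = 0
    while off + 2 <= len(attrs):
        t, l = attrs[off], attrs[off + 1]
        if l < 2:
            break
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            return off + 2, attrs[off + 2:off + 18]
        off += l
    return None, None

def handle_status_server(pkt, secret):
    """Server side per RFC 5997 s4.2: verify the MA, reply Access-Accept, or None to drop silently."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != STATUS_SERVER or length != len(pkt):
        return None
    request_auth, attrs = pkt[4:20], pkt[20:]
    off, got = find_message_authenticator(attrs)
    if off is None:
        return None
    zeroed = attrs[:off] + bytes(16) + attrs[off + 16:]
    want = hmac.new(secret, pkt[:20] + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(want, got):
        return None
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()  # RFC 2865 s3
```

    A packet whose Message-Authenticator does not verify is dropped without a reply, so a wrong shared secret on the NAS shows up as the keepalive timing out, not as a reject.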

  • Q: How can ISE 1.2 be configured to display "IP Address" in the Operations-Authentication view ?

    Hi Forum !
    I have several ISE installations running, and I have come across an Issue, that may or may not be a real issue.
    How can ISE 1.2 and/or the WLC be configured to display "IP Address" in the Operations-Authentication view ?
    I simply can not see any IP address in this field, when the dot1x Authentication is done on a WLC.
    This may be "works as designed" due to the fact that dot1x runs before the IP is assigned, but then again I do get profiler data etc, and hence I would expect the IP to be displayed.
    Please see attachment for clarification of the field in the ISE dashboard.
    FYI
    I do see IP in WIRED dot1x scenarios, but then again I run LowImpact modes, as opposed to CloseMode in the WiFi scenarios
    I have the same on WLC OS 7.0, as well as on 7.5 & 7.6 (i.e. no IP address shown in dashboard)
    Have Fun !
    Regards
    Martin

    I have seen this before but never really bothered to look more into it. It has always showed for wired but not wireless. I did some digging and it appears that the "framed-ip-address" is being sent/honored by the NAS in the "access-accept" packet.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_0101001.html#ID676
    Why it is not showing in ISE's screen is now another question. I would say a bug but I recall this since the 1.0 days and I have done several deployments. Perhaps Cisco can chime in here or if you can open a TAC case and report back your findings :)
    Thank you for rating helpful posts!

  • ISE 1.2 - Guest Services

    Hi All,
    I'm planning to setup Cisco ISE - GNAC services and I want to know how the licenses work for this service. Will ISE count a license for each guest user connected?
    also I have another question regarding WAN latency between personas. What's the MAX?
    Thanks in advance,
    Elyinn.-

    Elyinn,
    Yes, each Guest User counts against the license.  Here is a snippet from the link that was given earlier:
    "License Count
    The Cisco ISE license is counted as follows:
    A Base or Advanced license is consumed based on the feature that is utilized.
    An endpoint with multiple network connections can consume more than one license per MAC address. For example, a laptop connected to wired and also to wireless at the same time. Licenses for VPN connections are based on the IP address.
    Licenses are counted against concurrent, active sessions. An active session is one for which a RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received."
    As you can see, a single device can consume more than 1 license depending on the features you have set on your network.
    As far as Max Latency between WAN Links, that number is 200ms.  Anything longer than that can result in drops or corruption in packets.
    I hope this helps.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton
