ISE vs Packet Fence
Hello,
I'm currently studying a solution for AAA in my company. Since I've got an almost fully Cisco network architecture, I've read a lot about ISE.
But recently I heard about Packet Fence, an open source project which seems to offer the same features.
So I'd like to get some of your advice about this software compared with ISE: is it worth getting? What are the advantages and drawbacks of it?
Since we're on a Cisco forum I'm not expecting you to tell me that Packet Fence is better, but I'd just like to get objective reviews.
Thanks,
Yoshipower.
Hi Ravi,
I am also looking at the same options and I was heading entirely in the ISE direction until I realised that there is not full support for non-WLC WiFi systems. So since I have an AP1141 this seems to mean that I would be as well to go with Packet Fence, as the best I will get from either solution is basic 802.1X authentication?
Footnote number 4 on Table 1 of this document seems to cover most of the limitations:
http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html
"Wireless LAN Controllers (WLCs) do not support downloadable ACLs (dACLs), but support named ACLs. WLCs prior to release 7.0.116.0 do not support CoA and require deployment of an ISE Inline Posture Node to support posture services. Use of Inline Posture Node requires WLC version 7.0.98 or later. Autonomous AP deployments (no WLC) also require deployment of an Inline Posture Node for posture support. Profiling services are currently supported for 802.1X-authenticated WLANs only on the WLC with CoA support. HREAP is not supported. WLCs do not currently support MAC Authentication Bypass (MAB)."
So based on the above the ISE is not able to offer me profiling services or CoA. And I can only get posture support if I have an inline node everywhere that I have an AP?
Thanks
David
Similar Messages
-
No, because you are doing something new and uncharted. But the rules are in (doing from memory) /usr/local/pf/conf (somewhere); there is the iptables template that gets copied to the correct location in /etc/sysconf/iptables.
I can dig around in my test system in the AM to locate the correct file. But that is the location they were in. You would not do this in packet fence directly, there is no facility for that.
Think about what packet fence is acting like... a gated router. Since it is running inline mode it acts like a router with an entrance control. While I have never done this with pf, you might want to check into transparent proxying. This uses firewall rules to redirect internet bound traffic to/through a proxy server. To do this under linux you can craft specific iptables rules to create the redirect. http://www.tldp.org/HOWTO/TransparentProxy-6.html
Understand that pf also manages the firewall rules so you will need to add your rules to the pf configuration files. The main linux iptables are rewritten every time pf starts. So you must put them in the proper place to retain the settings during a restart. While debugging I would update the pf rules directly,...
-
Cisco ISE 1.3 MAB authentication.. switch drop packet
Hello All,
I have a C3560 (C3560-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1) switch
and ISE version 1.3.
MAB authentication is working perfectly at the ISE end, but when looking at the same at the switch end, I see the switch is dropping packets on some ports,
while some ports are working perfectly.
The same switch configuration is working perfectly on another switch without any issue.
Switch configuration for your suggestions:
aaa new-model
aaa authentication fail-message ^C
**** Either ACS or ISE is DOWN / Use ur LOCAL CREDENTIALS / Thank You ****
^C
aaa authentication login CONSOLE local
aaa authentication login ACS group tacacs+ group radius local
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+ group radius
aaa server radius dynamic-author
client 172.16.95.x server-key 7 02050D480809
client 172.16.95.x server-key 7 14141B180F0B
aaa session-id common
clock timezone IST 5 30
system mtu routing 1500
ip routing
no ip domain-lookup
ip domain-name EVS.com
ip device tracking
epm logging
dot1x system-auth-control
interface FastEthernet0/1
switchport access vlan x
switchport mode access
switchport voice vlan x
authentication event fail action next-method
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip tacacs source-interface Vlan10
ip radius source-interface Vlan10 vrf default
logging trap critical
logging origin-id ip
logging 172.16.5.95
logging host 172.16.95.x transport udp port 20514
logging host 172.16.95.x transport udp port 20514
snmp-server group SNMP-Group v3 auth read EVS-view notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F access 15
snmp-server view EVS-view internet included
snmp-server community S1n2M3p4$ RO
snmp-server community cisco RO
snmp-server trap-source Vlan10
snmp-server source-interface informs Vlan10
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps cluster
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 172.16.95.x version 2c cisco
snmp-server host 172.16.95.x version 2c cisco
snmp-server host 172.16.5.x version 3 auth evsnetadmin
tacacs-server host 172.16.5.x key 7 0538571873651D1D4D26421A4F
tacacs-server directed-request
tacacs-server key 7 107D580E573E411F58277F2360
tacacs-server administration
radius-server attribute 6 on-for-login-auth
radius-server attribute 25 access-request include
radius-server host 172.16.95.y auth-port 1812 acct-port 1813 key 7 060506324F41
radius-server host 172.16.95.x auth-port 1812 acct-port 1813 key 7 110A1016141D
radius-server host 172.16.95.y auth-port 1645 acct-port 1646 key 7 110A1016141D
radius-server host 172.16.95.x auth-port 1645 acct-port 1646 key 7 070C285F4D06
radius-server timeout 2
radius-server key 7 060506324F41
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
exec-timeout 5 0
privilege level 15
logging synchronous
login authentication CONSOLE
line vty 0 4
access-class telnet_access in
exec-timeout 0 0
logging synchronous
login authentication ACS
transport input ssh -
24423 ISE has not been able to confirm previous successful machine authentication
Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
first thing to check is whether MAR has been enabled on the identity source. second thing to check is whether your machine is set to send a certificate for authentication. there are other things you can look at but I'd do those two first.
log off and on or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there. -
Cisco ISE doesn`t send packets to AD
Hello!
I've tried to configure authentication through AD. Integration of Cisco ISE with AD is successful and I can retrieve all groups from AD. I've configured dot1X authentication (Policy>Authentication) to use AD first, then Internal Users. I've configured the rule for one group in the authorization policy (Policy>Authorization); I've added this group from AD (Administration> Identity Management> External Identity Sources> Active Directory> Groups).
When the user tries to connect to the LAN and enters credentials from AD, Cisco ISE always uses only the Internal Identity Source and doesn't try to search for the user in AD. I don't see any packets to AD in Operations>Authentication and TCP Dump; Cisco ISE only checks the Internal Identity Source.
Does anybody know how to solve this problem?
Thank you!
The problem was a wrong Authentication configuration.
Now I have the following problem: ISE can't authenticate a wired guest user through Central Web Access.
The Guest Portal sends a message about successful authentication and after that redirects again to the Guest Portal.
I have two rules in Policy>Authorization (attach: Auth).
In Operations>Authentication I see the following (attach: Guest)
In defaultguestportal I have "Both" authentication and a sequence of 3 Identity Stores (Internal Users, Internal Endpoint, AD) -
Logical Profiles in ISE 1.2
I created a logical profiles group that is assigned the Apple-iPad, Apple-iPhone and Apple-iDevice policies. Now ISE will not update the feed policies for the three devices. This is the message that I received from ISE when it does its Feed Policies update. I use the logical profiles group matching for authentication and authorization. Is there any way for me to update these feed policies? Thanks for the help!!
Feed Version 1 policies downloaded.
Total number of feed polices to apply are 3.
Feed policies total 3 skipped.
Feed policies warning message : Apple-Device has been changed by admin.
Apple-Device:Apple-iDevice has been changed by admin.
Apple-Device:Apple-iPad has been changed by admin.
Hello Toua,
Please Verify switch configuration for those network segments where endpoints are not being appropriately profiled to ensure that:
•The required information to profile the endpoint is being sent to Cisco ISE for it to profile.
•Probes are configured on the network Policy Service node entities.
•Verify that packets are received at the Cisco ISE profiler module by running the tcpdump function at Operations > Troubleshoot > Diagnostic Tools > General Tools > Tcpdump.
Note: If you are observing this issue with endpoints on a WAN collected by HTTP, Netflow, and NMAP, ensure that the endpoint IP address has been updated with a RADIUS/DHCP Probe before other attributes are updated using the above probes.
For more information, please visit the following link:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html#wp192504 -
ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe
Hello guys
Just prepping an ISE 1.2 patch 8 setup in our organization. I am going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer and there is no requirement for wireless or guest users at the moment. I've got 2 points I would like to get some guidance on:
Our DC has a dedicated mgmt network and I plan to IP the gig0 interface of the PANs, MNTs and PSNs from this subnet. All device admin, clustering, config replication, etc will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface which will be addressed from another L3 network. Is this a supported configuration in ISE?
I intend to use the DHCP probe as part of device profiling and would ideally like to have just one additional ip helper to add to our switch SVI config. Also, it appears that WLCs can only be configured for 2 DHCP servers for a given network, so that is another consideration for when we bring our WLAN into scope. We however use ACE load balancers within our DC and from what I have read, they do not support DHCP load balancing. Are there any workarounds to using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?
Thanks in advance
Sayre
Hello Sayre-
For Question #1:
Management is restricted to GigabitEthernet 0 and that cannot be changed so you should be good there
You can configure Radius and Profiling to be enabled on other interfaces
Even though you are not using guest services yet, you can dedicate an interface just for that. As a result, you can separate guest traffic completely from your production network
Take a look at this link for more info:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html
For Question #2
If you are using a Cisco WLC and running code 7.4 and newer you don't need to mess with the IP helper configurations.
The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:
–Option 12—HostName of the client
–Option 60—The Vendor Class Identifier
After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which is in turn transmitted to the ISE in the form of an interim accounting message.
Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC
On the other hand, you can also use Anycast for profiling. You can check out some of Cisco Live's sessions for more info on that. Here is one that is from a couple of years (There are more recent ones that are available as well):
http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
I hope this helps!
Thank you for rating helpful posts! -
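The answer above describes the WLC pulling option 12 (host name) and option 60 (vendor class identifier) out of the client's DHCP request before relaying them to ISE. The following is an added example, not code from the thread, the WLC or ISE, showing what that extraction involves: a DHCP option walker that honours pad/end and RFC 2132 option overload, and refuses truncated TLVs. The sample DHCPREQUEST, its MAC, host name and vendor class are constructed values.

```python
"""Extract DHCP option 12 (host name) and option 60 (vendor class
identifier) from a raw BOOTP/DHCP payload, as a DHCP profiling probe does.

Added example: not code from the thread, from the WLC or from ISE.
The DHCPREQUEST below is constructed in memory with made-up values.
"""
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FIXED_LEN = 236                 # op .. file; the magic cookie follows
SNAME_OFFSET, FILE_OFFSET = 44, 108   # sname is 64 bytes, file is 128 bytes
OPT_PAD, OPT_HOSTNAME, OPT_OVERLOAD, OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_END = 0, 12, 52, 53, 60, 255


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value} for a raw DHCP payload (the UDP data).

    Walks the TLVs after the magic cookie, honours pad/end and RFC 2132
    option overload (options continued in sname/file). A TLV claiming more
    bytes than remain raises ValueError instead of over-reading.
    """
    if len(payload) < BOOTP_FIXED_LEN + 4:
        raise ValueError("payload shorter than BOOTP header plus magic cookie")
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")

    options: dict = {}

    def walk(buf: bytes) -> None:
        i = 0
        while i < len(buf):
            code = buf[i]
            if code == OPT_PAD:
                i += 1
                continue
            if code == OPT_END:
                return
            if i + 1 >= len(buf):
                raise ValueError("truncated option header")
            length = buf[i + 1]
            value = buf[i + 2:i + 2 + length]
            if len(value) != length:
                raise ValueError(f"option {code} truncated")
            options.setdefault(code, value)   # first occurrence wins
            i += 2 + length

    walk(payload[BOOTP_FIXED_LEN + 4:])
    overload = options.get(OPT_OVERLOAD, b"\x00")[0]
    if overload & 1:                           # 'file' field carries options
        walk(payload[FILE_OFFSET:BOOTP_FIXED_LEN])
    if overload & 2:                           # 'sname' field carries options
        walk(payload[SNAME_OFFSET:FILE_OFFSET])
    return options


def profiling_attributes(payload: bytes) -> dict:
    """The two fields the answer above says the WLC forwards to ISE."""
    opts = parse_dhcp_options(payload)
    attrs = {}
    if OPT_HOSTNAME in opts:
        attrs["dhcp-host-name"] = opts[OPT_HOSTNAME].rstrip(b"\x00").decode("ascii", "replace")
    if OPT_VENDOR_CLASS in opts:
        attrs["dhcp-class-identifier"] = opts[OPT_VENDOR_CLASS].decode("ascii", "replace")
    return attrs


def build_dhcp_request(mac: bytes, hostname: str, vendor_class: str,
                       hostname_in_sname: bool = False) -> bytes:
    """Constructed DHCPREQUEST for testing; optionally overloads 'sname'."""
    host_tlv = bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()
    sname = b""
    opts = bytes([OPT_MSG_TYPE, 1, 3])                 # message type 3 = DHCPREQUEST
    if hostname_in_sname:
        sname = host_tlv + bytes([OPT_END])
        opts += bytes([OPT_OVERLOAD, 1, 2])            # overload value 2 = sname holds options
    else:
        opts += host_tlv
    opts += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class.encode()
    opts += bytes([OPT_END])
    # BOOTREQUEST, Ethernet, hlen 6, hops 0, xid, secs, broadcast flag, 4 addresses,
    # chaddr/sname/file are zero-padded by struct to 16/64/128 bytes
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac, sname, b"")
    return header + DHCP_MAGIC_COOKIE + opts


# Constructed sample: a made-up Windows client
SAMPLE_REQUEST = build_dhcp_request(bytes.fromhex("a44c11caeadf"), "EVS-LAPTOP-01", "MSFT 5.0")

if __name__ == "__main__":
    print(profiling_attributes(SAMPLE_REQUEST))
```

The overload path matters in practice: some embedded clients push the host name into the sname field, and a probe that only walks the main option area never sees it.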
Hi,
I have HP ProCurve switches that need to get authenticated with EAP-MD5 but I can't get it to work in ISE 1.2 with patch 2.
We have tried all combination for EAP-MD5 in allowed protocols but get the same message when trying to authenticate.
The ISE deployment does not run in FIPS 140-2 mode.
And when using the switch with NPS we get this to work, so switch configuration is ok.
Failure Reason: 12003 Failed to negotiate EAP because EAP-MD5 not allowed in the Allowed Protocols
Resolution: Ensure that the EAP-MD5 protocol is allowed by ISE in Allowed Protocols.
Root cause :The client's supplicant sent an EAP-Response/NAK packet rejecting the previously-proposed EAP-based protocol, and requesting to use EAP-MD5 instead. However, EAP-MD5 is not allowed in Allowed Protocols.
Any thoughts on this?
Cheers
Choose Policy > Policy Elements > Results >Authentication > Allowed Protocols
Select EAP-MD5—Check the Allow EAP-MD5 check box and check Detect EAP-MD5 as Host Lookup check box.
Save the Allowed Protocol service.
~BR
Jatin Katyal
**Do rate helpful posts** -
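The question and answer above are about allowing EAP-MD5 for a switch acting as supplicant. As an added example, not code from the thread, from ISE or from HP, the block below builds the EAP-MD5 Request/Response pair, verifies it the way the server does, and then shows the caveat a practitioner should weigh before enabling it: a passive capture of one exchange is enough to test passwords offline, and nothing in the exchange authenticates the server. Challenge, names, secret and wordlist are constructed values.

```python
"""EAP-MD5 challenge/response (RFC 3748 section 5.4, RFC 1994).

Added example: not code from the thread, from ISE or from HP.
Identifier, challenge, names, secret and wordlist are made-up values.
"""
import hashlib
import hmac
from typing import Optional

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Value field of an EAP-MD5 Response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def _eap_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    # Code, Identifier, Length, then Type=4, Value-Size, Value, Name
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return bytes([code, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def build_md5_request(identifier: int, challenge: bytes, server_name: bytes = b"") -> bytes:
    return _eap_packet(EAP_REQUEST, identifier, challenge, server_name)


def build_md5_response(identifier: int, secret: bytes, challenge: bytes, peer_name: bytes) -> bytes:
    return _eap_packet(EAP_RESPONSE, identifier, md5_challenge_response(identifier, secret, challenge), peer_name)


def parse_md5_packet(pkt: bytes):
    """Return (code, identifier, value, name); length-checked so a short packet cannot over-read."""
    if len(pkt) < 6:
        raise ValueError("EAP-MD5 packet too short")
    code, identifier = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt) or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("bad EAP length or not EAP-MD5")
    value_size = pkt[5]
    value = pkt[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("EAP-MD5 value truncated")
    return code, identifier, value, pkt[6 + value_size:]


def server_verify(request: bytes, response: bytes, lookup_secret) -> bool:
    """Server side: recompute the digest with the secret held for the peer's
    Name and compare in constant time. Identifier mismatch rejects replays."""
    rcode, rid, challenge, _ = parse_md5_packet(request)
    pcode, pid, value, name = parse_md5_packet(response)
    if rcode != EAP_REQUEST or pcode != EAP_RESPONSE or rid != pid:
        return False
    secret = lookup_secret(name)
    if secret is None:
        return False
    return hmac.compare_digest(md5_challenge_response(pid, secret, challenge), value)


def offline_dictionary_attack(request: bytes, response: bytes, wordlist) -> Optional[bytes]:
    """Why EAP-MD5 belongs only on a trusted wire: whoever captures one
    Request/Response pair can test candidate passwords offline."""
    _, rid, challenge, _ = parse_md5_packet(request)
    _, _, value, _ = parse_md5_packet(response)
    for candidate in wordlist:
        if md5_challenge_response(rid, candidate, challenge) == value:
            return candidate
    return None


# Constructed exchange: made-up challenge, names and secret
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
REQUEST = build_md5_request(7, CHALLENGE, b"ise-psn-1")
RESPONSE = build_md5_response(7, b"procurve-secret", CHALLENGE, b"procurve-sw01")
SECRETS = {b"procurve-sw01": b"procurve-secret"}

if __name__ == "__main__":
    print("server accepts:", server_verify(REQUEST, RESPONSE, SECRETS.get))
    print("recovered offline:", offline_dictionary_attack(REQUEST, RESPONSE, [b"cisco", b"procurve-secret"]))
```

EAP-MD5 also derives no keying material, which is why it is only usable on wired ports and why a strong, device-specific secret is the one defence that remains once it is allowed.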
ISE 1.2, Supplicant configured for 802.1x but need to MAB
I posted this yesterday but deleted the thread thinking I had fixed the issue - alas I was wrong. In summary I have a scenario where I am doing wired 802.1x and also wired MAB/CWA. The issue is that a certain number of external/BYOD hosts have supplicants configured for 802.1x at their "home" organisations which for obvious reasons can't authenticate on this network. The idea is that MAB and CWA become a fallback but these hosts in question don't efficiently fail to MAB.
If the host has validate server certificates enabled (and doesn't have our root selected) then 802.1x fails and goes to MAB as per the tx timers etc. Hosts that don't validate certificates essentially fail authentication, abandon the EAP session and start new... this process seems to continue for a very long time.
Does anyone have any similar experiences and if so can you provide some info? I am looking into tweaking 802.1x port timers to make this fail quicker/better but am not confident this will fix the issue.
Thanks in advance
Maybe the held-period and quiet-period parameters would help. I would not change the TX period to anything shorter than 10 seconds. Every Cisco doc that I have ever seen has said this same recommendation and I can tell you from experience you will have devices at times that will authenticate via MAB when you don't want them to if you decrease lower than 10 seconds.
Read this doc for best practices including the timers listed below.
I hope this link works. http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-3698.pdf
If not go to www.ciscolive365.com (sign up if you haven't already) and search for
"BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours"
Change the dot1x hold, quiet, and ratelimit-period to 300.
held-period seconds
Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60.
quiet-period seconds
Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state)
following a failed authentication exchange before trying to reauthenticate the client. For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535. The default is 120.
ratelimit-period seconds
Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated For the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled. -
Hi forum,
We have an ISE deployment that we are lab testing.
This is running v1.2.0.899 with Patch 2 installed.
We have an authC policy configured for domain-joined computers for 802.1x and domain credentials:
Condition: Wired_802.1X
Allow Protocols: PEAP_CHAPv2
Use: AD
This works, and authenticates both the machine (pre-login) and user (post-login).
However, I am seeing some errors in the Auth logs before the 5200 Authentication succeeded message.
These messages are not shown in the Cisco ISE Log Messages spreadsheet!
5441 Endpoint started new EAP session while the packet of previous EAP session is being processed. Dropping new session.
5405 RADIUS Request dropped
5440 Endpoint abandoned EAP session and started new
Has anybody else experienced this or can explain why I am seeing this behaviour?
All helpful responses rated!
Thanks Ash.
This is an external defect but a duplicate of
CSCui21439 message texts do not reflect 1.2 added/modified value
I'm going to paste the description/content here from the defect.
Environment:
Build: 1.2.0.891
install from iso and configured from scratch.
Deployment:
Node1: pri(A), Pri(M),PDP
Node2: Sec(A)
Node3: Sec(M)
Node4: PDP
Node5: PDP
Node4 and Node5 were placed in node group.
Procedure:
1. configured multiple nics on node4 and node5 with ip address and host alias.
2. Configured policy sets to serve requests coming for eth0 and eth1.
3. tried round-trips ( BYOD flows ) with both eth0 and eth1.
Observation:
1. Under live authentications page, admin could see events which are having below failure reasons without event details ( i.e. event column is blank )
"5441 Endpoint started new EAP session while the packet of previous EAP session is being processed. Dropping new session."
"5440 Endpoint abandoned EAP session and started new"
2. But under Operations -- > Reports -- > Auth service status --- > Radius errors report, event details are getting appeared
so the problem is that in reports the admin can see event details for the above failure reasons but not in the live authentications page.
so, there is no functional impact as admin could see event details from reports section.
~BR
Jatin Katyal
**Do rate helpful posts** -
Hi all,
I upgraded from ISE 1.2 patch 6 to 1.2 patch 12 to fix an ISE portal bug over the weekend.
None of my Guest Wireless users are complaining, authentication is working fine. But the below error is appearing for every Guest user session under ISE/Operations/Live Authentications.
"5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session"
Is anyone aware of a bug possibly and I guess you need to upgrade to 1.3.x
I would've thought Cisco would bring out a fix for this in 1.2.x....maybe patch 13 (new bug?)
Any info out there about 5441 before I log a TAC?????
Thanks.
Any updates? I am not so sure it is cosmetic. I have clients failing to make it through the flow. I am seeing the following on these clients' requests:
It would appear that because the accounting data doesn't get back to it, there is confusion that the session doesn't exist and the auth fails.
Event
5400 Authentication failed
Failure Reason
12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
Resolution
Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
Root cause
Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late. -
Ask the Expert: Integrating Cisco Identity Service Engine (ISE) 1.2 for BYOD
With Eric Yu and Todd Pula
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about integrating Cisco ISE 1.2 for BYOD with experts Eric Yu and Todd Pula.
Cisco Bring Your Own Device (BYOD) is an end-to-end architecture that orchestrates the integration of Cisco's mobile and security architectures to various third-party components. The session takes a deep dive into the available tools and methodologies for troubleshooting the Cisco BYOD solution to identify root causes for problems that stem from mobile device manager integration, Microsoft Active Directory and certificate authority services, and Cisco Enterprise Mobility integration to the Cisco Identity Services Engine (ISE).
Todd and Eric recently delivered a technical workshop that helps network designers and network engineers understand integration of the various Cisco BYOD components by taking a deep dive to analyze best practice configurations and time-saving troubleshooting methodologies. The content consisted of common troubleshooting scenarios in which TAC engineers help customers address operational challenges as seen in real Cisco BYOD deployments.
Eric Yu is a technical leader at Cisco responsible for supporting our leading-edge borderless network solutions. He has 10 years of experience in the telecommunications industry designing data and voice networks. Previous to his current role, he worked as a network consulting engineer for Cisco Advance Services, responsible for designing and implementing Cisco Unified Communications for Fortune 500 enterprises. Before joining Cisco, he worked at Verizon Business as an integration engineer responsible for developing a managed services solution for Cisco Unified Communications. Eric holds CCIE certification in routing and switching no. 14590 and has two patents pending related to Cisco's medianet.
Todd Pula is a member of the TAC Security and NMS Technical Leadership team supporting the ISE and intrusion prevention system (IPS) product lines. Todd has 15 years of experience in the networking and information security industries, with 6 years of experience working in Cisco's TAC organization. Previous to his current role, Todd was a TAC team lead providing focused technical support on Cisco's wide array of VPN products. Before joining Cisco, he worked at Stanley Black & Decker as a network engineer responsible for the design, configuration, and support of an expansive global network infrastructure. Todd holds his CCIE in routing and switching no. 19383 and an MS degree in IT from Capella University.
Remember to use the rating system to let Eric and Todd know if you have received an adequate response.
Because of the volume expected during this event, Eric and Todd might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity AAA, Identity and NAC, shortly after the event. This event lasts through November 15, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
Hi Antonio,
Many great questions to start this series. For the situation that you are observing with your FlexConnect configuration, is the problem 100% reproducible or is it intermittent? Does the problem happen for one WLAN but not another? As it stands today, the CoA-Ack needs to be initiated by the management interface. This limitation is documented in bug CSCuj42870. I have provided a link for your reference below. If the problem happens 100% of the time, the two configuration areas that I would check first include:
On the WLC, navigate to Security > RADIUS > Authentication. Click on the server index number for the associated ISE node. On the edit screen, verify that the Support for RFC 3576 option is enabled.
On the WLC, navigate to the WLANs tab and click on the WLAN ID for the WLAN in question. On the edit screen, navigate to Security > AAA and make sure the Radius Server Overwrite interface is unchecked. When this option is checked, the WLC will attempt to send client authentication requests and the CoA-Ack/Nak via the dynamic interface assigned to the WLAN vs. the management interface. Because of the below referenced bug, all RADIUS packets except the CoA-Ack/Nak will actually be transmitted via the dynamic interface. As a general rule of thumb, if using the Radius NAC option on a WLAN, you should not configure the Radius Server Overwrite interface feature.
Bug Info: https://tools.cisco.com/bugsearch/bug/CSCuj42870
For your second question, you raise a very valid point which I am going to turn into a documentation enhancement request. We don't currently have a document that lists the possible supplicant provisioning wizard errors that may be encountered. Please feel free to post specific errors that you have questions about in this chat and we will try to get you answers. For most Android devices, the wizard log file can be found at /sdcards/downloads/spw.log.
As for product roadmap questions, we won't be able to discuss this here due to NDA. Both are popular asks from the field so it will be interesting to see what the product marketing team comes up with for the next iteration of ISE.
Related Info:
Wireless BYOD for FlexConnect Deployment Guide -
ISE v1.1 NAD 6500 failed to decrypt Key......
Hello everyone ,
I've implemented 2 Cisco ISE v1.1 in HA to run MAB and 802.1X Authentication / Authorization. Using the local ISE DB and Active Directory as an External Identity Source for wireless and wired users and devices. This was working fine 2 weeks ago after finishing installation.
My NAD devices are a Core SW 6500 for wired users (there are no access SW, just the Core for the whole network, its a small office) and a WLC 2405 for Wireless Users.
Here is the network topology:
DNSs are fully resolvable forward and reverse zone and ISEs, AD, WLC and SW Core are synched with the same NTP server.
As I mentioned, Authentication and Authorization were working fine. Two weekends ago there was an electrical outage in the office. When the ISE servers came up, the trust relationship between AD and the ISEs was broken and so was HA replication. I did some troubleshooting to delete and install new certificates from AD into both ISEs and build the HA configuration again. I finally got the ISEs working fine again.
This last weekend, another electrical outage occurred in the office (the client is working with a temporary plant and has already been warned about electrical damage not covered by warranty) and the ISE servers came up in the same condition again, no trust relationship with AD (Domain Controller). So I fixed this again by deleting and installing new certificates into ISE. The problem is that for some reason the NAD 6500 is not authenticating to the ISE. I'm receiving the following debug messages in the SW:
Sep 12 17:41:00.222: RADIUS(00000000): Request timed out
Sep 12 17:41:00.222: RADIUS: Retransmit to (172.16.3.5:1812,1813) for id 1645/165
Sep 12 17:41:00.222: RADIUS(00000000): Started 5 sec timeout
Sep 12 17:41:00.226: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
Sep 12 17:41:00.226: RADIUS: authenticator 00 D5 B6 0B C9 49 83 81 - 87 17 23 82 2B 6A CB C7
Sep 12 17:41:00.226: RADIUS: response-authenticator decrypt fail, pak len 20
Sep 12 17:41:00.226: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:00.226: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
Sep 12 17:41:00.226: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:00.226: RADIUS: request authen: 41EAE3A7DAEE6332CE646436F949C5A1
Sep 12 17:41:00.226: RADIUS: Response (165) failed decrypt
Sep 12 17:41:05.110: RADIUS(00000000): Request timed out
Sep 12 17:41:05.110: RADIUS: Retransmit to (172.16.3.5:1812,1813) for id 1645/165
Sep 12 17:41:05.110: RADIUS(00000000): Started 5 sec timeout
Sep 12 17:41:05.114: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
Sep 12 17:41:05.114: RADIUS: authenticator 00 D5 B6 0B C9 49 83 81 - 87 17 23 82 2B 6A CB C7
Sep 12 17:41:05.114: RADIUS: response-authenticator decrypt fail, pak len 20
Sep 12 17:41:05.114: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:05.114: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
Sep 12 17:41:05.114: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:05.114: RADIUS: request authen: 41EAE3A7DAEE6332CE646436F949C5A1
Sep 12 17:41:05.114: RADIUS: Response (165) failed decrypt
Sep 12 17:41:10.438: RADIUS(00000000): Request timed out
Sep 12 17:41:10.438: RADIUS: No response from (172.16.3.5:1812,1813) for id 1645/165
Sep 12 17:41:10.438: RADIUS/DECODE: parse response no app start; FAIL
Sep 12 17:41:10.438: RADIUS/DECODE: parse response; FAIL
Sep 12 17:41:13.682: %MAB-5-FAIL: Authentication failed for client (a44c.11ca.eadf) on Interface Gi1/29
Sep 12 17:41:13.682: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (a44c.11ca.eadf) on Interface Gi1/29
Sep 12 17:41:13.682: %AUTHMGR-5-FAIL: Authorization failed for client (a44c.11ca.eadf) on Interface Gi1/29
Sep 12 17:41:00.222: RADIUS(00000000): Request timed out
I have deleted and created again the 6500 NAD in the ISE, and configured again the Radius-Key in the 6500 making sure they are exactly the same. But I keep receiving the same errors.
I have already reviewed the following links:
http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37err.html
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_logging.html#wp1061989
http://puck.nether.net/pipermail/cisco-nas/2004-May/000686.html
And the troubleshooting section from the Cisco Identity Services Engine User Guide, Release 1.0.4
Everything points to the Radius Key between ISE and the 6500 SW being wrong, but I've configured it again twice and typed it letter by letter slowly to avoid any typos.
ISE version: 1.1.0.665
ADE OS: 2
Active Directory: Windows 2008 R2 Standard
6500 SW Config:
Building configuration...
Current configuration : 65413 bytes
! Last configuration change at 12:22:42 MXVeran Tue Jul 31 2012 by ho1a
! NVRAM config last updated at 22:21:11 MXVeran Mon Jul 30 2012 by ho1a
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
service counters max age 5
boot-start-marker
boot system flash bootdisk:
boot-end-marker
logging buffered 64000
enable secret 5 $1$QoxK$w6sZJ66pXDMLS1lGPp3KR.
username ho1a privilege 15 secret 5 $1$DYMo$O8BQi2u.emzdCFfNMxCTd.
username test-radius password 7 14141B180F0B7B7977
aaa new-model
aaa authentication login Tr3s41ia.2012 local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
client 172.16.3.5 server-key 7 110A1016141D5A5E57
aaa session-id common
platform ip cef load-sharing ip-only
platform rate-limit layer2 port-security pkt 300 burst 10
clock timezone MXInv -6
clock summer-time MXVerano recurring
authentication critical recovery delay 1000
interface GigabitEthernet8/1
switchport
switchport access vlan 2
switchport mode access
ip access-group ACL_ISE_Default in
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
spanning-tree portfast edge
ip default-gateway 172.16.3.2
ip forward-protocol nd
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.3.2
ip radius source-interface Vlan3 vrf default
logging origin-id ip
logging source-interface Vlan3
logging host 172.16.3.5 transport udp port 20514
snmp-server group Tr3s41ia.2012aes v3 priv
snmp-server group Tr3s41ia.2012md5 v3 auth
snmp-server community public RO
snmp-server community tresaliarw RW
snmp-server community tresaliaro RO
snmp-server trap-source Vlan3
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps memory bufferpeak
no snmp-server enable traps entity-sensor threshold
snmp-server enable traps cpu threshold
snmp-server enable traps vtp
snmp-server enable traps flash insertion removal
snmp-server enable traps mac-notification move change
snmp-server enable traps errdisable
snmp-server host 172.16.3.4 version 3 priv Tr3s41ia.2012aes
snmp-server host 172.16.3.4 version 3 auth Tr3s41ia.2012md5
snmp-server host 172.16.3.5 version 2c tresaliaro
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host 172.16.3.5 auth-port 1812 acct-port 1813 test username test-radius key 7 104D000A061843595F
radius-server vsa send accounting
radius-server vsa send authentication
control-plane
service-policy input policy-default-autocopp
line con 0
logging synchronous
login authentication Tr3s41ia.2012
line aux 0
line vty 0 4
login authentication defaulTr3s41ia.2012
transport input ssh
line vty 5 1509
login authentication defaulTr3s41ia.2012
transport input ssh
ntp clock-period 17179836
ntp peer 172.16.4.9
no event manager policy Mandatory.go_switchbus.tcl type system
end
Additionally, I'm getting the following screen when accessing the stand-by server via https:
I'm thinking that there might be some problems with the CA certificates installed on the ISEs, or some corrupted data due to the 2 sudden restarts.
Any help, hint or direction will be really appreciated.
Thanks in advance for your time. Best regards.
Hello Tarik, thanks for your response,
I'll go ahead and remove and configure again the complete RADIUS configuration on the SW and let you know what happens; if this doesn't work I'm thinking that re-installing the ISE server might be the solution. It was working fine after the fresh install.
I use the command "test aaa group radius username password new-code" to test SW communication to ISE and here is the debug output from the SW:
Sep 12 20:42:59.713: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Sep 12 20:42:59.713: RADIUS(00000000): Config NAS IP: 172.16.3.1
Sep 12 20:42:59.713: RADIUS(00000000): sending
Sep 12 20:42:59.713: RADIUS(00000000): Send Access-Request to 172.16.3.5:1812 id 1645/93, len 56
Sep 12 20:42:59.713: RADIUS: authenticator 24 52 30 41 B7 06 74 CE - C7 4B 7B FF 87 88 F7 23
Sep 12 20:42:59.713: RADIUS: User-Password [2] 18 *
Sep 12 20:42:59.713: RADIUS: User-Name [1] 6 test
Sep 12 20:42:59.713: RADIUS: Service-Type [6] 6 Login [1]
Sep 12 20:42:59.713: RADIUS: NAS-IP-Address [4] 6 172.16.3.1
Sep 12 20:42:59.713: RADIUS(00000000): Started 5 sec timeout
Sep 12 20:43:14.485: RADIUS(00000000): Started 5 sec timeout
Sep 12 20:43:14.489: RADIUS: Received from id 1645/93 172.16.3.5:1812, Access-Reject, len 20
Sep 12 20:43:14.489: RADIUS: authenticator B2 89 18 4B F5 D8 D6 67 - 85 4D 1E C3 DE C9 06 85
Sep 12 20:43:14.489: RADIUS: response-authenticator decrypt fail, pak len 20
Sep 12 20:43:14.489: RADIUS: packet dump: 035D0014B289184BF5D8D667854D1EC3DEC90685
Sep 12 20:43:14.489: RADIUS: expected digest: EDB6C64ADA12BCD81CD21C3EF28CDB27
Sep 12 20:43:14.489: RADIUS: response authen: B289184BF5D8D667854D1EC3DEC90685
Sep 12 20:43:14.489: RADIUS: request authen: 24523041B70674CEC74B7BFF8788F723
Sep 12 20:43:14.489: RADIUS: Response (93) failed decrypt
User rejected
And here are the results from the Operations/Authentications tab in ISE:
There are no other SWs in the network, just the Core. I cannot test wireless authentication since the access point switchport is also controlled by ISE and is not authenticated right now. I can authenticate the Active Directory users using the NTRadPing tool as a test and it's successful. AD and the 6500 SW are using the same RADIUS key to communicate with ISE. Here is the AD user authentication:
So I'll proceed to re-configure the SW for the RADIUS server and let you know if this is the solution.
Thanks in advance for your time and comments.
-
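To show what the "response-authenticator decrypt fail" / "expected digest" lines in the debug above actually mean, here is an added Python example (not from the original post, IOS or ISE) that recomputes the RFC 2865 Response Authenticator over the Access-Reject dump quoted in the debug. The real shared secret is not on the page, so the page's packet fails with a placeholder secret exactly as the switch reported; a constructed reply shows the check passing with a matching secret and failing with a one-character difference.

```python
import hashlib
import hmac
import struct

# Values copied from the switch debug on this page (the "test aaa group radius" run):
# the raw Access-Reject and the Request Authenticator the switch had sent.
PAGE_PACKET_DUMP = bytes.fromhex("035D0014B289184BF5D8D667854D1EC3DEC90685")
PAGE_REQUEST_AUTH = bytes.fromhex("24523041B70674CEC74B7BFF8788F723")
PAGE_RESPONSE_AUTH = bytes.fromhex("B289184BF5D8D667854D1EC3DEC90685")

def parse_header(packet):
    """Split a RADIUS packet into (code, identifier, length, authenticator, attributes)."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field %d != %d bytes on the wire" % (length, len(packet)))
    return code, ident, length, packet[4:20], packet[20:length]

def expected_response_authenticator(packet, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is the value IOS prints as 'expected digest'."""
    code, ident, length, _, attrs = parse_header(packet)
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def response_authenticator_ok(packet, request_auth, secret):
    """True only when the reply was built with the same shared secret the NAS holds.
    A mismatch is what IOS reports as 'response-authenticator decrypt fail'."""
    _, _, _, received, _ = parse_header(packet)
    return hmac.compare_digest(received, expected_response_authenticator(packet, request_auth, secret))

def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Build a reply the way the server does (used here to show a matching secret succeeding)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

if __name__ == "__main__":
    code, ident, length, auth, _ = parse_header(PAGE_PACKET_DUMP)
    print("page packet: code=%d (3 = Access-Reject) id=%d len=%d" % (code, ident, length))
    # The real secret is not on the page, so the page's reply fails just as the switch logged.
    print("page packet, placeholder secret:",
          response_authenticator_ok(PAGE_PACKET_DUMP, PAGE_REQUEST_AUTH, b"placeholder-secret"))
    # Constructed pair: the same secret on both sides passes, a trailing space makes it fail.
    good = build_reply(3, 93, PAGE_REQUEST_AUTH, b"constructed-secret")
    print("constructed reply, matching secret:",
          response_authenticator_ok(good, PAGE_REQUEST_AUTH, b"constructed-secret"))
    print("constructed reply, secret with typo:",
          response_authenticator_ok(good, PAGE_REQUEST_AUTH, b"constructed-secret "))
```

A decrypt fail on a reply whose code, id and length parse cleanly (here 3/93/20, matching the "Received from id 1645/93 ... Access-Reject, len 20" line) points at the secret rather than at a malformed packet.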
ISE v1.2 - Status-Server - 5405 RADIUS Request dropped
Just a note:
Some devices send regular RADIUS status messages;
The ISE drops these as
Event: 5405 RADIUS Request dropped
Failure Reason: 11031 RADIUS packet type is not a valid Request
Root cause: RADIUS packet type is not a valid Request.
Wireshark shows:-
Code: Status-Server (12)
Attribute Value Pairs:
AVP: l=6 t=Service-Type(6): Shell-User(6)
AVP: l=18 t=Message-Authenticator(80): df48bb4b50f0a772bd7c891ef6548c68
AVP: l=6 t=NAS-IP-Address(4): 10.1.1.1
I believe that ISE should accept and respond to these messages per RFC 5997 (updates 2866):
"A RADIUS server or proxy implementing this specification SHOULD respond to a Status-Server packet with an Access-Accept (authentication port) or Accounting-Response (accounting port). An Access-Challenge response is NOT RECOMMENDED. An Access-Reject response MAY be used."
Neno
Nothing to do with that,
The devices will use RADIUS to authenticate fine; databass, credentials, etc fine.
However they send keepalives to validate the RADIUS server is still there. ISE doesn't implement this and ISE logs get full of rejections. The end devices are unable to prioritise which ISE to use based on up/down. But still work.
This was just a note to everyone so they are aware of the issue.
-
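To make the RFC 5997 exchange concrete, here is an added Python example (not from the original post, ISE or any vendor) that builds the Status-Server probe shown in the Wireshark capture above with its three AVPs, performs the Message-Authenticator check a server does on it, and returns the Access-Accept the RFC says a server should send on the authentication port. The shared secret, identifier and Request Authenticator are constructed.

```python
import hashlib
import hmac
import os
import struct

STATUS_SERVER, ACCESS_ACCEPT = 12, 2
SERVICE_TYPE, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 6, 4, 80

def avp(attr_type, value):
    """Encode one attribute as type, length (value + 2 header bytes), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def parse_avps(packet):
    """Return (type, value, value_offset) for each attribute after the 20-byte header."""
    out, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((packet[i], packet[i + 2:i + packet[i + 1]], i + 2))
        i += packet[i + 1]
    return out

def build_status_server(ident, secret, nas_ip="10.1.1.1", request_auth=None):
    """Status-Server probe with the capture's AVPs; RFC 5997 requires Message-Authenticator (HMAC-MD5)."""
    request_auth = request_auth or os.urandom(16)
    attrs = (avp(SERVICE_TYPE, struct.pack("!I", 6))                 # value 6, as in the capture
             + avp(MESSAGE_AUTHENTICATOR, bytes(16))                # zeroed while the HMAC is computed
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    packet = struct.pack("!BBH", STATUS_SERVER, ident, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:28] + mac + packet[44:]                          # MA value occupies bytes 28..43

def message_authenticator_ok(packet, secret):
    """Server-side check: zero the MA value, recompute HMAC-MD5 with the shared secret, compare."""
    found = [(v, off) for t, v, off in parse_avps(packet) if t == MESSAGE_AUTHENTICATOR and len(v) == 16]
    if not found:
        return False            # RFC 5997: a Status-Server without Message-Authenticator is discarded
    value, off = found[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    return hmac.compare_digest(value, hmac.new(secret, zeroed, hashlib.md5).digest())

def status_server_reply(packet, secret):
    """What RFC 5997 says a server SHOULD do on the auth port: answer a valid probe with an
    Access-Accept, its Response Authenticator computed as for any reply. None means 'drop'."""
    if packet[0] != STATUS_SERVER or not message_authenticator_ok(packet, secret):
        return None
    header = struct.pack("!BBH", ACCESS_ACCEPT, packet[1], 20)
    return header + hashlib.md5(header + packet[4:20] + secret).digest()
```

The encoded probe is 50 bytes (20-byte header plus AVPs of length 6, 18 and 6, matching the l= values in the capture); a server that instead logs "RADIUS packet type is not a valid Request" is returning None for every such probe.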
Hi Forum !
I have several ISE installations running, and I have come across an Issue, that may or may not be a real issue.
How can ISE 1.2 and/or the WLC be configured to display "IP Address" in the Operations-Authentication view ?
I simply can not see any IP address in this field, when the dot1x Authentication is done on a WLC.
This may be "works as designed" due to the fact that dot1x runs before the IP is assigned, but then again I do get profiler data etc., and hence I would expect the IP to be displayed.
Please see attachment for clarification of the field in the ISE dashboard.
FYI
I do see IP in WIRED dot1x scenarios, but then again I run LowImpact modes, as opposed to CloseMode in the WiFi scenarios.
I have the same on WLC OS 7.0, as well as on 7.5 & 7.6 (i.e. no IP address shown in dashboard).
Have Fun !
Regards
Martin
I have seen this before but never really bothered to look more into it. It has always shown for wired but not wireless. I did some digging and it appears that the "framed-ip-address" is being sent/honored by the NAS in the "access-accept" packet.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_0101001.html#ID676
Why it is not showing in ISE's screen is now another question. I would say a bug but I recall this since the 1.0 days and I have done several deployments. Perhaps Cisco can chime in here or if you can open a TAC case and report back your findings :)
Thank you for rating helpful posts!
-
ISE 1.2 - Guest Services
Hi All,
I'm planning to setup Cisco ISE - GNAC services and I want to know how the licenses work for this service. Will ISE count a license for each guest user connected?
also I have another question regarding WAN latency between personas. What's the MAX?
Thanks in advance,
Elyinn.
-
Elyinn,
Yes, each Guest User counts against the license. Here is a snippet from the link that was given earlier:
"License Count
The Cisco ISE license is counted as follows:
A Base or Advanced license is consumed based on the feature that is utilized.
An endpoint with multiple network connections can consume more than one license per MAC address. For example, a laptop connected to wired and also to wireless at the same time. Licenses for VPN connections are based on the IP address.
Licenses are counted against concurrent, active sessions. An active session is one for which a RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received."
As you can see, a single device can consume more than 1 license depending on the features you have set on your network.
As far as max latency between WAN links, that number is 200ms. Anything longer than that can result in drops or corruption in packets.
I hope this helps.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton