ISE server receives authentication requests from the VLAN gateway, not from the switch management IP

kuzminsk1 (Level 1)

Hi 

A catalyst 3850 switch has VLAN 20 (10.18.4.32/29) defined on it, which has a gateway of 10.18.4.38:

BWY-01-D01#show ip int brief vlan 20
Interface IP-Address OK? Method Status Protocol
Vlan20 10.18.4.38 YES manual up up

An ISE server (SNS3415) is connected to an access port configured on VLAN 20, with the IP address of 10.18.4.33.

BWY-01-D01 has a management interface of 10.18.4.17.

I have created this switch as a network device in ISE and enabled RADIUS config, then configured the switch with the following commands:

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.18.4.33 auth-port 1812 acct-port 1813 key 7 1521030916792F077C236436125657
radius-server host 10.18.4.35 auth-port 1812 acct-port 1813 key 7 02350C5E19550B02185E580D044653

ip radius source-interface GigabitEthernet1/0/1

The problem:

When I test RADIUS functionality using the following command, it fails. HOWEVER, the client device (switch) IP address that is shown in the error log is the gateway of VLAN 20 (!):

test aaa group radius server 10.18.4.33 auth-port 1812 acct-port 1813 radius-user Capita123! new-code

10.18.4.38 is the gateway IP address of the VLAN that hosts the ISE servers; I don't understand why it's listed in the error logs as the device IP!

Source Timestamp 2016-06-22 16:38:02.826
Received Timestamp 2016-06-22 16:38:02.841
Policy Server GLS-ISE-01
Event 5413 RADIUS Accounting-Request dropped
Failure Reason 11007 Could not locate Network Device or AAA Client
Resolution Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices
Root cause Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
Service Type Framed
NAS IPv4 Address 10.18.4.38


Other Attributes

ConfigVersionId 118
Device Port 1646
DestinationPort 1813
Protocol Radius
Acct-Status-Type Interim-Update
Acct-Delay-Time 15
Acct-Session-Id 00000000
Acct-Authentic RADIUS
AcsSessionID GLS-ISE-01/255868885/32
Device IP Address 10.18.4.38

If I reconfigure the switch in ISE - Network Devices and give it the IP of 10.18.4.38 (the gateway IP), my RADIUS authentication tests suddenly become successful.

Can anyone clarify what is happening here?

I need to be able to define multiple switches by their unique IP addresses.

Thanks for your time

m

Accepted Solution

Francesco Molino (VIP Alumni)

Hi

The only time I saw that issue was because of using a deprecated command: radius-server host.  There was a bug on IOS XR platform as well.

Could you please reconfigure your radius command by using the new command: radius server? And test again?

The Cisco doc for the new command:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html

Thanks 

PS: Please don't forget to rate and mark as correct answer if this solved your issue 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

2 Replies


Just in case anyone else has this problem - it was caused by an incorrect "ip radius source-interface <interface>".

Instead of listing the physical port the ISE server is connected to the switch on (Gi1/0/1), I used the management VLAN of the switch interfaces:

ip radius source-interface vlan 10

which resolved the issue
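As an added example (not part of this thread, and not Cisco ISE or IOS code), the following Python models the ISE-side check behind failure 11007 above and the fix in the last reply: ISE locates the network device by the source IP of the RADIUS datagram, which on IOS is the address of whatever "ip radius source-interface" points at, and the NAS-IP-Address attribute carries that same address. The network device table, shared secret and packet contents are constructed sample values; the only real numbers are the addresses quoted in the thread.

```python
"""Model of how a RADIUS server locates the NAS before it trusts an Accounting-Request.

Constructed example: the device table, secret and packets are sample values.
"""
import hashlib
import hmac
import ipaddress
import socket
import struct
from typing import Dict, List, Optional, Tuple

CODE_ACCOUNTING_REQUEST = 4       # RFC 2866 packet code
ATTR_NAS_IP_ADDRESS = 4           # RFC 2865 attribute types
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS_INTERIM_UPDATE = 3
HEADER_LEN = 20                   # Code, Identifier, Length, 16-byte Authenticator

# Constructed "Network Devices" table: name -> (list of IP/prefix entries, shared secret).
# Only the switch's management address is registered, as in the original setup.
NETWORK_DEVICES: Dict[str, Tuple[List[str], bytes]] = {
    "BWY-01-D01": (["10.18.4.17/32"], b"example-secret"),
}


def build_accounting_request(nas_ip: str, identifier: int, secret: bytes) -> bytes:
    """Build a minimal Accounting-Request the way a NAS would (NAS-IP-Address = source address)."""
    attrs = struct.pack("!BB4s", ATTR_NAS_IP_ADDRESS, 6, socket.inet_aton(nas_ip))
    attrs += struct.pack("!BBI", ATTR_ACCT_STATUS_TYPE, 6, ACCT_STATUS_INTERIM_UPDATE)
    session = b"00000000"
    attrs += struct.pack("!BB", ATTR_ACCT_SESSION_ID, 2 + len(session)) + session
    header = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(attrs))
    # RFC 2866 s.3: Request Authenticator = MD5(Code+ID+Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_packet(packet: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Validate the header and walk the attribute TLVs; first occurrence of each type wins."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match datagram size")
    attrs: Dict[int, bytes] = {}
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    return code, identifier, packet[4:HEADER_LEN], attrs


def locate_network_device(src_ip: str, devices=NETWORK_DEVICES) -> Optional[str]:
    """Longest-prefix match of the datagram's source IP against the device table."""
    ip = ipaddress.ip_address(src_ip)
    best: Optional[Tuple[str, int]] = None
    for name, (nets, _secret) in devices.items():
        for net in nets:
            n = ipaddress.ip_network(net, strict=False)
            if ip in n and (best is None or n.prefixlen > best[1]):
                best = (name, n.prefixlen)
    return best[0] if best else None


def process_accounting_request(packet: bytes, src_ip: str, devices=NETWORK_DEVICES) -> dict:
    """Mirror the server's decision: find the NAS by source IP, then check the authenticator."""
    code, _identifier, authenticator, attrs = parse_packet(packet)
    if code != CODE_ACCOUNTING_REQUEST:
        return {"result": "ignored", "reason": "not an Accounting-Request"}
    nas_attr = attrs.get(ATTR_NAS_IP_ADDRESS)
    nas_ip = socket.inet_ntoa(nas_attr) if nas_attr and len(nas_attr) == 4 else None
    device = locate_network_device(src_ip, devices)
    if device is None:
        # Unknown source address: the packet is dropped before any secret is consulted.
        return {"result": "dropped", "event": 5413, "failure": 11007,
                "device_ip": src_ip, "nas_ip": nas_ip}
    secret = devices[device][1]
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    if not hmac.compare_digest(expected, authenticator):
        return {"result": "dropped", "reason": "bad Request Authenticator", "device": device}
    return {"result": "accepted", "device": device, "device_ip": src_ip, "nas_ip": nas_ip}


if __name__ == "__main__":
    # Source interface = VLAN 20 SVI (10.18.4.38): not in the table, so failure 11007.
    print(process_accounting_request(build_accounting_request("10.18.4.38", 32, b"example-secret"), "10.18.4.38"))
    # Source interface = management address (10.18.4.17): located and accepted.
    print(process_accounting_request(build_accounting_request("10.18.4.17", 33, b"example-secret"), "10.18.4.17"))
```

The lookup runs before the shared secret is ever checked, which is why the thread's log shows the drop with no authenticator error: the server has no secret to check against until it knows which device sent the packet. Registering the gateway address instead "works" only because every switch sourcing RADIUS from that SVI would then share one device entry, which is exactly what the original poster wanted to avoid; pointing the source interface at a per-switch address keeps one entry per switch.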
