I have an issue where a remote company has there internal redius server and I have my ISE radius server.
When there users come to my site, they can authenticate with my wireless and my ISE server proxies the request to there home site to be authenticated and tells me if I should allow them access or not.
So standard radius proxy and it all works well when my ISE server begins the exchange.
However if my staff go to there site the reverse is not working, they are proxying the requests back OK, and I can see on the firewall and router the incomming radius packets destined to my ISE server. But there is no recourd on the ISE server of ever reciving them and it all times out.
Is tehre some thing I need to do to allow ISE to act as the client in a radius proxy set up?
Check the Cisco ISE dashboard (Operations > Authentications) for any indication regarding the nature of RADIUS communication loss. (Look for instances of your specified RADIUS usernames and scan the system messages that are associated with any error message entries.)
Log into the Cisco ISE CLI5 and enter the following command to produce RADIUS attribute output that may aid in debugging connection issues:
test aaa group radius new-code
If this test command is successful, you should see the following attributes:
Connect NAD IP address
Connect Policy Service node IP address
Correct server key
Recognized username or password
Connectivity between the NAD and Policy Service node
You can also use this command to help narrow the focus of the potential problem with RADIUS communication by deliberately specifying incorrect parameter values in the command line and then returning to the administrator dashboard (Operations > Authentications) to view the type and frequency of error message entries that result from the incorrect command line. For example, to test whether or not user credentials may be the source of the problem, enter a username and or password that you know is incorrect, and then go look for error message entries that are pertinent to that username in the Operations > Authentications page to see what Cisco ISE is reporting.)
Note This command does not validate whether or not the NAD is configured to use RADIUS, nor does it verify whether the NAD is configured to use the new AAA model.
The Cisco ISE network enforcement device (switch) is missing the radius-server vsa send accounting command.
Verify that the switch RADIUS configuration for this device is correct and features the appropriate command(s).
For more details please go through the following link:
ISE can acts as a RADIUS proxy server by proxying the requests from a network access device (NAD) to a RADIUS server. The RADIUS server processes the request and returns the result to Cisco ISE. Cisco ISE then sends the response to the NAD
you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...