Cisco Support Community

New Member

ISE Could not locate Network Device or AAA Client

When authenticating using 802.1x and MAB, I receive an authentication failure with the error 11007 (Could not locate Network Device or AAA Client). The root cause that ISE spits back at me is "Could not find the network device or the AAA Client while accessing NAS by IP during authentication." I did pretty much everything by the book except instead of using a loopback interface I used a vlan with a defined ip address. Could this be causing the problem?

 

Here is the config of the port that I'm testing on:

 

interface GigabitEthernet1/0/9
 switchport access vlan 9
 switchport mode access
 switchport voice vlan 8
 ip access-group ACL-ALLOW in
 srr-queue bandwidth share 1 30 35 5
 queue-set 2
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 4
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 10
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end

 

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee


Whatever IP address you entered in ISE when adding this switch must match the IP address of the interface configured under your "ip radius source-interface" command. In your first post you said that you are using an SVI for this, but in your later post I can see that your RADIUS packets are being sourced from "interface TenGigabitEthernet1/0/1". Double-check this and make sure things match.

If you do have a Loopback interface configured, then it is highly recommended that you use it to source such services (RADIUS, TACACS+, SNMP, Syslog, etc.).

 

Thank you for rating helpful posts!

4 REPLIES
New Member


A few troubleshooting questions..

 

Is that vlan accessible/reachable by ISE?

Can you ping it?

Are you allowing ISE to speak snmp and RADIUS to the NAD?

Do the snmp passwords match?

 

New Member


I can ping both the vlan and the endpoint from the ISE.  As far as allowing ISE to speak snmp and RADIUS to the NAD, I have enabled it on the NAD config inside the ISE. I have also double checked the snmp and radius shared passwords.

 

I have gotten MAB authentication to work but I am still getting the same error for dot1x authentication. Here are some of the configs on the switch.

 

aaa new-model
aaa authentication dot1x default group radius
aaa authentication dot1x defualt group radius
aaa authentication dot1x group group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
aaa session-id common

 

ip radius source-interface TenGigabitEthernet1/0/1
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.10.10.47 auth-port 1812 acct-port 1813 test username test key 7 097940581F5412162B464D
radius-server vsa send accounting
radius-server vsa send authentication

 

dot1x system-auth-control
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 dot1x timeout tx-period 10

 

 

 

 

 

 



This happens when there is a mismatch between the device IP and the NAS IP.
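
An added example (not from the thread and not Cisco's code) of the check described in the accepted solution and in the reply above: it reads the "ip radius source-interface" line from a saved running-config, resolves that interface's IP address and compares it with the addresses entered for the switch in ISE. The sample config, its addresses and the list of ISE entries are constructed, and treating an ISE entry as either a single IP or an IP/mask range is an assumption.

```python
import ipaddress
import re

# Constructed sample config (addresses are documentation-range placeholders,
# not values from the thread).
SAMPLE_CONFIG = """\
interface Vlan9
 ip address 192.0.2.1 255.255.255.0
!
interface TenGigabitEthernet1/0/1
 ip address 198.51.100.2 255.255.255.252
!
ip radius source-interface TenGigabitEthernet1/0/1
"""

def interface_ips(config):
    """Map interface name -> primary IPv4 address from an IOS-style config."""
    ips, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None          # left the interface block
        elif current:
            m = re.match(r" ip address (\d+\.\d+\.\d+\.\d+) \S+$", line)
            if m:                   # '$' skips 'secondary' addresses
                ips[current] = ipaddress.ip_address(m.group(1))
    return ips

def radius_source(config):
    """Return (interface, ip) that RADIUS packets are sourced from, or (None, None)."""
    m = re.search(r"^ip radius source-interface (\S+)", config, re.M)
    if not m:
        return None, None           # not pinned: source follows the egress interface
    return m.group(1), interface_ips(config).get(m.group(1))

def check_nad(config, ise_entries):
    """Compare the RADIUS source IP with ISE network device entries (IP or IP/mask)."""
    ifname, ip = radius_source(config)
    if ip is None:
        return f"cannot determine source IP (source-interface: {ifname})"
    for entry in ise_entries:
        if ip in ipaddress.ip_network(entry, strict=False):
            return f"OK: {ip} ({ifname}) is covered by ISE entry {entry}"
    return f"MISMATCH: RADIUS is sourced from {ip} ({ifname}); expect error 11007"

if __name__ == "__main__":
    print(check_nad(SAMPLE_CONFIG, ["192.0.2.1"]))  # ISE holds the SVI address
```

When the config has no "ip radius source-interface" line, the function reports that it cannot determine the source IP, because the address then depends on which interface the packet leaves from.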
