I am using a stange issue in my environment. I use ISE 1.2 fo as radius server for device management/authentication(Not NAC usage). I am having Cisco c6509E VSS as core device. The device was added to ISE and aaa auth was working fine. I changed IP address of switch during my DC migration. Since then AAA fail for thsi device. ISE report and TCPdump shows old IP. My wireshard capture(SPAN port) also showing old IP in packet header irrespective of radius source interface I use in switch. Debug (radius/aaa) output in switch showing the correct interface addres whcih I use in 'ip radius source-interface'.
Unfortunatly I am unable to restart switch as it is core device in a critical place. It looks like a stange IOS issue. Did any one faced this kind of issues? Please advise how to resolve without restart. Don't know why the switch is always using its old IP to frame radius packet.
These have been virified. I tried difference source interfaces and even changed MAC addresses of SVIs. I am sniffing interface of ISE appliance to capture radius packets. I wondering how C6509E switch can frame a IP packet with source address not belonging to it. MAC address belongs to the switch but source IP address not belonging to the switch(Its old IP address).
What version of code are you running? Also when issue a "debug radius authentication" do you see any errors when pulling the new ip address? Also if you are using radius server groups did you change the source interface under the group configuration also?
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :