Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1051
Views
0
Helpful
4
Replies

radius response ise

Go to solution
edondurguti
Level 4
Level 4

‎08-24-2012 08:59 AM - edited ‎03-10-2019 07:27 PM

Any idea why I get this even though clients are authenticated?

radius.png

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎08-24-2012 11:58 AM

Edon,

I usually see this when i am testing, if I start to do dot1x and then i unplug the port, the peap session is still active in the ISE database and then expires after 120 seconds. Usually if users are roaming even with mobility groups set, if they happen to roam from one controller to the other, you could expect this behavior if the client happens to be associating at that time.

Thanks,

Tarik Admani
*Please rate helpful posts*

View solution in original post

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to edondurguti

‎08-24-2012 12:27 PM

Keep in mind that the radius server selection is done at the NAS (WLC and switches), once they mark a radius server dead they will keep forwarding traffic until that radius server goes off line and then they flip back over. That is to be expected.

Tarik Admani
*Please rate helpful posts*

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎08-24-2012 11:58 AM

Edon,

I usually see this when i am testing, if I start to do dot1x and then i unplug the port, the peap session is still active in the ISE database and then expires after 120 seconds. Usually if users are roaming even with mobility groups set, if they happen to roam from one controller to the other, you could expect this behavior if the client happens to be associating at that time.

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful

Go to solution
edondurguti
Level 4
Level 4
In response to Tarik Admani

‎08-24-2012 12:07 PM

Yeah I think it got intense when I rebooted the primary ISE for that CSR issue that I had where it wouldn't generate a signing request, then everybody got policed from secondary ISE and the error popped up.

Interesting though when the primary ise came up, all the new authentication were still pointing to the secondary one all untill i had to reboot the secondary aswell, it's like the PRIMARY ISE didn't kick in when it came online.

Thank you for your help.

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to edondurguti

‎08-24-2012 12:27 PM

Keep in mind that the radius server selection is done at the NAS (WLC and switches), once they mark a radius server dead they will keep forwarding traffic until that radius server goes off line and then they flip back over. That is to be expected.

Tarik Admani
*Please rate helpful posts*

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to Tarik Admani

‎08-24-2012 01:25 PM

Hi,

here is an article that may help you understand the flow of the radius server tracking verify these settings on your wlc.

https://supportforums.cisco.com/message/3716828#3716828

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful
Customers Also Viewed These Support Documents