
Radius authentication with ISE - wrong IP address

__Beth__
Level 1

Hello,

We are using ISE for RADIUS authentication. I have set up a new Cisco switch stack at one of our locations and set up the network device in ISE. Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client". The reason for this failure is that the log shows it's coming from the wrong IP address. The IP address of the switch is 10.xxx.aaa.241, but the logs show it is 10.xxx.aaa.243. I have removed and re-added the RADIUS configs on both ISE and the switch, but it still comes in as .243. There is another switch stack at that location (same model, IOS, etc.) that works properly.

The RADIUS config on the switch:

aaa new-model
!
!
aaa authentication login default local
aaa authentication login Comm group radius local
aaa authentication enable default enable
aaa authorization exec default group radius if-authenticated

ip radius source-interface Vlanyy
radius server 10.xxx.yyy.zzz
 address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
 key 7 abcdefg

The log from ISE:

Overview
Event  5405 RADIUS Request dropped 
Username  
Endpoint Id  
Endpoint Profile  
Authorization Profile  
 

Authentication Details
Source Timestamp  2014-07-30 08:48:51.923 
Received Timestamp  2014-07-30 08:48:51.923 
Policy Server  ise
Event  5405 RADIUS Request dropped 
Failure Reason  11007 Could not locate Network Device or AAA Client 
Resolution  Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices 
Root cause  Could not find the network device or the AAA Client while accessing NAS by IP during authentication. 
Username  
User Type  
Endpoint Id  
Endpoint Profile  
IP Address  
Identity Store  
Identity Group  
Audit Session Id  
Authentication Method  
Authentication Protocol  
Service Type  
Network Device  
Device Type  
Location  
NAS IP Address  10.xxx.aaa.243 
NAS Port Id  tty2 
NAS Port Type  Virtual 
Authorization Profile  
Posture Status  
Security Group  
Response Time  
 

Other Attributes
ConfigVersionId  107 
Device Port  1645 
DestinationPort  1812 
Protocol  Radius 
NAS-Port  2 
AcsSessionID  ise1/186896437/1172639 
Device IP Address  10.xxx.aaa.243 
CiscoAVPair  
 

   Steps
  11001  Received RADIUS Access-Request 
  11017  RADIUS created a new session 
  11007  Could not locate Network Device or AAA Client 
  5405  
 

As a test, I set up a device using the .243 address. While ISE claims it authenticates, it really doesn't. I have to use my local account to access the device.

Any advice on how to resolve this issue would be appreciated.  Please let me know if more information is needed.
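An added example, not part of the original post: a small Python check that parses an ISE detail report in the label/value layout quoted above and tests whether the address ISE recorded matches any registered network device. The sample report, the documentation-range addresses and the `REGISTERED` inventory are constructed, and the script assumes the report's Device IP Address field is the address ISE used for the device lookup.

```python
import ipaddress
import re

# Constructed sample in the layout of the ISE detail report quoted above
# (label, two or more spaces, value). Addresses are documentation-range placeholders.
SAMPLE_REPORT = """\
Event  5405 RADIUS Request dropped
Failure Reason  11007 Could not locate Network Device or AAA Client
NAS IP Address  192.0.2.243
NAS Port Id  tty2
Device Port  1645
DestinationPort  1812
Device IP Address  192.0.2.243
"""

# Hypothetical inventory: name -> address or subnet registered as a network device in ISE.
REGISTERED = {"stack-a": "192.0.2.241/32", "stack-b": "192.0.2.10/32"}

def parse_report(text):
    """Turn 'Label  value' lines into a dict; labels with empty values are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S.*?)\s{2,}(\S.*?)\s*$", line)
        if m:
            fields.setdefault(m.group(1), m.group(2))
    return fields

def match_device(ip, registered):
    """Return names of registered entries whose address or subnet contains ip."""
    addr = ipaddress.ip_address(ip)
    return [name for name, net in registered.items()
            if addr in ipaddress.ip_network(net, strict=False)]

def diagnose(text, registered):
    """Summarise a dropped request: recorded addresses and any inventory match."""
    f = parse_report(text)
    src = f.get("Device IP Address")
    result = {"failure": f.get("Failure Reason", ""), "source_ip": src,
              "nas_ip": f.get("NAS IP Address"), "matches": []}
    if src:
        result["matches"] = match_device(src, registered)
    # 11007 with no match: the recorded address is not a registered device.
    result["unregistered_source"] = (
        result["failure"].startswith("11007") and not result["matches"])
    return result

if __name__ == "__main__":
    print(diagnose(SAMPLE_REPORT, REGISTERED))
```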

 

 
