collapse

Search


User Info

 
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Author Topic: ISE not responding to Radius request  (Read 22066 times)

rthurber

  • Guest
ISE not responding to Radius request
« on: October 01, 2013, 01:24:29 PM »
I'm looking for tips or suggestions on how to troubleshoot this issue.

I'm using ISE (VM version 1.2.0.899) for Radius (via local and AD) to authenticate/authorize users in AnyConnect on a ASA (8.4(6)).

Two times already, the system will work fine, then all of the sudden will stop answering Radius request. When I run a packet capture, I see Radius from the ASA, but ISE is not responding. I'm pretty new to ISE, and what I'm seeing is there is very little direction on how to validate that ISE Radius is working. Obviously I ran a TCPdump.

Here are some of the other things I checked. Can anyone recommend any other troubleshooting steps, particularly for Radius.

Here is an error from mnt-report.log:

2013-09-30 21:51:13,703 INFO   [admin-http-pool24][] mnt.report.ui.services.ReportHelper- Report: adminauth-services-status-radius-errors.xml1380577868774, Parameters from UI:

The Home page has two distinct indicators. One, the ISE status is grey. And the Health Status is unavailable.

NTP was out of sync but I have fixed that issue, to no avail.

And finally, I've simplified the authentication policy to permit local, to rule out AD.


Cisco Identity Services Engine
---------------------------------------------
Version      : 1.2.0.899
Build Date   : Wed Jul 24 07:37:31 2013
Install Date : Thu Sep  5 16:29:28 2013     

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 1
Install Date : Tue Oct 01 18:36:55 2013

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 2
Install Date : Tue Oct 01 18:57:15 2013

ise1/admin# show application status ise

ISE Database listener is running, PID: 3952
ISE Database is running, number of processes: 42
ISE Application Server is running, PID: 6239
ISE Profiler DB is running, PID: 5118
ISE M&T Session Database is running, PID: 4995
ISE M&T Log Collector is running, PID: 6321
ISE M&T Log Processor is running, PID: 6418

« Last Edit: October 01, 2013, 01:26:41 PM by rthurber »

Offline adecisco

  • Cisco Newbie
  • *
  • Posts: 96
  • Reputation: 10
  • Discovering new solution is sweet!
    • http://adeolaade.blogspot.com/
  • Certification: N/A
Re: ISE not responding to Radius request
« Reply #1 on: October 02, 2013, 04:25:23 AM »
NTP is so pivotal to all ISE deployment. You may need to ensure the two devices ASA and ISE have common NTP server for time synchronization you can use Window 2008 R2 as NTP for each of deployment and testing.

Basically your issues could not be unconnected to NTP issues.

Regards,
Technology makes life easy but I hope the same technology will not send man back to stone age!

rthurber

  • Guest
Re: ISE not responding to Radius request
« Reply #2 on: October 02, 2013, 06:48:52 AM »
Thanks adecisco! I'll dig deeper on the NTP setup.

I have been see NTP sync errors, but at the moment they are synchronized, but still do not authenticate.

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: ISE not responding to Radius request
« Reply #3 on: October 02, 2013, 06:07:05 PM »
Where did you run the packet capture? If it is at the switch port ISE server is connected to and you see a packet leaving the port to ISE but there is no reply coming back, most likely it is a key mismatch so verify the RADIUS key on both sides, although I would think ISE would still log the failure in such case. 
ISE status being grey is certainly not a good sign. Usually it is only grey when it first starts up and will turn green.
If you check everything, the next step would be to contact TAC. They might be able to look deeper into this.

Offline adecisco

  • Cisco Newbie
  • *
  • Posts: 96
  • Reputation: 10
  • Discovering new solution is sweet!
    • http://adeolaade.blogspot.com/
  • Certification: N/A
Re: ISE not responding to Radius request
« Reply #4 on: October 03, 2013, 01:41:39 AM »
Do post your topology as well to give us view of your setup.
Technology makes life easy but I hope the same technology will not send man back to stone age!

 

Related Topics

  Subject / Started by Replies Last post
3 Replies
17355 Views
Last post October 29, 2013, 12:29:44 AM
by MC
5 Replies
22164 Views
Last post April 29, 2014, 03:44:26 PM
by bhatsy
1 Replies
12905 Views
Last post October 19, 2014, 10:01:14 PM
by MC
5 Replies
37656 Views
Last post February 09, 2015, 08:16:20 PM
by MC
0 Replies
22011 Views
Last post May 29, 2016, 07:30:47 PM
by micruzz82

SimplePortal 2.3.7 © 2008-2024, SimplePortal