Lab Minutes Forum
Technical Discussion => Security => Topic started by: rthurber on October 01, 2013, 01:24:29 PM
-
I'm looking for tips or suggestions on how to troubleshoot this issue.
I'm using ISE (VM version 1.2.0.899) for Radius (via local and AD) to authenticate/authorize users in AnyConnect on an ASA (8.4(6)).
Two times already, the system will work fine, then all of a sudden will stop answering Radius requests. When I run a packet capture, I see Radius from the ASA, but ISE is not responding. I'm pretty new to ISE, and what I'm seeing is that there is very little direction on how to validate that ISE Radius is working. Obviously I ran a TCPdump.
Here are some of the other things I checked. Can anyone recommend any other troubleshooting steps, particularly for Radius?
Here is an error from mnt-report.log:
2013-09-30 21:51:13,703 INFO [admin-http-pool24][] mnt.report.ui.services.ReportHelper- Report: adminauth-services-status-radius-errors.xml1380577868774, Parameters from UI:
The Home page has two distinct indicators. One, the ISE status is grey. And the Health Status is unavailable.
NTP was out of sync but I have fixed that issue, to no avail.
And finally, I've simplified the authentication policy to permit local, to rule out AD.
Cisco Identity Services Engine
---------------------------------------------
Version : 1.2.0.899
Build Date : Wed Jul 24 07:37:31 2013
Install Date : Thu Sep 5 16:29:28 2013
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 1
Install Date : Tue Oct 01 18:36:55 2013
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 2
Install Date : Tue Oct 01 18:57:15 2013
ise1/admin# show application status ise
ISE Database listener is running, PID: 3952
ISE Database is running, number of processes: 42
ISE Application Server is running, PID: 6239
ISE Profiler DB is running, PID: 5118
ISE M&T Session Database is running, PID: 4995
ISE M&T Log Collector is running, PID: 6321
ISE M&T Log Processor is running, PID: 6418
-
NTP is so pivotal to all ISE deployments. You may need to ensure the two devices, ASA and ISE, have a common NTP server for time synchronization; you can use Windows 2008 R2 as NTP for each deployment and for testing.
Basically, your issues could not be unconnected to NTP issues.
Regards,
-
Thanks adecisco! I'll dig deeper on the NTP setup.
I have been seeing NTP sync errors, but at the moment they are synchronized and still do not authenticate.
-
Where did you run the packet capture? If it is at the switch port the ISE server is connected to and you see a packet leaving the port to ISE but there is no reply coming back, most likely it is a key mismatch, so verify the RADIUS key on both sides, although I would think ISE would still log the failure in such a case.
ISE status being grey is certainly not a good sign. Usually it is only grey when it first starts up and will turn green.
If you check everything, the next step would be to contact TAC. They might be able to look deeper into this.
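Two checks come up in this thread: the original post's capture shows Access-Requests leaving the ASA with no reply from ISE, and the reply above suggests a RADIUS key mismatch. The script below is an added example (not from the thread, and not Cisco code) that walks a list of RADIUS packets pulled from a capture, pairs each Access-Request with its response by identifier, flags requests that never got an answer, and validates the Response Authenticator of each reply against the shared secret the NAS is configured with (MD5 over Code, Identifier, Length, Request Authenticator, Attributes and the secret, per RFC 2865). The packets, secrets and direction labels are constructed inline so it runs offline; in a real deployment you would feed it the UDP payloads from the tcpdump and key pending requests by client address and source port as well as identifier.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_USER_NAME, ATTR_REPLY_MESSAGE = 1, 18


@dataclass
class RadiusPacket:
    code: int
    identifier: int
    authenticator: bytes   # 16-byte Request or Response Authenticator
    attributes: bytes      # raw TLV attribute bytes
    raw: bytes             # the packet trimmed to its Length field


def parse_radius(raw: bytes) -> RadiusPacket:
    """Split a RADIUS UDP payload into header fields; rejects truncated or mis-sized packets."""
    if len(raw) < 20:
        raise ValueError("RADIUS header needs 20 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("bad RADIUS Length field")
    return RadiusPacket(code, ident, raw[4:20], raw[20:length], raw[:length])


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, 2 + len(value)]) + value


def build_request(ident: int, request_auth: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code: int, ident: int, request_auth: bytes, attrs: list, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def response_authenticator_ok(request: RadiusPacket, response: RadiusPacket, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator with our secret and compare in constant time."""
    expected = hashlib.md5(response.raw[:4] + request.authenticator + response.attributes + secret).digest()
    return hmac.compare_digest(expected, response.authenticator)


def audit_exchange(packets: list, secret: bytes) -> list:
    """packets: (direction, raw_bytes) in capture order. Returns (identifier, type, status) tuples."""
    pending = {}
    results = []
    for _direction, raw in packets:
        pkt = parse_radius(raw)
        name = CODE_NAMES.get(pkt.code, f"Code-{pkt.code}")
        if pkt.code == ACCESS_REQUEST:
            pending[pkt.identifier] = pkt
        elif pkt.identifier in pending:
            req = pending.pop(pkt.identifier)
            status = "ok" if response_authenticator_ok(req, pkt, secret) else "authenticator-mismatch"
            results.append((pkt.identifier, name, status))
        else:
            results.append((pkt.identifier, name, "unsolicited"))
    # Anything still pending is the symptom from the original post: request sent, no reply.
    for ident in sorted(pending):
        results.append((ident, "Access-Request", "unanswered"))
    return results


# Constructed sample capture: the NAS secret and a mistyped server-side secret are both made up.
NAS_SECRET = b"lab-secret"
MISTYPED_SECRET = b"lab-secrte"
AUTH1, AUTH2, AUTH3 = bytes(range(16)), bytes(range(16, 32)), bytes(range(32, 48))
SAMPLE_CAPTURE = [
    ("asa->ise", build_request(1, AUTH1, [encode_attr(ATTR_USER_NAME, b"alice")])),
    ("ise->asa", build_response(ACCESS_ACCEPT, 1, AUTH1, [], NAS_SECRET)),
    ("asa->ise", build_request(2, AUTH2, [encode_attr(ATTR_USER_NAME, b"bob")])),
    ("ise->asa", build_response(ACCESS_REJECT, 2, AUTH2, [encode_attr(ATTR_REPLY_MESSAGE, b"denied")], MISTYPED_SECRET)),
    ("asa->ise", build_request(3, AUTH3, [encode_attr(ATTR_USER_NAME, b"carol")])),
]

if __name__ == "__main__":
    for ident, kind, status in audit_exchange(SAMPLE_CAPTURE, NAS_SECRET):
        print(f"id={ident:<3} {kind:<16} {status}")
```

A reply that fails the authenticator check means the two sides are not using the same key, which is the mismatch case raised above; a request that stays in the pending table with no reply at all matches what the original capture showed and points at the server not processing the packet rather than at the key.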
-
Do post your topology as well to give us a view of your setup.