RADIUS authentication with ISE - a wrong IP address
Hello
We use ISE for RADIUS authentication. I have set up a new Cisco switch stack at one of our branches and set up the network device in ISE. Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client". The reason for this failure is that the log shows the request coming from the wrong IP address. The IP address of the switch is 10.xxx.aaa.241, but the logs show that it is 10.xxx.aaa.243. I removed and re-added the RADIUS configs on ISE and the switch, but it still shows .243. There is another location with a switch stack (same model, IOS etc.), which works correctly.
The RADIUS config on the switch:
aaa new-model
!
!
aaa authentication login default local
aaa authentication login Comm group radius local
aaa authentication enable default
aaa authorization exec default group radius if-authenticated
ip radius source-interface Vlanyy
radius server 10.xxx.yyy.zzz
 address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
 key 7 abcdefg
The ISE log:
Overview
Event 5405 RADIUS Request dropped
Username
ID of the endpoint
Profile of endpoint
The authorization profile
Details of authentication
Source Timestamp 2014-07-30 08:48:51.923
Received Timestamp 2014-07-30 08:48:51.923
Policy Server ise
Event 5405 RADIUS Request dropped
Failure Reason 11007 Could not locate Network Device or AAA Client
Resolution Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices
Root cause Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
Username
Type of user
ID of the endpoint
Profile of endpoint
IP address
Identity store
Membership group
ID of Session verification
Authentication method
Authentication Protocol
Type of service
Network device
Type of device
Location
NAS IP Address 10.xxx.aaa.243
NAS Port Id tty2
NAS Port Type Virtual
The authorization profile
Status of the posture
Security group
Response time
Other attributes
ConfigVersionId 107
Device port 1645
DestinationPort 1812
Protocol Radius
NAS-Port 2
AcsSessionID ise1/186896437/1172639
Device IP Address 10.xxx.aaa.243
CiscoAVPair
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11007 Could not locate Network Device or AAA Client
5405
As a test, I set up a device that uses the .243 address. While ISE claims that it authenticates, it really doesn't. I have to use my local account to access the device.
Any advice on how to solve this problem would be appreciated. Please let me know if you need more information.
Beth
Remove your (radius-server host 10.x.x.x... etc.) line and try this command and see if the problem goes away. The new part is the non-standard keyword; see if that helps.
radius-server host 10.xxx.xxx.xxx auth-port 1645 acct-port 1646 non-standard key *
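A triage helper for the failure in this thread, as an added example that is not part of the original posts: it reads an 11007 detail record and compares the logged device address with the addresses registered as network devices, flagging a registered neighbour in the same subnet as a hint that requests leave the switch from a different address than the one registered. The inventory, the sample record, the function names and the /24 subnet size are assumptions constructed for illustration, because the thread masks its real addresses.

```python
import ipaddress
import re

# Constructed inventory: the post masks its addresses (10.xxx.aaa.241/.243),
# so these stand-in values are assumptions, not data from the thread.
REGISTERED_DEVICES = {
    "branch-a-stack": "10.20.30.241",
    "branch-b-stack": "10.20.40.241",
}

# Constructed detail record, one "label value" pair per line.
SAMPLE_DETAIL = """\
Event 5405 RADIUS Request dropped
Failure Reason 11007 Could not locate Network Device or AAA Client
NAS IP Address 10.20.30.243
NAS Port Id tty2
Device IP Address 10.20.30.243
DestinationPort 1812
"""

FIELD_RE = re.compile(
    r"^(Failure Reason|NAS IP Address|Device IP Address)\s+(.+?)\s*$", re.M)


def parse_detail(text):
    """Return the fields needed for triage as a label -> value dict."""
    return dict(FIELD_RE.findall(text))


def triage_11007(text, registered, prefix_len=24):
    """Classify an 11007 drop by comparing the logged address to the inventory.

    prefix_len is an assumed branch subnet size used to find neighbours.
    Returns None when the record is not an 11007 failure.
    """
    fields = parse_detail(text)
    if not fields.get("Failure Reason", "").startswith("11007"):
        return None
    seen = ipaddress.ip_address(fields["Device IP Address"])
    known = {ipaddress.ip_address(ip): name for name, ip in registered.items()}
    if seen in known:
        return {"source": str(seen), "verdict": "registered", "neighbours": []}
    # Registered devices in the same subnet suggest the switch is known to
    # ISE under a different address than the one it sends requests from.
    subnet = ipaddress.ip_network(f"{seen}/{prefix_len}", strict=False)
    neighbours = sorted(f"{name} ({ip})" for ip, name in known.items()
                        if ip in subnet)
    verdict = "check source interface" if neighbours else "unknown device"
    return {"source": str(seen), "verdict": verdict, "neighbours": neighbours}


if __name__ == "__main__":
    print(triage_11007(SAMPLE_DETAIL, REGISTERED_DEVICES))
```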
Tags: Cisco Security
Similar Questions
-
some computers are not authenticated successfully with ISE and join the guest VLAN
Hello
We have deployed ISE in a company and set the workstations for computer authentication. When workstations are authenticated, they are placed in the Data VLAN (5); if they fail, then they must be placed in the guest VLAN (50). The WiredAutoConfig service as supplicant is set with GPO, so all the workstations have the same settings.
The ISE certificate is signed by our internal CA, and the workstations have also imported the CA in their trusted CA list.
The problem is that a few workstations are placed in the guest VLAN. Previously on these workstations, we got a pop-up as below. When clicking on 'connect', the workstations were placed properly in the Data VLAN (5). We no longer get this security alert on these machines and they just join the guest VLAN, which is not what we want.
However, most of the workstations are authenticated successfully.
switchport configuration:
switchport access vlan 5
switchport mode access
switchport voice vlan 6
authentication event fail action next-method
authentication event server dead action authorize vlan 5
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 50
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation replace
mab
mls qos trust dscp
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
ISE authentication log:
Is anyone in a similar situation?
I guess that the machines in the domain have the root CA certificate checked under the 'Protected EAP Properties' window?
-
Custom authentication fails with PLS-00306: wrong number or types of argume
Hello
I wrote a custom authentication scheme. I have a function that returns a BOOLEAN. Now, when I tried to test it, it threw the following error.
< pre >
ORA-06550: line 2, column 8: PLS-00306: wrong number or types of arguments in the call to 'AUTH_ON_MY_USERS' ORA-06550: line 2, column 1: PL/SQL: statement ignored
ERR-10460 error cannot perform the function of verification of the authentication credentials.
Ok
< / pre >
The function is
< pre >
create or replace function auth_on_my_users (p_username_in in varchar2,
p_password_in in varchar2)
return boolean
is
begin
return true;
end;
< / pre >
I have an Oracle 10 g XE on windows. Apex 3.2.1. When I tried the same thing in apex.oracle.com, it worked. Is there something to do with XE and 3.2.1?
Any idea? Thanks in advance.
Regards
Guru
Published by: guru Perrin on November 23, 2009 19:44 - Typo
Hello
Try
create or replace function auth_on_my_users( p_username in varchar2, p_password in varchar2) return boolean is begin return true; end;
The Application Express engine requires this function to have the signature (p_username in varchar2, p_password in varchar2) return boolean.
BR, Jari
-
Unable to use AD groups for RADIUS authentication on ISE 2.0
I tried following the guide on how to configure ISE 2.0 for TACACS+ device administration, and when I get to the 'device admin policy sets' the only thing that I can use there is the default user identity groups. It won't let me choose an AD group. Even if I create an identity group I'm unable to map an AD group to it. Am I missing something here?
Make sure that you use the 3rd box (left to right) when building your condition based on AD groups. The 2nd box only searches the internal identity store. Then you will need to click on the 3rd box > create new Condition > Select attribute > AD1 (or whatever you named your AD connection) > external groups
I hope this helps!
Thank you for evaluating useful messages!
-
ISE device administration authentication Radius possible?
Hello
does anyone know if device administration authentication and authorization with RADIUS is possible with the current release of ISE? I know that TACACS+ will be available in future releases.
Regards
Joerg
Yes it is possible according to the "Ask the experts" forum
--------------------------
https://supportforums.Cisco.com/thread/2172532
"If you use RADIUS for the administration of the system, ISE can be used using authorization policy elements that return Cisco av-pairs. But personally, I think that ACS is currently superior to ISE for this task."
--------------------------
In any case, I'm about to test "device admin" and "network access" at the same time in the same switch with Radius and ISE.
Please rate if this can help
-
Authentication Radius Cisco with Windows NAP with encrypted authentication
I need authentication radius configuration for Cisco IOS devices for device management. My radius server is on Windows 2008 R2.
Can I implement this with encrypted authentication? In the attached diagram, what protocol can I use for encrypted authentication?
According to some sites, we need to activate authentication in clear text. Has anyone put in place secure authentication such as MSCHAP?
Hello
You enable clear-text authentication (PAP). Don't forget RADIUS sends the username in the clear but encrypts the password. You can confirm this by taking a Wireshark capture. You will also get better RADIUS encryption by using a long and complex RADIUS key.
If you want to encrypt the user name and password, then you would use TACACS+
Thank you
John
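The answer's point that RADIUS carries the username as-is and hides only the password, shown as an added example that is not part of the thread: the User-Password hiding defined in RFC 2865 section 5.2, where the keystream is MD5 over the shared secret and the Request Authenticator. The username, password, shared secret and authenticator are constructed sample values, and the function names are this example's own.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD = 1, 2  # RADIUS attribute type codes (RFC 2865)

# Constructed sample values, not taken from the thread.
SAMPLE_AUTHENTICATOR = bytes(range(16))      # random 16 octets in real traffic
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_USER = b"netadmin"
SAMPLE_PASSWORD = b"Constructed-Passw0rd!"   # 21 octets, so two 16-octet blocks


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Server side: same keystream, chained on the received hidden blocks."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return clear.rstrip(b"\x00")


def pap_attributes(username, password, secret, authenticator):
    """Encode User-Name and User-Password as type/length/value attributes."""
    hidden = hide_password(password, secret, authenticator)
    return (struct.pack("!BB", USER_NAME, len(username) + 2) + username +
            struct.pack("!BB", USER_PASSWORD, len(hidden) + 2) + hidden)


if __name__ == "__main__":
    attrs = pap_attributes(SAMPLE_USER, SAMPLE_PASSWORD,
                           SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
    print("username visible on the wire:", SAMPLE_USER in attrs)
    print("password visible on the wire:", SAMPLE_PASSWORD in attrs)
```

The only secret input to the keystream is the shared key, which is why the answer recommends a long and complex one.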
-
ASA 5525 X Anyconnect configuration with ISE 2.1
I have a new deployment of ISE 2.1 which is used only for the management of the devices at the moment. The intention is that it will serve as radius for authentication of our VPN server.
The 5525-X is a brand new ASA running 9.4 code. I want to configure the VPN policy on the ASA so that each user is assigned a DAP based on their department.
I already have the department designation for user accounts assigned in AD through a group membership. I don't know how to get ISE to pass the group membership to the ASA so that it can match the user to the correct DAP based on this group membership.
I have failed to determine how this is supposed to work. Thanks for any help.
Normally we authenticate and authorize users and then push a DACL or authorization profile from ISE, based on conditions such as Posture check results or elements of the user's identity (such as membership of a group in AD or another external identity store).
There are a couple of good guides to do so, including detailed examples:
https://communities.Cisco.com/docs/doc-68158
http://www.Cisco.com/c/en/us/support/docs/security/Adaptive-Security-app...
http://www.Cisco.com/c/en/us/support/docs/security/AnyConnect-secure-mob...
While they focus on the Posture use case, they can be adapted to other uses. For example, an ISE authorization condition can be not only the result of a Posture check but also membership in a given group, or anything else you make into a condition.
I do not think we can tell the ASA to invoke a given DAP policy, as the Hostscan module cannot be used at the same time as the ISE Posture module. However, you should be able to accomplish just about everything you used to depend on DAP for with the ISE Posture Module for AnyConnect (assuming you have AnyConnect 4.x Apex licenses).
If you want to stick with the ASA DAP model, you can forgo using the ISE Posture policies and module and instead create an authorization profile (result) to send the ASA a RADIUS A-V pair based on a match (in the ISE authorization policy) with the AD group. There is a "Cisco-VPN-3000" A-V pair called "PIX7x-Member-Of" that can be used in ASA dynamic access policies. You can see it (and all other A-V pairs supported by ISE) here:
-
Guest access with ISE and WLC LWA
Hi guys,
Our company is trying to implement guest access with ISE and WLC using the local Web authentication method. But there is a problem with the certificate. This is the scenario:
1. The clients try to connect to the wifi with the guest SSID.
2. Once connected, they open the browser and try to open a Web page (example: cisco.com).
3. Because the guests have not logged in, this link redirects to the "ISE Guest Login Page" (the URL becomes: url).
4. If the ISE Guest Login Page certificate is not installed, there is an untrusted connection message, but it will be fine if they "Add Exception and install the certificate".
5. Then the Guest Login Page appears and they can enter their username and password.
6. Login succeeds and they are redirected to www.cisco.com, and there is a pop-up from 1.1.1.1 (IP of the WLC Virtual Interface) with the logout button.
The problem occurs in step 6 of the scenario: after a successful login, the Web page with the IP address 1.1.1.1 and a certificate error appears.
I know that it happens when the client does not have the WLC login page certificate...
My question is, is there a way of tunneling the WLC certificate to ISE? Or what can we do so that ISE validates the WLC certificate, so that guests do not need to install the WLC certificate / root certificate before they connect to the wifi?
Thanks for your answer and sorry for my bad English...
Do not mix WLC local Web authentication with the ISE Guest Portal. Choose one or the other. I suggest the portal + WLC CWA.
-
[WRVS4400N] RADIUS with VPN?
Hello
I have an Active Directory with RADIUS server and I intend to buy a wireless router with VPN functionality,
I took a glance at the WRVS4400N documentation and I saw the use of RADIUS with 802.1X and wireless, but nothing about its use with VPN...
It is therefore possible to use RADIUS for authentication on the VPN?
Thank you
Hi Mathieu chick and welcome in the community at the homepage of Cisco!
The WRVS440N is managed by the Cisco Small Business Support Community.
For discussions about this product, go here.
-
When I tried one of the solutions in your forum, I typed the wrong IP address. I tried default resets; this doesn't seem to work on my hp4780. I cannot get back to the URL for the built-in web server, and my router does not seem to work with the printer; it is a Cisco N900. The printer shows offline.
Reset the printer back to factory default and reinstall completely from scratch.
-
Interoperability issue of ACS 5.0 as RADIUS with ASA?
Hello
I'm trying to get my VPN users authenticated with RADIUS (ACS 5.0), and the VPN users database is created in AD. Now when I try to connect through the Cisco VPN client, I am unable to do so. In fact, I get an error message (through debugging on the ASA for aaa and isakmp) that my RADIUS server is DOWN.
Please let me know if there is any compatibility issue with ACS 5.0 here, because everything was working fine on version 4.2 of ACS.
Regards
Ritesh
Ritesh,
Yes, there is a defect in ACS 5.0 with VPN authentication.
When you try to connect with the VPN client, you will not see any hits in the monitoring and report views.
In the ASDM logs you'll see that the RADIUS server is not accessible.
The debugs will show a RADIUS timeout.
This will work with TACACS+. The access policy rule was not hit. Also, could not use RADIUS as it hits CSCsy17858
http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858 ; used TACACS+ instead of RADIUS.
If you want to use RADIUS then you need to upgrade your version of ACS to 5.1.
You can download patch 9 (5-0-0-21 - 9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the below path:
Go to Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >
Reference: upgrading ACS from version 5.0 to 5.1:
http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html
HTH
Kind regards
JK
Please rate useful messages
-
Cannot open the URL of the CWA with ISE
Hi people,
I have a problem when performing CWA with ISE to give guests access to the network.
Everything is fine except the URL of the CWA: when guests open Explorer and enter a domain name after connecting to the SSID, they are redirected to a URL like "https://hostname.demo.com:8443/guestportal/..." which begins with the hostname and the domain name of the ISE. But we do not have any AD or DNS on the LAN for our network, so we cannot resolve hostname.demo.com to the IP address of the ISE. So can I just change the URL to an IP-based one like "https://10.10.10.70:8443/guestportal"?
Screenshot attached (sorry).
Basically it's in the authorization policy, which allows you to use a static DNS name or IP address.
-
URL does not change after successful authentication with ISE 1.1.1
Hello
I have installed Cisco Identity Services Engine (1.1.1) with Wireless LAN Controller (7.2.110).
Everything is complete, except the redirect URL. My guest clients can join the guest SSID and can also authenticate to ISE.
But after they successfully authenticate with ISE, the URL in the browser does not change to the pre-configured one. It still shows something like https://ise-ip:8443/guestportal/redir.html . However, the content in the browser is replaced by that of the configured URL, http://www.google.com/
What can I do about this situation, where everything works well but only the URL in the browser does not change to that of the site?
Thank you
Mathias
Hello
See if this thread will help, what you can do to work around the problem, is to redirect all authentications to a single Web page.
https://supportforums.Cisco.com/message/3664154#3664154
Thank you
Tarik Admani
* Please rate useful messages *
-
need to know if my order has been placed.
I connect on a wrong email address. but was able to pay for it.
https://forums.Adobe.com/docs/doc-7273 Welcome to the Adobe Community Connections page!
This page is where you can connect with your peers in a virtual coffee international fair for conversations that relate directly to the support and help of the product
[Ask in the correct forum allows... Left forum for forum Cloud connections... MOD]
This is an open forum, not Adobe support... Click below to contact Adobe staff for help
While the forums are open 24/7 you can't contact Adobe support at any time
Chat support: Mon - Fri 05:00-19:00 (US Pacific Time)
Don't forget to stay signed with your Adobe ID before accessing the link below
Creative cloud support (all creative cloud customer service problems)
-
I need help to cancel my account creative cloud I wrote the wrong email address when I created it
I need help to cancel my account creative cloud I wrote the wrong email address when I created it. Is there a way I can do?
Hello
Please contact support by calling/chat for cancellation requests and billing queries:
* Be sure to stay connected with your Adobe ID before accessing the link above *.
You can also check the help below document:
https://helpx.Adobe.com/x-productkb/policy-pricing/cancel-membership-subscription.html
Please go through the Adobe - General conditions of subscription as well.