ISE error messages

nimmi.phasil
Level 1

Hi,

I am authenticating Fortinet with ISE. While ISE successfully authenticates Fortinet, the authentication reply is not reaching the Fortinet firewall.

The firewall can ping ISE.

Following are the tcpdump messages. 210.18.5.70 is the Fortinet firewall.

    210.18.5.70.sify.net.blackjack > ISE.radius: RADIUS, length: 101
        Access Request (1), id: 0x5b, Authenticator: 2edd47c7cb141a1488ece685ed655f6e
          NAS ID Attribute (32), length: 18, Value: FGT60C3G11032050
          Username Attribute (1), length: 10, Value: fortinet
          Password Attribute (2), length: 18, Value:
          Accounting Session ID Attribute (44), length: 10, Value: 2c4fc294
          Connect Info Attribute (77), length: 13, Value: admin-login
          Vendor Specific Attribute (26), length: 12, Value: Vendor: Unknown (12356)
            Vendor Attribute: 3, Length: 4, Value: root
    ISE.radius > 210.18.5.70.sify.net.blackjack: RADIUS, length: 218
        Access Accept (2), id: 0x5b, Authenticator: 205dabbc626b00d9b8d58e3a7a9e5bc5
          Username Attribute (1), length: 10, Value: fortinet
          Service Type Attribute (6), length: 6, Value: Login
          State Attribute (24), length: 67, Value: ReauthSession:ac1f01092H_GB3Ax4qI/2pYtcAtlpw9f1j3REGu8rBwJbaJ_8Xs
          Class Attribute (25), length: 78, Value: CACS:ac1f01092H_GB3Ax4qI/2pYtcAtlpw9f1j3REGu8rBwJbaJ_8Xs:ISE/253643487/93219
          Vendor Specific Attribute (26), length: 18, Value: Vendor: Unknown (12356)
            Vendor Attribute: 1, Length: 10, Value: test-group
          Vendor Specific Attribute (26), length: 19, Value: Vendor: Unknown (12356)
            Vendor Attribute: 6, Length: 11, Value: super_admin
    09:45:49.178300 IP (tos 0x0, ttl 252, id 1838, offset 0, flags [none], proto ICMP (1), length 56)
        segment-119-227.sify.net > ISE: ICMP host 210.18.5.70.sify.net unreachable - admin prohibited filter, length 36
    ISE.radius > 210.18.5.70.sify.net.blackjack: [|radius]



Regards

Nimmi


Accepted Solutions

vibobrov
Cisco Employee

The response from ISE is being blocked by this device: segment-119-227.sify.net.
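To make the diagnosis in this answer mechanical, here is an added example (not from the thread and not Cisco's code) that walks tcpdump text like the capture posted above, pairs each RADIUS reply with the NAS it was sent to, and reports when an ICMP "admin prohibited" message for that NAS arrives from a different host, which is what pinpoints the filtering device. The capture is a constructed sample with renamed hosts (`filter-hop.example` stands in for the blocking device).

```python
import re

# Constructed sample modelled on the capture in the post (hosts renamed; not the real trace).
SAMPLE_CAPTURE = """\
10.0.0.70.blackjack > ise.radius: RADIUS, length: 101
    Access Request (1), id: 0x5b, Authenticator: 2edd47c7cb141a1488ece685ed655f6e
ise.radius > 10.0.0.70.blackjack: RADIUS, length: 218
    Access Accept (2), id: 0x5b, Authenticator: 205dabbc626b00d9b8d58e3a7a9e5bc5
09:45:49.178300 IP (tos 0x0, ttl 252, id 1838, offset 0, flags [none], proto ICMP (1), length 56)
    filter-hop.example > ise: ICMP host 10.0.0.70 unreachable - admin prohibited filter, length 36
ise.radius > 10.0.0.70.blackjack: [|radius]
"""

FLOW_RE = re.compile(r"^\s*(\S+) > (\S+): RADIUS")
CODE_RE = re.compile(r"^\s*(Access (?:Request|Accept|Reject|Challenge)) \(\d+\), id: (0x[0-9a-fA-F]+)")
ICMP_RE = re.compile(r"^\s*(\S+) > (\S+): ICMP host (\S+) unreachable - admin prohibited")


def host_of(endpoint):
    """Strip tcpdump's trailing '.port' (e.g. 'ise.radius' -> 'ise')."""
    return endpoint.rsplit(".", 1)[0]


def diagnose(capture):
    """Return one finding per RADIUS reply that an ICMP admin-prohibited message reports as filtered."""
    findings = []
    replies = {}  # NAS host -> (code, id) of the last reply the server sent to it
    flow = None   # (src host, dst host) of the RADIUS packet whose code line follows
    for line in capture.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flow = (host_of(m.group(1)), host_of(m.group(2)))
            continue
        m = CODE_RE.match(line)
        if m and flow:
            code, rid = m.groups()
            if code != "Access Request":      # server -> NAS direction: remember the reply
                replies[flow[1]] = (code, rid)
            continue
        m = ICMP_RE.match(line)
        if m:
            sender, _server, nas = m.groups()
            if nas in replies:                # the filtered destination is a NAS we replied to
                code, rid = replies[nas]
                findings.append({
                    "nas": nas, "reply": code, "id": rid, "blocked_by": sender,
                    # ICMP from a third host means an in-path filter, not the NAS itself
                    "where": "intermediate filter" if sender != nas else "NAS itself",
                })
    return findings
```

Run it against a real capture saved with `tcpdump -v` and any finding names the device whose ACL or policy needs the RADIUS reply permitted back to the NAS.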


4 Replies

thomas
Cisco Employee

Nimmi,

You said the firewall can ping ISE but the RADIUS response is still failing. This sounds like a firewall configuration problem.

Please see our Cisco ISE Ports Reference for the various ports that must be opened in the ISE architecture for different features/capabilities.

For RADIUS between ISE and your network access devices (assuming you do not change from the default ports) you will need to open:

  • RADIUS Authentication: UDP/1645, 1812
  • RADIUS Accounting: UDP/1646, 1813
  • RADIUS Change of Authorization (CoA) Send: UDP/1700
  • RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799

Note: UDP port 3799 is not configurable.

If you continue to have firewall/connectivity problems, you will need to call the TAC.

Hi Thomas,

The same ISE is doing RADIUS authentication/authorization with other vendors like HP, Cisco.

Also, the authentication is successful in the ISE server. The problem is the response message is not reaching the Fortinet firewall.

Regards

Nimmi MP

Hi,

This works with a different device. There is something filtering the message from reaching Fortinet.

Thanks for the support.

Regards

Nimmi MP
