ISE node forwards authen/author requests to the other node

Gioacchino
Level 1

In a setup of two nodes, I pointed our WLC to just the ISE2 node.

Still, I see in the RADIUS live logs of ISE1 (!) some processed requests, with Access-Accept/Access-Reject based on conditions.

Expanding one of the logs, I eventually realized that the NAS (or NAD) was the ISE2, i.e. the request was forwarded from ISE2 to ISE1.

I know that ISE2 might be configured as a proxy, based on (https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/213239-configure-external-radius-servers-on-ise.html) but ISE1 is not listed among the EXTERNAL RADIUS servers.

I also tried to decrypt the policy sets on ISE2 to see which policy set, but I was not successful.

Is there a sort of tracker that, based on conditions, will tell me which policy set would be matched and what the result would be?

On the WLC, I also tried to use the "test aaa..." command, but after having configured the attrlist and defined some other settings, I got on the CLI
...
TAAA CLIENT:AUTHENTICATION REQUEST INITIATED
...
and nothing else.

How can I figure out which policy set triggers that redirection from ISE2 to ISE1? Is there any tool like "policy set expander" that easily lists all the conditions and results in a plain diagram that I can analyse, instead of moving forth and back among the several tags on the ISE dashboard?

Gio

5 Replies

Damien Miller
VIP Alumni

ISE nodes do not directly forward RADIUS requests to other nodes in the deployment. The only way an ISE node shows as the processing node in the live logs is if the request was sent to that node. 

The caveat to this is if you're doing guest access to endpoints and the redirect request you're sending back is to a shared URL instead of a specific PSN. 

Thanks for the hint @Damien Miller,

indeed, by inspecting the XML file for the policy sets, I have noticed some inconsistencies.
I'm digging further.

Gio

[EDITED - please KEEP OFF THE MAIN DISCUSSION]

I noticed that there was a misconfiguration in the policy set related to CWA. ISE was instructed to return a URL pointing to just one of the ISE nodes instead of a URL that would balance the load across all nodes (through DNS round-robin): the result used a network profile that pointed right to the ISE in question. After changing the profile to a load-balanced FQDN that, for the moment, has an A record for just the live ISE, I still see logs, but less frequently. I guess I have to wait a little bit of time.

Unfortunately, this catch has nothing to do with the problem described in the subject.

Gio

Hi @Damien Miller ,

the weird setting I found on ISE2 was that, at the end of the Authorization process, the guest users always received in the Access-Permit the AV pair with the URL of ISE1.

But going back to the live logs, in the ISE1 RADIUS live logs, I see as NAS the other ISE2. Moreover, I see that the entire network (small /28) is allowed in the Network Devices (i.e. the RADIUS client), meaning the Cisco ISE can accept Access-Requests from that network.

Yet, I don't see any configuration related to "External RADIUS Servers" AND "RADIUS Server Sequences".

I'm truly puzzled and I wonder:

1) about which policy set triggers the forward to the other node;

2) about the fact that ISE2 forwards some requests to ISE1, if ISE1 is NOT among the external RADIUS servers.

Gio

Gioacchino
Level 1

@Damien Miller, I took captures and I can clearly see that ISE2 sends Access-Requests to ISE1, then it gets back Access-Accept. I'm puzzled, working with the partner on this. I hit the rule where the condition is Guest_Flow. The definition of Guest_Flow in the Library (Conditions Studio) is "Network Access-Use Case EQUALS Guest Flow". I see that Guest Flow is a special term in ISE, but really I cannot go deeper in understanding what ISE does when hitting that "Guest Flow" condition.

How may I proceed further?

Gio
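
The three things the thread circles around (an ISE node appearing as the NAS in the other node's live log, a CWA url-redirect AV pair pinned to one node's hostname instead of the load-balanced portal FQDN, and a Network Devices entry whose /28 covers the peer ISE node) can all be checked mechanically once you have captures. The following is an added example, not code from any of the posters or from Cisco: it encodes and decodes the RFC 2865 RADIUS attribute layout (including the Cisco Vendor-Specific AV pair) on constructed packets and flags each condition. The hostnames, IP addresses, portal path and the 10.0.0.0/28 subnet are assumptions chosen for illustration.

```python
"""
Constructed RADIUS packets plus a checker for the three symptoms discussed
in the thread (added example, not from the thread or from Cisco):
  1. an Access-Request whose NAS-IP-Address (attr 4) is itself an ISE node;
  2. an Access-Accept whose Cisco-AVPair url-redirect names a single node
     instead of the shared, load-balanced portal FQDN;
  3. a Network Devices subnet that covers a peer ISE node.
All names, addresses and the subnet below are assumptions for illustration.
"""
import ipaddress
import os
import struct
from typing import Dict, List, Tuple
from urllib.parse import urlparse

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_VSA = 1, 4, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

# Assumed deployment (constructed values):
ISE_NODES = {"ise1.example.net": "10.0.0.11", "ise2.example.net": "10.0.0.12"}
PORTAL_FQDN = "guestportal.example.net"   # load-balanced name the portal should use
NAD_SUBNET = "10.0.0.0/28"                # the /28 Network Devices entry


def build_packet(code: int, attrs: List[Tuple[int, bytes]], ident: int = 1) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) then TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    authenticator = os.urandom(16)  # random Request Authenticator; not checked here
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific value: Vendor-Id(4) + vendor type(1) + vendor len(1) + string."""
    val = text.encode()
    return struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(val) + 2) + val


def parse_packet(pkt: bytes) -> Dict:
    """Decode header and the attributes we care about; reject malformed lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    out = {"code": code, "id": ident, "nas_ip": None, "user": None, "avpairs": []}
    pos = 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        v = pkt[pos + 2:pos + l]
        if t == ATTR_NAS_IP and len(v) == 4:
            out["nas_ip"] = str(ipaddress.IPv4Address(v))
        elif t == ATTR_USER_NAME:
            out["user"] = v.decode(errors="replace")
        elif t == ATTR_VSA and len(v) >= 6:
            vid, vtype, vlen = struct.unpack("!IBB", v[:6])
            if vid == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and vlen == len(v) - 4:
                out["avpairs"].append(v[6:].decode(errors="replace"))
        pos += l
    return out


def check_packet(parsed: Dict) -> List[str]:
    """Return human-readable findings for symptoms 1 and 2 (empty list = clean)."""
    findings = []
    node_ips = set(ISE_NODES.values())
    if parsed["code"] == ACCESS_REQUEST and parsed["nas_ip"] in node_ips:
        findings.append(f"Access-Request with NAS-IP-Address {parsed['nas_ip']} is an ISE node")
    if parsed["code"] == ACCESS_ACCEPT:
        for av in parsed["avpairs"]:
            if av.startswith("url-redirect="):
                host = urlparse(av.split("=", 1)[1]).hostname
                if host in ISE_NODES or host in node_ips:
                    findings.append(f"url-redirect pinned to node {host}; expected {PORTAL_FQDN}")
    return findings


def nad_entry_covers_nodes(subnet: str) -> List[str]:
    """Symptom 3: which ISE nodes would be accepted as RADIUS clients by this entry."""
    net = ipaddress.ip_network(subnet)
    return sorted(n for n, ip in ISE_NODES.items() if ipaddress.ip_address(ip) in net)


def demo() -> Dict[str, List[str]]:
    """Run the checks over constructed packets: one clean and one bad of each kind."""
    cwa_path = "/portal/gateway?portal=guest&action=cwa"  # constructed CWA portal path
    wlc_req = build_packet(ACCESS_REQUEST, [
        (ATTR_USER_NAME, b"guest01"), (ATTR_NAS_IP, ipaddress.IPv4Address("10.0.0.2").packed)])
    peer_req = build_packet(ACCESS_REQUEST, [
        (ATTR_USER_NAME, b"guest01"), (ATTR_NAS_IP, ipaddress.IPv4Address("10.0.0.12").packed)])
    pinned = build_packet(ACCESS_ACCEPT, [(ATTR_VSA, cisco_avpair(
        f"url-redirect=https://ise1.example.net:8443{cwa_path}"))])
    shared = build_packet(ACCESS_ACCEPT, [(ATTR_VSA, cisco_avpair(
        f"url-redirect=https://{PORTAL_FQDN}:8443{cwa_path}"))])
    return {
        "wlc_request": check_packet(parse_packet(wlc_req)),
        "peer_request": check_packet(parse_packet(peer_req)),
        "pinned_accept": check_packet(parse_packet(pinned)),
        "shared_accept": check_packet(parse_packet(shared)),
        "nad_subnet_covers": nad_entry_covers_nodes(NAD_SUBNET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'clean'}")
```

Against real traffic, feed `parse_packet` the UDP payloads of the RADIUS packets from the capture rather than the constructed ones in `demo()`; a non-empty `peer_request`-style finding is exactly the pattern of ISE2 showing up as NAS in ISE1's live log, and `nad_entry_covers_nodes` tells you whether the broad /28 Network Devices entry is what lets ISE1 accept those requests in the first place.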