Cisco Bug: CSCvs84000 - ISE Evaluate Configuration Validator incorrect AAA and RADIUS diagnosis

Last Modified

Apr 06, 2020

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

2.4(0.357) 2.6(0.156) 2.7(0.356)

Description (partial)

Symptom:
The ISE tool at Operations -> Troubleshoot -> Diagnostic Tools -> General Tools:
Evaluate Configuration Validator
shows an incorrect AAA and RADIUS diagnosis for the network device configuration.

------------------------------------------------------------------------------------------------------------------------------------------

1- Under AAA Configuration (Global), these errors are incorrectly flagged:

a) The validator looks for the RADIUS port configuration under the AAA server group:
aaa group server radius
 [Missing] 	[Mandatory] 	   server auth-port 1812 acct-port 1813

This is not configurable when the server is referenced by name (the "server name" form takes no port options):
CORE-3560-CG(config)#aaa group server radius Rcrt_Group
CORE-3560-CG(config-sg-radius)#server name ise2-4test ?
  <cr>

The ports are only valid when the server is referenced by IP address or hostname:
CORE-3560-CG(config-sg-radius)#server 10.10.10.1 auth-port 1812 acct-port 1818


b) The validator incorrectly flags these commands as missing:
[Missing] 	[Mandatory] 	aaa authentication dot1x default group radius
[Missing] 	[Mandatory] 	aaa authorization network default group radius
[Missing] 	[Mandatory] 	aaa accounting dot1x default start-stop group radius

The switch has its RADIUS server group defined under a different name (for example "group Rcrt_Group" rather than "group radius"); the validator should account for this.

------------------------------------------------------------------------------------------------------------------------------------------

2- Under RADIUS Configuration (Global), these errors are incorrectly flagged:

a) A command is reported missing because it is configured in a different format:
[Missing] 	[Mandatory] 	radius-server host auth-port 1812 acct-port 1813 key

The newer method of configuring a RADIUS server is by name. For example:
radius server rcrt115
 address ipv4 10.10.10.1 auth-port 1812 acct-port 1813
 key cisco

b) Commands are reported missing that are enabled by default and therefore hidden from the running configuration:
[Missing] 	[Mandatory] 	radius-server vsa send accounting
[Missing] 	[Mandatory] 	radius-server vsa send authentication

Conditions:
Using the Evaluate Configuration Validator in ISE to verify the AAA configuration of an IOS device.