Radsec linked to Cisco ISE

Solved
DevOps_RC
Getting noticed


Good Morning, Just wondering if anyone has managed to setup radsec between Meraki APs and Cisco ISE. I'm certain I've setup both environments correctly, but authentication (pass or fail) isn't showing with the ISE logs, so suspect it's an issue with the radsec initial connection. When importing the Meraki certificate into ISE, which service should this trusted certificate be used for? (See below)

[Screenshot: DevOps_RC_0-1728378852862.png, the ISE trusted-certificate import dialog]

Apart from that, the certificate I have imported into the Meraki dashboard is the Root certificate of the chain that the ISE certificate uses for radsec: ISE Cert>CA Issuing Server Certificate>CA Root Server Certificate. I tried to import the issuing CA certificate (Middle of chain) into Meraki, but it complained that it wasn't a root Certificate, so assume it just wants the root and no other parts of the chain.

ISE Network device object is setup to use DTLS on 2083 using its fixed password radius/dtls

Radius setting within Meraki access control is setup to use radsec with that password on port 2083

No acls or firewalls blocking access between APs. Works perfectly well without radsec, but as soon as the config is changed to use radsec it doesn't work.

Any thoughts?

Logs in the Meraki AP when trying to authenticate via radsec:

[Screenshot: DevOps_RC_0-1728380755410.png, Meraki AP event log]


8 Replies
cmr
Kind of a big deal

@DevOps_RC I would have thought it is the bottom one as the Meraki APs should count as Cisco services, but I am not 100% certain. 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
KarstenI
Kind of a big deal
Accepted Solution

To my knowledge, this isn't supposed to work as RADsec is different from RADIUS over DTLS. Meraki implemented the first, Cisco ISE only the second, and they are not compatible.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
DevOps_RC
Getting noticed

Thanks for the information. I appreciate that there are two versions of RADsec, RADIUS over TLS and RADIUS over DTLS. I thought your suggestion couldn't possibly be right, I mean why would Cisco take two different approaches in securing RADIUS....but I tip my hat to you. All the documentation I can find (https://documentation.meraki.com/MR/Encryption_and_Authentication/MR_RADSec) states that Meraki RADsec uses TLS (only TCP connections can be seen in the packet captures to prove it), whereas, while I'm struggling to find an official Cisco ISE document, I did find this article (https://www.wiresandwi.fi/blog/cisco-radsec-part-1-radius-tls-dtls-overview) and it states 'Throughout this series, we will use RADIUS over DTLS for our RadSec implementation, since this is the only mode available for Cisco ISE.'

Oh dear......Anyone from Cisco want to jump in and say, 'Don't worry, upgrade to the latest version of ISE and it will support Radius over TLS'..or someone from Meraki instead want to say 'No worries, MR3X supports Radius over DTLS'??? Please.....

KarstenI
Kind of a big deal

We recently had a discussion where someone thought of putting a FreeRADIUS in front of the ISE as a RADsec Proxy to overcome the limitations. But no, I think these Cisco components really should have common features for securing RADIUS.


Another option, that won't work in all cases, is sending RADIUS through an IPsec VPN. The ISE can terminate IPsec, or a VPN device in the same data center can be used for this. But it won't help for our switches and APs where we would also need an additional VPN-device per location.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Ryan_Miles
Meraki Employee

Have you tested with the current stable 30.7? Same result?

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
DevOps_RC
Getting noticed

Apologies for the delay in responding. I'm just going to upgrade my test lab to that version now, and I'll provide an update hopefully later, if not Monday.

DevOps_RC
Getting noticed

@Ryan_Miles , Don't suppose MR30.7 includes RADIUS over DTLS support? Can you confirm that MR APs only support RADIUS over TLS as @KarstenI has suggested?

Ryan_Miles
Meraki Employee

According to the doc Meraki APs do appear to use TLS for RADSec.


And yes, it appears ISE only supports RADIUS over DTLS today and not TLS RADSec. Various docs don't seem to be all that clear on the topic.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
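As an added example (not code from this thread, Meraki or Cisco), here is a small Python classifier for the first handshake record seen on port 2083 in a capture. RADIUS/TLS (RFC 6614) rides TCP with a TLS record header, while RADIUS/DTLS (RFC 7360) rides UDP with a DTLS record header, so the first packet from the AP tells you which variant it is attempting before you spend time on certificates. The port and header constants come from the RFCs; the sample packets are constructed.

```python
"""Tell RADIUS/TLS from RADIUS/DTLS by the transport and record header on port 2083."""
from typing import NamedTuple, Optional, Iterable

RADSEC_PORT = 2083   # both RFC 6614 (TLS/TCP) and RFC 7360 (DTLS/UDP) use this port
HANDSHAKE = 0x16     # record content type for a TLS or DTLS handshake message


class Packet(NamedTuple):
    proto: str       # "tcp" or "udp"
    dst_port: int
    payload: bytes   # leading bytes of the transport payload


def classify_record(pkt: Packet) -> Optional[str]:
    """Return 'radius/tls', 'radius/dtls', or None if this is not a RADsec handshake record."""
    if pkt.dst_port != RADSEC_PORT or len(pkt.payload) < 5 or pkt.payload[0] != HANDSHAKE:
        return None
    major, minor = pkt.payload[1], pkt.payload[2]
    # TLS record header: type(1) version(2) length(2); version bytes 0x03 0x01..0x04
    if pkt.proto == "tcp" and major == 0x03 and 0x01 <= minor <= 0x04:
        return "radius/tls"
    # DTLS record header: type(1) version(2) epoch(2) seq(6) length(2);
    # version bytes 0xFE 0xFF (DTLS 1.0) or 0xFE 0xFD (DTLS 1.2), so at least 13 bytes
    if pkt.proto == "udp" and major == 0xFE and minor in (0xFF, 0xFD) and len(pkt.payload) >= 13:
        return "radius/dtls"
    return None


def nas_mode(packets: Iterable[Packet]) -> Optional[str]:
    """Infer the single RADsec variant a NAS is attempting; None if absent or mixed."""
    modes = {m for m in map(classify_record, packets) if m is not None}
    return modes.pop() if len(modes) == 1 else None


def compatible(client_mode: Optional[str], server_mode: str) -> bool:
    """True only when the NAS variant matches what the RADIUS server actually terminates."""
    return client_mode is not None and client_mode == server_mode


# Constructed samples: a TLS 1.2 ClientHello record over TCP (what the thread's captures
# show from the AP) and a DTLS 1.2 ClientHello record over UDP (what ISE expects).
SAMPLE_TLS = Packet("tcp", 2083, bytes.fromhex("160301009c0100009803030a0b"))
SAMPLE_DTLS = Packet("udp", 2083, bytes.fromhex("16fefd000000000000000000a0010000"))
SAMPLE_PLAIN = Packet("udp", 1812, bytes.fromhex("01000014"))  # plain RADIUS Access-Request

if __name__ == "__main__":
    mode = nas_mode([SAMPLE_TLS])
    print(f"AP attempts {mode}; ISE listener radius/dtls compatible: {compatible(mode, 'radius/dtls')}")
```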