Radsec linked to Cisco ISE
Good morning. Just wondering if anyone has managed to set up RadSec between Meraki APs and Cisco ISE. I'm certain I've set up both environments correctly, but authentication (pass or fail) isn't showing in the ISE logs, so I suspect it's an issue with the RadSec initial connection. When importing the Meraki certificate into ISE, which service should this trusted certificate be used for? (See below)
Apart from that, the certificate I have imported into the Meraki dashboard is the root certificate of the chain that the ISE certificate uses for RadSec: ISE Cert > CA Issuing Server Certificate > CA Root Server Certificate. I tried to import the issuing CA certificate (middle of the chain) into Meraki, but it complained that it wasn't a root certificate, so I assume it just wants the root and no other parts of the chain.
The ISE network device object is set up to use DTLS on 2083 with its fixed password radius/dtls.
The RADIUS setting within Meraki access control is set up to use RadSec with that password on port 2083.
No ACLs or firewalls are blocking access between the APs. It works perfectly well without RadSec, but as soon as the config is changed to use RadSec it doesn't work.
Any thoughts?
Logs in the Meraki AP when trying to authenticate via radsec:
To my knowledge, this isn't supposed to work as RADsec is different from RADIUS over DTLS. Meraki implemented the first, Cisco ISE only the second, and they are not compatible.
@DevOps_RC I would have thought it is the bottom one as the Meraki APs should count as Cisco services, but I am not 100% certain.
Thanks for the information. I appreciate that there are two versions of RadSec, RADIUS over TLS and RADIUS over DTLS. I thought your suggestion couldn't possibly be right, I mean why would Cisco take two different approaches to securing RADIUS... but I tip my hat to you. All the documentation I can find (https://documentation.meraki.com/MR/Encryption_and_Authentication/MR_RADSec) states that Meraki RadSec uses TLS (only TCP connections can be seen in the packet captures to prove it), whereas, although I'm struggling to find an official Cisco ISE document, I did find this article (https://www.wiresandwi.fi/blog/cisco-radsec-part-1-radius-tls-dtls-overview) and it states 'Throughout this series, we will use RADIUS over DTLS for our RadSec implementation, since this is the only mode available for Cisco ISE.'
Oh dear......Anyone from Cisco want to jump in and say, 'Don't worry, upgrade to the latest version of ISE and it will support Radius over TLS'..or someone from Meraki instead want to say 'No worries, MR3X supports Radius over DTLS'??? Please.....
We recently had a discussion where someone thought of putting a FreeRADIUS in front of the ISE as a RADsec Proxy to overcome the limitations. But no, I think these Cisco components really should have common features for securing RADIUS.
Another option, that won't work in all cases, is sending RADIUS through an IPsec VPN. The ISE can terminate IPsec, or a VPN device in the same data center can be used for this. But it won't help for our switches and APs where we would also need an additional VPN-device per location.
Have you tested with the current stable 30.7? Same result?
If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
Apologies for the delay in responding. I'm just going to upgrade my test lab to that version now, and I'll provide an update hopefully later, if not Monday.
@Ryan_Miles, I don't suppose MR 30.7 includes RADIUS over DTLS support? Can you confirm that MR APs only support RADIUS over TLS, as @KarstenI has suggested?
According to the doc, Meraki APs do appear to use TLS for RadSec.
And yes, it appears ISE only supports RADIUS over DTLS today and not TLS RadSec. Various docs don't seem to be all that clear on the topic.