Genie's Tech Blog

Where knowledge has no dimensions

Authenticating Router With ISE As RADIUS

Hello Friends,

Today, I am going to discuss authenticating a router with an ISE (Identity Services Engine) server. ISE is a security policy management and control platform. It automates and simplifies access control and security compliance for wired, wireless, and VPN connectivity. As a quick feature update, the latest ISE 1.2 has the following capabilities:

1. Integrates with most of the leading Mobile Device Management (MDM) and Mobile Application Management (MAM) technologies.

2. Supports 250,000 active and 1,000,000 registered devices.

3. Zero-day profile feed service for new devices

4. Integrates with leading Security Information and Event Management (SIEM) and threat defense technologies to improve cyber security

Before we proceed with our example, we will try to understand what RADIUS is. The Remote Authentication Dial-In User Service (RADIUS) protocol was developed by Livingston Enterprises, Inc., as an access server authentication and accounting protocol. RADIUS uses UDP for communication between the RADIUS server and the Network Access Server (NAS). The RADIUS server supports different methods for authenticating a user. A user login consists of a query (Access-Request) from the NAS to the RADIUS server and a corresponding response (Access-Accept or Access-Reject) from the server. The Access-Request packet contains the username, the encrypted password, the NAS IP address, and the port. Early deployments of RADIUS used UDP port 1645, which conflicts with the "datametrics" service. Because of this conflict, RFC 2865 officially assigned port 1812 for RADIUS authentication. So, when implementing RADIUS-based authentication, do not forget to permit UDP port 1812 on any firewall in the path, otherwise the authentication requests will not go through.
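The Access-Request / Access-Accept exchange just described, as an added example that is not the blog's or Cisco's code: a minimal NAS side and server side in Python that hides the User-Password the way RFC 2865 specifies and verifies the Response Authenticator of the reply. The shared secret cisco123 and the user test are taken from this post; the addresses and the fixed Request Authenticator used for demonstration are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and the attributes the Access-Request described on this page carries (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
def password_xor(data, secret, authenticator, hide):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden block), the first block seeded by the Request Authenticator
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (result if hide else block)
    return out
def hide_password(password, secret, authenticator):  # NAS side: pad with NULs to a 16-byte multiple
    return password_xor(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)
def reveal_password(hidden, secret, authenticator):  # server side: same keystream, strip the padding
    return password_xor(hidden, secret, authenticator, False).rstrip(b"\x00")
def attribute(kind, value):  # one TLV: Type(1) Length(1, counts the header) Value
    return struct.pack("!BB", kind, len(value) + 2) + value
def build_access_request(ident, username, password, secret, nas_ip, nas_port, authenticator=None):
    # Header: Code(1) Identifier(1) Length(2) Request-Authenticator(16); the authenticator must be random
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
def parse_attributes(packet):  # {type: raw value}; enough to read back User-Name or an Accept's attributes
    attrs, i = {}, 20
    while i < len(packet):
        kind, length = packet[i], packet[i + 1]
        attrs[kind], i = packet[i + 2:i + length], i + length
    return attrs
def response_authenticator(code, ident, attrs, request_authenticator, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()
def build_response(code, request, secret, attrs=b""):  # server side: Access-Accept or Access-Reject
    ident, req_auth = request[1], request[4:20]
    return (struct.pack("!BBH", code, ident, 20 + len(attrs))
            + response_authenticator(code, ident, attrs, req_auth, secret) + attrs)
def verify_response(response, request, secret):
    # NAS side: check identifier, length and Response Authenticator before trusting an Accept
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])
```

Note that the password hiding is only an MD5 keystream keyed by the shared secret, so the strength of the secret and the protection of the path between the router and the ISE are what actually protect the credentials.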

Let's now take a look at a simple example in which we authenticate a router with the RADIUS server, which is the ISE in our case.


The Gig1 (e1) interface of the ASA is configured as the inside interface and the Gig2 (e2) interface as the outside interface. Let's have a look at the complete config of all the devices necessary for connectivity.

Config on R4:
interface FastEthernet1/0
 switchport access vlan 150
interface FastEthernet1/1
 switchport access vlan 4
interface Vlan4
 ip address
interface Vlan150
 ip address
ip route

Config on ASA:
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address
interface GigabitEthernet2
 nameif out1
 security-level 0
 ip address
access-list OUT extended permit icmp any any
access-list OUT extended permit udp any any eq domain
access-list OUT extended permit tcp any any eq telnet
access-list OUT extended permit tcp any host eq www
access-list OUT extended permit tcp any host eq ldap
access-group OUT in interface out1
route out1 1
route inside 1

Config on R5:
interface FastEthernet0/0
 ip address
 speed auto
 duplex auto
interface FastEthernet0/1
 ip address
 speed auto
 duplex auto
ip route

From the above config, we see that on the ASA we have permitted ICMP, UDP traffic to the DNS server, telnet traffic, LDAP requests to the Domain Controller which is hosted on and also web requests to the same server. Let's now try to confirm the connectivity:

On R5:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/55/72 ms

So, the above ping confirms the connectivity to the Domain Controller. Let's now take a look at the ISE configuration.

Let's now check the connectivity from the PC in VMNET2 to the ISE in VMNET1.


So, now we have connectivity from VMNET2 to VMNET1. Remember that we can also check the connectivity between R5 and the ISE directly, since the test-pc is not playing any role in this section.

Let's now configure the router R5 to authenticate against the ISE. First we configure the ISE: we need to add a network device, which is the router R5. So we go to Administration -> Network Resources -> Network Devices and on that page we click on Add.

As you see above, we have added the device with the name "R5" and entered the IP that is going to be used for authentication, which is the interface towards the ASA firewall in this case. Then we select the "Authentication Settings" option and there we enter the shared secret "cisco123". Then we click on "Submit".

We now create a user group under the Identity Management section. We go to Administration -> Identity Management -> Groups -> User Identity Groups and there we click on Add.

Now we switch to the Identities tab under the Identity Management section and, under User Identities, we create a new user by clicking on the Add button. There we add the username and password and, under User Groups, we select the group that we created above and click Submit.

We have now created the user named "test". Let's now configure AAA and RADIUS on the router R5:

aaa new-model
aaa authentication login default group radius local
username cisco privilege 15 password 0 cisco
aaa server radius dynamic-author
 client server-key cisco123
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server host key cisco123
radius-server retransmit 10
radius-server vsa send accounting
radius-server vsa send authentication

From the above RADIUS config, we see that we have set the AAA login authentication to use RADIUS first and then the local database. This is so that, if we are unable to reach the RADIUS server for some reason, such as a network issue, we can still use the local login to authenticate on the router. Note that the local method is tried only when the RADIUS server does not respond; a user the RADIUS server explicitly rejects is not retried against the local database.

So far we have not configured the ASA to allow RADIUS traffic. Now if we try to connect to the router from the test-pc, we notice that the RADIUS authentication does not succeed, but we are still able to log in using the local username and password.


On the ASA we see traffic to the default port 1645 getting blocked:

%ASA-4-106023: Deny udp src out1: dst inside: by access-group "OUT" [0x0, 0x0]

%ASA-4-106023: Deny udp src out1: dst inside: by access-group "OUT" [0x0, 0x0]

Since in the above config we have not specified which port to use, the router is using the old default port, 1645. We need to explicitly specify UDP port 1812 for authentication (and 1813 for accounting):

radius-server host auth-port 1812 acct-port 1813

Now we permit the RADIUS authentication port 1812 and accounting port 1813 on the ASA:

ciscoasa(config)# access-list OUT per udp any host range 1812 1813

The above access-list entry permits the UDP traffic for RADIUS authentication and accounting. Now, if we test RADIUS authentication from the router, we should see a success.
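A small detection script, added here and not part of the original post, that reads ASA 106023 deny messages like the two shown above and reports dropped RADIUS requests, distinguishing the legacy default port 1645 (the router still needs auth-port 1812) from the RFC-assigned ports (the ASA still needs the permit). The sample log lines are constructed with RFC 5737 documentation addresses, since the real addresses are not shown on the page.

```python
import re

# Cisco ASA 106023 deny message, the message this page shows; group names follow the ASA field order
ASA_DENY = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
# Destination ports that identify a RADIUS request: the legacy defaults and the RFC-assigned ones
RADIUS_PORTS = {1645: "legacy authentication (pre-RFC 2865 default)", 1646: "legacy accounting",
                1812: "authentication (RFC 2865)", 1813: "accounting (RFC 2866)"}

def parse_deny(line):
    """Return the fields of one 106023 message as a dict, or None for any other line."""
    m = ASA_DENY.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"], fields["dport"] = int(fields["sport"]), int(fields["dport"])
    return fields

def radius_denies(lines):
    """Pick out dropped RADIUS requests: (NAS, server, port, meaning, acl, hint) per denied UDP flow."""
    findings = []
    for line in lines:
        f = parse_deny(line)
        if not f or f["proto"] != "udp" or f["dport"] not in RADIUS_PORTS:
            continue
        if f["dport"] in (1645, 1646):  # the router never got auth-port 1812 / acct-port 1813
            hint = "NAS still uses the old default ports; set auth-port 1812 and acct-port 1813 on the radius-server host"
        else:  # correct ports, but the firewall has no permit for them yet
            hint = f"permit udp to {f['dst']} port {f['dport']} in access-list {f['acl']}"
        findings.append((f["src"], f["dst"], f["dport"], RADIUS_PORTS[f["dport"]], f["acl"], hint))
    return findings

# Constructed sample log: the page's two deny lines with sample addresses, an unrelated deny, and a deny on 1812
SAMPLE_LOG = [
    '%ASA-4-106023: Deny udp src out1:192.0.2.5/49152 dst inside:198.51.100.10/1645 by access-group "OUT" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src out1:192.0.2.5/49153 dst inside:198.51.100.10/1645 by access-group "OUT" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src out1:192.0.2.5/51234 dst inside:198.51.100.10/445 by access-group "OUT" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src out1:192.0.2.5/49154 dst inside:198.51.100.10/1812 by access-group "OUT" [0x0, 0x0]',
]

if __name__ == "__main__":
    for nas, server, port, meaning, acl, hint in radius_denies(SAMPLE_LOG):
        print(f"RADIUS {meaning} from {nas} to {server}/{port} dropped by {acl}: {hint}")
```

Dropped RADIUS requests are worth alerting on in their own right, because while they persist the router is silently falling back to its local credentials.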

Output on R5:
R5#test aaa group radius test Admin@123 new-code
User successfully authenticated


username             0   "test"
Termination-Action   0   True

We can now try to telnet to the router from the test-pc and see how the authentication works.

We now see the success. We can also integrate Active Directory for authenticating users. For this we have to add an external identity source to the ISE; here we have added our domain in the ISE.

Now we go to Policy -> Authentication and there we change the Identity Source from Internal Users to the Active Directory identity source we added.

We have our AD configured with the user administrator. Let's try to authenticate to the router with the user administrator.

Below is the snapshot of the ISE Live authentications.

Hope this post was helpful.

Please feel free to reach out to me in case of questions.
