topic ISE Trustsec with 6500 in Network Access Control

ISE Trustsec with 6500

Zohaib Hussain — Mon, 11 Mar 2019 03:22:10 GMT

I've ISE v1.1.2.145 and Cat 6500 IOS ADVENTERPRISEK9-M, Version 15.0(1)SY2

I'm trying to add 6500 in the trustsec group with ISE and followed the trustsec 2.1 documentation. After configuring it keeps on giving me error in the ISE logs below with the subject #CTSREQUEST#

11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute

Below are the steps:

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

15012 Selected Access Service - NDAC_SGT_Service

11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute

Also after i configure cts credentials and radius-server pac command in 6500, it starts giving me log messages that radius is down and the next moment it comes up again. It is continously doing that.

Thanks in advance for the help.

Regards,

Zohaib

ISE Trustsec with 6500

askhuran — Thu, 02 May 2013 19:28:48 GMT

Hello Zohaib,

You may find the following of help in solving the problem.

Configuring EAP-FAST Settings

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_auth_pol.html#wp1146184

Configuring Security Group Access Settings

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_sga_pol.html#wp1102430

Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_net_acc_flows.html#wp1135510

EAP-FAST

http://www.cisco.com/en/US/prod/collateral/wireless/ps5679/ps5861/prod_qas09186a00802030dc_ps430_Products_Q_and_A_Item.html

ISE Trustsec with 6500

Zohaib Hussain — Sat, 04 May 2013 07:03:17 GMT

I've already opened a TAC case and the engineer said every thing is configured fine. Will send some debugs to them. I'll update here once the case is solved.

Thanks for your help.

Regards,

Zohaib

Hi Zohaib

jsteffensen — Fri, 27 May 2016 13:56:30 GMT

Hi Zohaib

I've been facing the same error-messages and you, and found a pritty good "Step by Step guide" which helped me out:

http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/identity-based-networking-service/116498-configure-cts-00.html

Best Regards

Jarle

Re: ISE Trustsec with 6500

Sdiana — Mon, 07 Jan 2019 05:22:20 GMT

Hi Zohaib,

could you solve this issue? I have the same problem to authenticate 3850 core switches in ISE.

Re: ISE Trustsec with 6500

Damien Miller — Mon, 07 Jan 2019 06:52:32 GMT

Sam,

Are you receiving a cts pac on any switches or are you setting up a new trustsec environment, making this is the first one and it doesn't work? There are a few reasons this log can appear. Some basic things to check when you are having issues with trustsec switches.

The Simple scenarios
1. Missing cts credential ID and password. The credentials don't show up in running config, run "sh cts credentials" will display what was configured. You will not see the password configured, only the ID.
2. Cts device credentials do not match. Similar to scenario 1, the same CTS ID and password has to be configured in for the NAD in ISE and on the NAD itself.
3. Radius pac keys are misconfigured either on the switch or in ISE
4. Dynamic author keys are misconfigured.

More complex scenarios
5. The cts request on a 3850 does not include a calling station id in the radius packets. If you are using load balancers then the CTS provisioning process breaks until magic happens and all the packets hit the same PSN. Need to tweak the load balancing algorithm if only using calling station ID.
6. MTU issues. Either via some ugly bugs in early code, or a simple misconfiguration like missing cts manual on one side of a link. You can end up dropping packets before 1500 bytes. An easy test it to source a ping from the management interface at the configured MTU size.

Re: ISE Trustsec with 6500

Aravind Ravichandran — Mon, 07 Jan 2019 07:17:56 GMT

Please check the whether the credentials configured at the NAD is matching the credentials configured in ISE for the respective NAD.

You can refer this link to check the credentials at ISE end.

Use this command to configure cts credentials at NAD

cts credentials id <device id> password <password>

After that check whether pac is generated at the NAD using show cts pacs

-Aravind

Re: ISE Trustsec with 6500

Sheraz.Salim — Mon, 07 Jan 2019 09:41:24 GMT

had a similar issue the one you having.

just make sure you have right config. which i assume you do.

aaa new-model

aaa authentication dot1x default group ISE

aaa authorization default group ISE

aaa authorization ISE group ISE

aaa accounting dot1x default start-stop group ISE

aaa group radius server ISE

radius server CISCO

aaa server radius dynamic author

client X.X.X.X. serverkey cisco

radius server CISCO

addres ipv4 x.x.x.x auth-port 1812 acct-port 1813

pac key cisco

radius-server attribute 6 on

radius-server attribute 8

radius-server attribute 25

radius-server vsa sent auth

radius-server vsa sent account

dot1x system-auth

cts authorization list ISE

cts credentials id <device id> password <password>

give it 5 to 10 min. it will download it.

also make sure to use the port 1812 1813.