topic Re: Cisco ISE Trustsec failing in lab 3750E in Network Access Control

Cisco ISE Trustsec failing in lab 3750E

jaismith — Sat, 04 Feb 2023 02:35:27 GMT

For some reason I cannot get my switch to authenticate with ISE for CTS. The live logs show Event 5405 RADIUS Request dropped Failure Reason 11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute .

As far as ISE config everything looks good in the "Advanced Trustsec Settings" section. Here is my switch config.

This is on a 3750E running version 15.0(2)SE11

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa authorization network cts-list group ise-group

aaa authorization network TRUSTSEC group ise-group

aaa accounting system default start-stop group ise-group

aaa accounting dot1x default start-stop group radius

radius server ISE

address ipv4 [IP ADDRESS] auth-port 1812 acct-port 1813

automate-tester username radius-test

pac key Passw0rd

aaa group server radius ise-group

server name ISE

aaa authorization network cts-list group ise-group

cts authorization list TRUSTSEC

cts role-based enforcement

cts role-based enforcement vlan-list 1-4094

Re: Cisco ISE Trustsec failing in lab 3750E

Rodrigo Diaz — Sat, 04 Feb 2023 15:10:58 GMT

hello @jaismith , did you see any inputs if you issue the commands "show cts provisioning" and "show cts credentials" ? , please confirm that you have the credentials matching with what you have configured in the trustsec configuration within the NAD section on ISE , lastly I would also confirm that the radius you have is working fine first by removing the cts configuration and testing only radius with ISE to then reenter the cts commands .

Let me know if that helped you.

Re: Cisco ISE Trustsec failing in lab 3750E

hslai — Sun, 05 Feb 2023 21:22:11 GMT

For 3750-E, the last date of support is January 31, 2018 as shown in End-of-Sale and End-of-Life Announcement for the Cisco Catalyst 3750G, 3560G, 3750-E, and 3560-E Series Switches

And, Table 3 End of Sale Group Based Policy Platform Support Matrix in Cisco Group Based Policy Platform and Capability Matrix Release 6.5 shows Catalyst 3750-E series support SGT classification and SXP only but not SGT enforcement.

Re: Cisco ISE Trustsec failing in lab 3750E

Greg Gibbs — Sun, 05 Feb 2023 21:39:06 GMT

I recall an issue with the 'cts-pac-opaque' when using older switches. The way to resolve that issue was to create two separate 'radius server' entries for the same PSN using different ports for authentication/accounting. You would then use one entry for non-pac config and the other entry for the pac-based config and CTS list.

Example:

radius server ise30-sa
address ipv4 192.168.120.180 auth-port 1812 acct-port 1813
key xxxxx
radius server ise30-sa-PAC
address ipv4 192.168.120.180 auth-port 1645 acct-port 1646
pac key xxxxx
!
aaa group server radius ISE_Auth
server name ise30-sa
aaa group server radius ISE_Auth+PAC
server name ise30-sa-PAC
aaa authentication dot1x default group ISE_Auth
aaa authorization network default group ISE_Auth
aaa authorization network CTS-LIST group ISE_Auth+PAC
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group ISE_Auth
!
cts authorization list CTS-LIST

Re: Cisco ISE Trustsec failing in lab 3750E

hslai — Mon, 06 Feb 2023 01:02:03 GMT

@Greg Gibbs : IIRC the workaround is for C3750X or C3560X on 15.0(2)SE train. C3750X and C3560X do support CTS enforcement.

Re: Cisco ISE Trustsec failing in lab 3750E

jaismith — Tue, 07 Feb 2023 23:56:24 GMT

The switch is a 3750-X switch with 3750E software. I just upgraded to 15.2(4)E10. I guess that compatibility matrix is confusing me because I have a 3750-X so I assumed it should work with the upgraded software. Am I wrong? Thanks

SW-1#show inv
NAME: "1", DESCR: "WS-C3750X-48P"
PID: WS-C3750X-48PF-S

Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.2(4)E10, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Tue 31-Mar-20 13:22 by prod_rel_team

Re: Cisco ISE Trustsec failing in lab 3750E

jaismith — Thu, 09 Feb 2023 02:24:19 GMT

SW-1#show inv
NAME: "1", DESCR: "WS-C3750X-48P"
PID: WS-C3750X-48PF-S

Re: Cisco ISE Trustsec failing in lab 3750E

bryan-cruz — Thu, 26 Jun 2025 03:36:44 GMT

Hi, Were you able to solve this problem?