https://community.cisco.com/t5/network-access-control/ise-2-7-radius-suppression-and-cts/m-p/4950954#M584916 <P>Hi all!</P><P>We're using Cisco Trustsec in our Branch Office and currently investigating an interesting issue - it looks like Radius Suppression does not work for endpoints connected to NADs onboarded for CTS.</P><P>As a result we see all of the failed attempts (MAB, for example) for every endpoint where as having radius suppression turned on:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kefear_0-1698679929406.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201213i992E4D69B6F7C333/image-size/medium?v=v2&amp;px=400" role="button" title="kefear_0-1698679929406.png" alt="kefear_0-1698679929406.png" /></span></P><P>For all of them we see expected reject:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kefear_1-1698679966628.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201214iBCBBE2691BE5BF8D/image-size/medium?v=v2&amp;px=400" role="button" title="kefear_1-1698679966628.png" alt="kefear_1-1698679966628.png" /></span></P><P>Our Radius Suppression Settings:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kefear_2-1698680053522.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201215i3A7BF59A4EB5867A/image-size/medium?v=v2&amp;px=400" role="button" title="kefear_2-1698680053522.png" alt="kefear_2-1698680053522.png" /></span></P><P>I've collected some debugs and it looks like CTS has some impact here:</P><P>2023-10-30 22:17:24,466 DEBUG [Thread-250][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- ClientSuppression,DEBUG,0x7f348e1a3700,cntx=0000106875,sesn=ise-1n2/488037056/2462,CPMSessionID=6704840A0001C45A35C19954,CallingStationID=6C-24-08-8A-E9-26,FramedIPAddress=10.132.74.148,ClientSuppression isRejectEndpoint: EndpointID=6C:24:08:8A:E9:26,ClientSuppression.cpp:424<BR />2023-10-30 22:17:24,466 DEBUG [Thread-250][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- ClientSuppression,DEBUG,0x7f348e1a3700,cntx=0000106875,sesn=ise-1n2/488037056/2462,CPMSessionID=6704840A0001C45A35C19954,CallingStationID=6C-24-08-8A-E9-26,FramedIPAddress=10.132.74.148,ClientSuppression endpoint is not in the misconfigured list,ClientSuppression.cpp:468<BR />2023-10-30 22:17:24,523 DEBUG [Thread-211][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Radius,DEBUG,0x7f348e5a7700,cntx=0000106875,sesn=ise-1n2/488037056/2462,CPMSessionID=6704840A0001C45A35C19954,user=6C-24-08-8A-E9-26,CallingStationID=6C-24-08-8A-E9-26,FramedIPAddress=10.132.74.148,FAILED ATTEMPT - AccessReject detected.,RadiusRequestFlow.cpp:758<BR />2023-10-30 22:17:24,523 DEBUG [Thread-211][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- ClientSuppression,DEBUG,0x7f348e5a7700,cntx=0000106875,sesn=ise-1n2/488037056/2462,CPMSessionID=6704840A0001C45A35C19954,user=6C-24-08-8A-E9-26,CallingStationID=6C-24-08-8A-E9-26,FramedIPAddress=10.132.74.148,ClientSuppression OnFailure: prevent client suppression for CTS client endpoint,ClientSuppression.cpp:148</P><P>However, i did not find any input on such behavior in documentation. Any thoughts?</P><P>&nbsp;</P> Mon, 30 Oct 2023 15:36:05 GMT kefear 2023-10-30T15:36:05Z https://community.cisco.com/t5/network-access-control/ise-2-7-radius-suppression-and-cts/m-p/4950954#M584916 <P>Hi all!</P><P>We're using Cisco Trustsec in our Branch Office and currently investigating an interesting issue - it looks like Radius Suppression does not work for endpoints connected to NADs onboarded for CTS.</P><P>As a result we see all of the failed attempts (MAB, for example) for every endpoint where as having radius suppression turned on:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kefear_0-1698679929406.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201213i992E4D69B6F7C333/image-size/medium?v=v2&amp;px=400" role="button" title="kefear_0-1698679929406.png" alt="kefear_0-1698679929406.png" /></span></P><P>For all of them we see expected reject:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kefear_1-1698679966628.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201214iBCBBE2691BE5BF8D/image-size/medium?v=v2&amp;px=400" role="button" title="kefear_1-1698679966628.png" alt="kefear_1-1698679966628.png" /></span></P><P>Our Radius Suppression Settings:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kefear_2-1698680053522.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201215i3A7BF59A4EB5867A/image-size/medium?v=v2&amp;px=400" role="button" title="kefear_2-1698680053522.png" alt="kefear_2-1698680053522.png" /></span></P><P>I've collected some debugs and it looks like CTS has some impact here:</P><P>2023-10-30 22:17:24,466 DEBUG [Thread-250][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- ClientSuppression,DEBUG,0x7f348e1a3700,cntx=0000106875,sesn=ise-1n2/488037056/2462,CPMSessionID=6704840A0001C45A35C19954,CallingStationID=6C-24-08-8A-E9-26,FramedIPAddress=10.132.74.148,ClientSuppression isRejectEndpoint: EndpointID=6C:24:08:8A:E9:26,ClientSuppression.cpp:424<BR />2023-10-30 22:17:24,466 DEBUG [Thread-250][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- ClientSuppression,DEBUG,0x7f348e1a3700,cntx=0000106875,sesn=ise-1n2/488037056/2462,CPMSessionID=6704840A0001C45A35C19954,CallingStationID=6C-24-08-8A-E9-26,FramedIPAddress=10.132.74.148,ClientSuppression endpoint is not in the misconfigured list,ClientSuppression.cpp:468<BR />2023-10-30 22:17:24,523 DEBUG [Thread-211][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Radius,DEBUG,0x7f348e5a7700,cntx=0000106875,sesn=ise-1n2/488037056/2462,CPMSessionID=6704840A0001C45A35C19954,user=6C-24-08-8A-E9-26,CallingStationID=6C-24-08-8A-E9-26,FramedIPAddress=10.132.74.148,FAILED ATTEMPT - AccessReject detected.,RadiusRequestFlow.cpp:758<BR />2023-10-30 22:17:24,523 DEBUG [Thread-211][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- ClientSuppression,DEBUG,0x7f348e5a7700,cntx=0000106875,sesn=ise-1n2/488037056/2462,CPMSessionID=6704840A0001C45A35C19954,user=6C-24-08-8A-E9-26,CallingStationID=6C-24-08-8A-E9-26,FramedIPAddress=10.132.74.148,ClientSuppression OnFailure: prevent client suppression for CTS client endpoint,ClientSuppression.cpp:148</P><P>However, i did not find any input on such behavior in documentation. Any thoughts?</P><P>&nbsp;</P> Mon, 30 Oct 2023 15:36:05 GMT https://community.cisco.com/t5/network-access-control/ise-2-7-radius-suppression-and-cts/m-p/4950954#M584916 kefear 2023-10-30T15:36:05Z https://community.cisco.com/t5/network-access-control/ise-2-7-radius-suppression-and-cts/m-p/4952850#M584959 <P>What version of ISE is this? You might want to open a TAC case. I agree with you - I don't see why CTS should make any difference with respect to the suppression functionality in ISE.</P> Thu, 02 Nov 2023 20:24:21 GMT https://community.cisco.com/t5/network-access-control/ise-2-7-radius-suppression-and-cts/m-p/4952850#M584959 Arne Bier 2023-11-02T20:24:21Z https://community.cisco.com/t5/network-access-control/ise-2-7-radius-suppression-and-cts/m-p/4954703#M585037 <P>Currently we're on&nbsp;<SPAN>2.7.0.356 Patch 6. Agree with you, we'll definitely open SR to investigate this</SPAN></P> Tue, 07 Nov 2023 05:55:38 GMT https://community.cisco.com/t5/network-access-control/ise-2-7-radius-suppression-and-cts/m-p/4954703#M585037 kefear 2023-11-07T05:55:38Z