<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cisco ISE - Out Of Band (OOB) TrustSec PAC in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/cisco-ise-out-of-band-oob-trustsec-pac/m-p/5128533#M589978</link>
    <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532"&gt;@Arne Bier&lt;/a&gt;&amp;nbsp; ... thanks for the response. The docs are hard to find with regards to this. However, I was able to get my issue resolved by doing this. 1) I was able to regenerate the PAC by issuing &lt;STRONG&gt;cts refresh pac&lt;/STRONG&gt; from the switch. I don't know why this switch required manual intervention. DNAC is involved, so I will have to look into that. Once I issued that command, the device in ISE was showing the PAC issued by "Network Device". 2) We had another issue with this switch's AAA setup being misconfigured as well. After these changes were made, our TrustSec/SXP mappings were present on this switch when viewing the output from the&amp;nbsp;&lt;SPAN&gt;&lt;STRONG&gt;show cts environment-data&lt;/STRONG&gt; command.&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 11 Jun 2024 12:17:54 GMT</pubDate>
    <dc:creator>MattMH</dc:creator>
    <dc:date>2024-06-11T12:17:54Z</dc:date>
    <item>
      <title>Cisco ISE - Out Of Band (OOB) TrustSec PAC</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-out-of-band-oob-trustsec-pac/m-p/5128027#M589943</link>
      <description>&lt;P&gt;I am having issues getting my TrustSec policy working on one of my switches. When I run the following command I see:&lt;/P&gt;&lt;P&gt;27-Switch#show cts environment-data&lt;BR /&gt;CTS Environment Data&lt;BR /&gt;====================&lt;BR /&gt;Current state = START &lt;EM&gt;&lt;STRONG&gt;(always in START)&lt;/STRONG&gt;&lt;/EM&gt;&lt;BR /&gt;Last status = Cleared&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Then I started debugging (debug cts environment-data all) the switch and see this error..."PAC not found on the device"&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I went to the device in ISE, compared it to the switches that are working and noticed the OOB cert has expired. No other switch (that I am aware of yet) has an expired cert.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;I went ahead and clicked the "Generate PAC" on the device in ISE. However, what I find odd is that after I generate the cert, my username is in the "Issued By" section&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MattMH_0-1718026254029.png" style="width: 400px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/220511iCDF6189CCECA33EF/image-size/medium?v=v2&amp;amp;px=400" role="button" title="MattMH_0-1718026254029.png" alt="MattMH_0-1718026254029.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;Every other device, none of which have expired certs, shows Issued By as "network device", which leads me to believe something automated is being used to regenerate these certs.&lt;/P&gt;&lt;P&gt;Regenerating the PAC did not resolve the issue, so with all that said, I could have just sent you down the wrong rabbit hole and this OOB is all unrelated. 1 of my 100+ switches does not work, which started last week.&lt;/P&gt;</description>
      <pubDate>Mon, 10 Jun 2024 13:36:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-out-of-band-oob-trustsec-pac/m-p/5128027#M589943</guid>
      <dc:creator>MattMH</dc:creator>
      <dc:date>2024-06-10T13:36:04Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE - Out Of Band (OOB) TrustSec PAC</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-out-of-band-oob-trustsec-pac/m-p/5128209#M589956</link>
      <description>&lt;P&gt;Did you use DNAC (integrated with ISE at that time) to onboard the switches in a greenfield scenario? In that case DNAC does all this for you and I have never understood how this works.&lt;/P&gt;
&lt;P&gt;I have tried reading various Cisco articles on PAC but I just don't get it into my head. I wish someone with a knack for explaining this could write up a simple article about why anyone needs PAC and how it works, and best of all, how to fix it when it breaks.&lt;/P&gt;
&lt;P&gt;If you're not using SDA, DNAC provisioning still pushes PAC/CTS stuff to the switches - AFAIK, when not using SDA you don't need PAC in the device's RADIUS shared secret config. Not sure why DNAC insists on pushing this out, and I have not found an option in DNAC to disable this.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 10 Jun 2024 20:19:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-out-of-band-oob-trustsec-pac/m-p/5128209#M589956</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2024-06-10T20:19:32Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE - Out Of Band (OOB) TrustSec PAC</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-out-of-band-oob-trustsec-pac/m-p/5128533#M589978</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532"&gt;@Arne Bier&lt;/a&gt;&amp;nbsp; ... thanks for the response. The docs are hard to find with regards to this. However, I was able to get my issue resolved by doing this. 1) I was able to regenerate the PAC by issuing &lt;STRONG&gt;cts refresh pac&lt;/STRONG&gt; from the switch. I don't know why this switch required manual intervention. DNAC is involved, so I will have to look into that. Once I issued that command, the device in ISE was showing the PAC issued by "Network Device". 2) We had another issue with this switch's AAA setup being misconfigured as well. After these changes were made, our TrustSec/SXP mappings were present on this switch when viewing the output from the&amp;nbsp;&lt;SPAN&gt;&lt;STRONG&gt;show cts environment-data&lt;/STRONG&gt; command.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 11 Jun 2024 12:17:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-out-of-band-oob-trustsec-pac/m-p/5128533#M589978</guid>
      <dc:creator>MattMH</dc:creator>
      <dc:date>2024-06-11T12:17:54Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE - Out Of Band (OOB) TrustSec PAC</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-out-of-band-oob-trustsec-pac/m-p/5148489#M590792</link>
      <description>&lt;P&gt;Dear Cisco, I concur with Arne on why Catalyst Center deploys this CTS configuration on the switch and on ISE when there is no intention to use it. Or if there is some reason to use this config other than SDA, please enlighten us. And I also add my voice to requesting some detailed documentation on this whole process involving Catalyst Center, ISE, and the device. And how to avoid these nagging PAC expiration issues. Thanks for bringing this up, Arne.&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jul 2024 19:25:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-out-of-band-oob-trustsec-pac/m-p/5148489#M590792</guid>
      <dc:creator>TomM</dc:creator>
      <dc:date>2024-07-22T19:25:42Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE - Out Of Band (OOB) TrustSec PAC</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-out-of-band-oob-trustsec-pac/m-p/5148672#M590799</link>
      <description>&lt;P&gt;Thanks for the feedback, but I cannot guarantee that anyone from Cisco will see your comments. It's probably best to get Cisco's attention via your local account teams.&lt;/P&gt;</description>
      <pubDate>Tue, 23 Jul 2024 02:57:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-out-of-band-oob-trustsec-pac/m-p/5148672#M590799</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2024-07-23T02:57:50Z</dc:date>
    </item>
  </channel>
</rss>

