topic Can you post the output of in Network Access Control

Cisco TrustSec Catalyst 3650

matthewceroni — Mon, 11 Mar 2019 05:08:16 GMT

Hi:

I am attempting to follow the Cisco TrustSec Deployment guide (http://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Security/TrustSec_2-0/trustsec_2-0_dig.pdf).

So far things have been going well. I am at the point of adding in my Seed device. After completing the setup on ISE and then the switch itself (a Cisco Catalyst 3650) I am note that the environment data doesn't appear to have been download. However the PAC file is successfully generated.

fos01-l3-01#show cts pacs

AID: 43157A4E6832894FE4952D0A1F6167BB

PAC-Info:

PAC-type = Cisco Trustsec

AID: 43157A4E6832894FE4952D0A1F6167BB

I-ID: fos01-l3-01

A-ID-Info: fos01-ise-01v

Credential Lifetime: 11:00:43 PST Jan 22 2015

PAC-Opaque: 000200B8000300010004001043157A4E6832894FE4952D0A1F6167BB0006009C00030100B3696FBA1F7ABE1DAB104CCB18E875850000001354483C8400093A80B5EF16086495444FD0BDB5A88AE9AA775DE1A1AC483A2770B0C5A22D00B2386EFA6BE4847D7CBF2A6FD3C4D623DCD624AB1916A9E3960E082A8897B45D894E9CFDAA6FA8BFF5CBB1E30D17CF985B2913BF6FB105EAE5103DA2E017FB35EA06887D45F99C7D27FC987AE25EF0358CF08CFB4F7D000AC3A42E87640BA1

Refresh timer is set for 12w5d

fos01-l3-01#show cts environment-data

CTS Environment Data

====================

Current state = START

Last status = Failed

Environment data is empty

State Machine is running

Retry_timer (60 secs) is running

As you can see it says Last status = Failed.

Enabling debug logging for cts outputs the following

Oct 24 17:35:12.455: CTS env-data: Time to retry env data download

Oct 24 17:35:12.455: cts_env_data START: during state env_data_start, got event 0(env_data_request)

Oct 24 17:35:12.455: @@@ cts_env_data START: env_data_start -> env_data_waiting_rsp

Oct 24 17:35:12.455: env_data_waiting_rsp_enter: state = WAITING_RESPONSE

Oct 24 17:35:12.455: cts_aaa_is_fragmented: (CTS env-data SM)NOT-FRAG attr_q(0)

Oct 24 17:35:12.455: env_data_request_action: state = WAITING_RESPONSE

Oct 24 17:35:12.455: cts_env_data_is_complete: FALSE, req(x0), rec(x0)

Oct 24 17:35:12.455: cts_env_data_is_complete: FALSE, req(x0), rec(x0), expect(x81), complete1(x85), complete2(xB5), complete3(x1485)

Oct 24 17:35:12.456: env_data_request_action: state = WAITING_RESPONSE, received = 0x0 request = 0x0

Oct 24 17:35:12.456: cts_env_data_aaa_req_setup : aaa_id = 4240

Oct 24 17:35:12.456: cts_aaa_req_setup: (CTS env-data SM)Private group appears DEAD, attempt public group

Oct 24 17:35:12.456: cts_aaa_req_setup: (CTS env-data SM)No public method list found

Oct 24 17:35:12.456: cts_aaa_req_setup: (CTS env-data SM)Failed to get AAA method list handle.

Oct 24 17:35:12.456: cts_env_data WAITING_RESPONSE: during state env_data_waiting_rsp, got event 7(env_data_failed)

Oct 24 17:35:12.456: @@@ cts_env_data WAITING_RESPONSE: env_data_waiting_rsp -> env_data_start

Oct 24 17:35:12.456: env_data_start_enter: state = START

Oct 24 17:35:12.456: env_data_error_action: state = START

Oct 24 17:35:12.456: env_data_error_action: state = START, received = 0x0 request = 0x0

Within ISE itself it shows a successful authentication and PAC generation. However the log messages there are as follows. Not sure if it is significant that it says Access-Reject status at the end.

	11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	15012	Selected Access Service
	11507	Extracted EAP-Response/Identity
	12100	Prepared EAP-Request proposing EAP-FAST with challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12102	Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
	12800	Extracted first TLS record; TLS handshake started
	12805	Extracted TLS ClientHello message
	12806	Prepared TLS ServerHello message
	12808	Prepared TLS ServerKeyExchange message
	12810	Prepared TLS ServerDone message
	12105	Prepared EAP-Request with another EAP-FAST challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12104	Extracted EAP-Response containing EAP-FAST challenge-response
	12812	Extracted TLS ClientKeyExchange message
	12804	Extracted TLS Finished message
	12801	Prepared TLS ChangeCipherSpec message
	12802	Prepared TLS Finished message
	12816	TLS handshake succeeded
	12131	EAP-FAST built anonymous tunnel for purpose of PAC provisioning
	12105	Prepared EAP-Request with another EAP-FAST challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12104	Extracted EAP-Response containing EAP-FAST challenge-response
	12125	EAP-FAST inner method started
	11521	Prepared EAP-Request/Identity for inner EAP method
	12105	Prepared EAP-Request with another EAP-FAST challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12104	Extracted EAP-Response containing EAP-FAST challenge-response
	11522	Extracted EAP-Response/Identity for inner EAP method
	11806	Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
	12105	Prepared EAP-Request with another EAP-FAST challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12104	Extracted EAP-Response containing EAP-FAST challenge-response
	11808	Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
	15041	Evaluating Identity Policy
	15013	Selected Identity Source - Internal CTS Devices
	24213	Found SGA Device in Network Devices and AAA Clients
	22037	Authentication Passed
	11824	EAP-MSCHAP authentication attempt passed
	12105	Prepared EAP-Request with another EAP-FAST challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12104	Extracted EAP-Response containing EAP-FAST challenge-response
	11810	Extracted EAP-Response for inner method containing MSCHAP challenge-response
	11814	Inner EAP-MSCHAP authentication succeeded
	11519	Prepared EAP-Success for inner EAP method
	12128	EAP-FAST inner method finished successfully
	12105	Prepared EAP-Request with another EAP-FAST challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12104	Extracted EAP-Response containing EAP-FAST challenge-response
	12126	EAP-FAST cryptobinding verification passed
	12200	Approved EAP-FAST client Tunnel PAC request
	15016	Selected Authorization Profile -
	12173	Successfully finished EAP-FAST CTS PAC provisioning/update
	12105	Prepared EAP-Request with another EAP-FAST challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12104	Extracted EAP-Response containing EAP-FAST challenge-response
	11401	Prepared RADIUS Access-Reject after the successful in-band PAC provisioning
	11504	Prepared EAP-Failure
	11003	Returned RADIUS Access-Reject

Any insight would be appreciated.

Thanks

Hi Mattew,I'm trying to

oren_cohen — Tue, 31 Mar 2015 19:39:26 GMT

Hi Mattew,

I'm trying to integrate TrustSec as well, using Cisco ISE, on 3560 switch as a seed device. I'm getting the exact same symptoms as you do - the ISE reports that the switch has successfully authenticated, but no environmental data has been downloaded.

I followed this guide for configuring the ISE and the switch.

Have you been able to resolve this issue?

Thank you very much.

I also have the same issue

tony.parker — Mon, 21 Sep 2015 22:33:53 GMT

I also have the same issue.

Has anyone found a solution yet?

Thanks

Can you post the output of

Ryan Wolfe — Fri, 04 Dec 2015 02:32:36 GMT

Can you post the output of "show run aaa"? I was having the same issue and it was the syntax of the "aaa authorization network" statement. I was incorrectly specifying the method list.

It should look like this:

aaa authorization network [radius-server-group] group radius

I had it like this before and it wasn't working:

aaa authorization network cts group [radius-server-group]

Good luck,

Ryan

Check out my reply above and

Ryan Wolfe — Fri, 04 Dec 2015 02:33:54 GMT

Check out my reply above and see if that helps.

Hi, my AAA Authorization

khorheesoo — Sun, 12 Jun 2016 13:49:15 GMT

Hi, my AAA Authorization network command is correct. Yet the problem persist. Anyone found any solution for this?

Appreciate if anyone could shed some light here.

Thanks

Re: Cisco TrustSec Catalyst 3650

CCNASithk — Mon, 25 Sep 2017 18:46:32 GMT

my problem was I forgot the
cts authorization list <auth-list>
there was an aaa radius list to use, but I never told it to use it.

Re: Hi Mattew,I'm trying to

derrick.ray1 — Tue, 14 Nov 2017 16:55:35 GMT

Hi,

I was just reading this and wondering what the result is if you run a "cts refresh environmental-data"? Does it pull down the data as expected?

HELP ME - PAC it's OK, but the Environment-Data NOK

Rafael Trujilho — Mon, 26 Feb 2018 02:10:36 GMT

Hi Community,

I have a CTS deployment with:

- ISE v2.0.1_p4

- Cisco switches 3850 (classification (dynamic - AuthZ from ISE) / propagation (SXP) / enforcement)

- Cisco switches 6500 - Sup2T (classification (static - IP-to-SGT) / propagation (SXP) / enforcement)

Currently the deployment passed to presents the problem on the environment-data download, from 3850 and 6K switches, where the status showing:

CTS Environment Data

====================

Current state = WAITING_RESPONSE

Last status = Timeout waiting for response

Environment data is empty

State Machine is running

Retry_timer (60 secs) is not running

The symptom appear to be from ISE side... In some cases 3850 and 6500 switches I don't have the same problem on environment-data. The refresh <cts refresh environment-data> is working.

Let me know if this symptom is experienced by other colleagues? Please.

Re: Can you post the output of

bakurenko — Fri, 14 Sep 2018 19:42:33 GMT

It helped me.

In my case:

aaa group server radius ISE-GROUP
 server name ISE
aaa authorization network ISE-GROUP group ISE-GROUP 
cts authorization list ISE-GROUP
radius server ISE
 address ipv4 x.x.x.x auth-port 1645 acct-port 1646
 pac key xxxxxxxx

Re: Can you post the output of

oatroshc — Sun, 30 Jun 2019 17:32:13 GMT

@bakurenko wrote:

It helped me.

In my case:

aaa group server radius ISE-GROUP
 server name ISE
aaa authorization network ISE-GROUP group ISE-GROUP 
cts authorization list ISE-GROUP
radius server ISE
 address ipv4 x.x.x.x auth-port 1645 acct-port 1646
 pac key xxxxxxxx

Thanks,

This works for me as well - switch refreshed okay.

What I did then -

no aaa authorization network ISE-GROUP group ISE-GROUP

Now I enter what was 100% non-working before:

aaa authorization network ISE group ISE-GROUP

cts auth list ISE

crs refresh env

and I see it works. Miracle.

Re: Can you post the output of

Heriberto Diaz — Wed, 27 Nov 2019 16:36:51 GMT

This solutions works for me DNAC with ISE, just change the ports

auth-port 1812 acct-port 1813 for auth-port 1645 acct-port 1646

Regards.