topic Re: Trustsec Network Authorization not Working in Network Security

Trustsec Network Authorization not Working

titusroz03 — Tue, 23 Apr 2024 08:28:37 GMT

Hi All,

I am newly building trustsec in my environment,trying to add one of the switch under trustsec. Have configured Trustsec settings and COA on the ISE for the switch and added the appropriate aaa commands , radius servers and cts commands.But still switch couldn't download the pac and environment data from ISE.

show cts pacs
No PACs found in the key store.

show cts environment-data
CTS Environment Data
====================
Current state = WAITING_RESPONSE
Last status = In Progress
Environment data is empty
State Machine is running
Retry_timer (60 secs) is running..

aaa new-model

aaa authentication dot1x default group radius

aaa authorization network TRUSTSEC group radius

aaa accounting identity default start-stop group radius

radius server xxxx
address ipv4 xx.xx.xx.xx auth-port 1812 acct-port 1813
pac key 7 12483612111E1E011A2A717D24653017

dynamic author is added too.

Re: Trustsec Network Authorization not Working

Rob Ingram — Tue, 23 Apr 2024 08:37:08 GMT

@titusroz03 have you configured cts authorization <methodlistname> list cts command?

aaa authorization network CTS group ISE_RADIUS
cts authorization list CTS

Here is a working example

Re: Trustsec Network Authorization not Working

titusroz03 — Tue, 23 Apr 2024 10:55:31 GMT

Yes..It is configured already.

aaa authorization network TRUSTSEC group ISE_RADIUS

cts authorization list TRUSTSEC..

And I could also authenticate from switch to ISE through radius.So radius connectivity is fine.

Re: Trustsec Network Authorization not Working

Rob Ingram — Tue, 23 Apr 2024 10:58:35 GMT

@titusroz03 the message states WAITING_RESPONSE (from ISE). Is ISE configured correctly? Does ISE receive the request from the NAD? Is the RADIUS request from the correct IP that is configured in ISE for that NAD?

Re: Trustsec Network Authorization not Working

Aref Alsouqi — Tue, 23 Apr 2024 12:47:48 GMT

Which version of ISE you're using? please note that TLS 1.0 must be enabled before the PAC keys can be exchanged, so if you're using ISE 3.1 you need to go and enable TLS 1.0 manually because it's disabled by default. Alternatively, you can switch to HTTPS with REST API which uses TLS 1.1, but that requires a few configurations steps before it can work correctly. Also, did you configure the TrustSec settings on the switch in network devices in ISE?

Re: Trustsec Network Authorization not Working

titusroz03 — Tue, 23 Apr 2024 13:49:19 GMT

@Aref Alsouqi Yes.TLS1.0 and 1.1 both are enabled on ISE. And for the network device have configured the advanced trustsec configs - Device authentication settings & COA & credentials for config deployment.

Same device Id and password is configured in switch as cts credentials and password is configured as PAC key under radius server and dynamic auth server.

Re: Trustsec Network Authorization not Working

Aref Alsouqi — Tue, 23 Apr 2024 14:55:45 GMT

Thanks for confirming that. Could you please try to verify the cts credentials on the switch with the command "show cts credentials" to ensure they are correct? also, could you please try to issue the command "cts refresh envi" and see if that fixes the issue? if not, could you please enable the following debug commands and share the output for review?

deb cts provision events
deb cts provision packet
deb cts environment-data all

Re: Trustsec Network Authorization not Working

titusroz03 — Wed, 24 Apr 2024 04:23:49 GMT

PFB the below output for credentials

#show cts credentials
CTS password is defined in keystore, device-id = DOT1XTEST-SW01

Tried the environment refresh as well..Still no luck.

PFB debug output:

HK-DOT1XTEST-SW01#
*Apr 24 04:36:38.942: CTS env-data: Force environment-data refresh bitmask 0x2
*Apr 24 04:36:38.942: CTS env-data: download transport-type = CTS_TRANSPORT_IP_UDP
*Apr 24 04:36:38.942: cts_env_data WAITING_RESPONSE: during state env_data_waiting_rsp, got event 0(env_data_request)
*Apr 24 04:36:38.942: @@@ cts_env_data WAITING_RESPONSE: env_data_waiting_rsp -> env_data_waiting_rsp
*Apr 24 04:36:38.942: CTS-provisioning: PAC not found in keystore : aidlen = 0, rc = 6
*Apr 24 04:36:38.942: PAC not found on the device, triggering PAC provisioning for configured servers. Env-data download wiil be retried after 60 seconds

Above debug logs get repeated in 60 secs

Re: Trustsec Network Authorization not Working

Aref Alsouqi — Wed, 24 Apr 2024 10:03:27 GMT

What logs do you see in ISE RADIUS Live Logs coming from the switch?

Re: Trustsec Network Authorization not Working

titusroz03 — Thu, 25 Apr 2024 04:24:11 GMT

I am not seeing any logs from the switch

Re: Trustsec Network Authorization not Working

Aref Alsouqi — Thu, 25 Apr 2024 08:49:16 GMT

Please share the entire configs of the switch and ISE TrustSec configs for review.

Re: Trustsec Network Authorization not Working

titusroz03 — Mon, 29 Apr 2024 07:23:07 GMT

Debug CTS:

*Apr 29 07:23:06.111: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: commsuk] [Source: 10.200.127.44] [localport: 22] at 07:23:06 UTC Mon Apr 29 2024
*Apr 29 07:24:35.649: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration using a type 7 password. However, recommended to migrate to strong type-6 encryption
*Apr 29 07:24:39.027: CTS-provisioning: PAC not found in keystore : aidlen = 0, rc = 6
*Apr 29 07:25:12.220: Request for pac provisioning is already in progress.Calling pac provisioning stop
*Apr 29 07:25:12.220: Request successfully sent to PAC Provisioning driver.
*Apr 29 07:25:39.028: CTS-provisioning: PAC not found in keystore : aidlen = 0, rc = 6
*Apr 29 07:26:17.609: %SYS-5-CONFIG_I: Configured from console by commsuk on vty0 (10.200.127.44)
*Apr 29 07:26:39.028: CTS-provisioning: PAC not found in keystore : aidlen = 0, rc = 6
*Apr 29 07:26:51.284: %SYS-5-CONFIG_I: Configured from console by commsuk on vty0 (10.200.127.44)

Config in switch

aaa group server radius ISE-GROUP-RADIUS
server name ISE_US01
server name ISE_US02
server name ISE_UK01
server name ISE_UK02
ip radius source-interface Vlan900

aaa authentication login console local
aaa authentication login vty local
aaa authentication dot1x default group ISE-GROUP-RADIUS
aaa authorization network default group ISE-GROUP-RADIUS
aaa authorization network TRUSTSEC group ISE-GROUP-RADIUS
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group ISE-GROUP-RADIUS

aaa server radius dynamic-author

client 10.100.1.163 server-key

client 10.100.1.164 server-key

cts authorization list TRUSTSEC

cts credentials id HK-DOT1XTEST-SW01 password

dot1x system-auth-control
dot1x critical eapol block

ip radius source-interface Vlan900

radius server ISE_US01
address ipv4 10.100.1.163 auth-port 1812 acct-port 1813
timeout 2
retransmit 3
pac key
!
radius server ISE_US02
address ipv4 10.100.1.164 auth-port 1812 acct-port 1813
key
!
radius server ISE_UK01
address ipv4 10.1.80.164 auth-port 1812 acct-port 1813
key

Re: Trustsec Network Authorization not Working

titusroz03 — Mon, 29 Apr 2024 11:08:59 GMT

There was Mismatch with the device ID which was fixed now.I am able to download the pac..