Radius Login Requests / Provisioned Device -> ISE

Xividar
Level 1

Hi Guys,

I just provisioned my first device in DNA (yay), I have enabled RADIUS/TACACS Globally, and created the Device Management user in ISE. I can log in to the device okay, and I can see the RADIUS authentication requests in ISE. The issue I have is, there is also a bunch of RADIUS login attempts from a user "UNKOWN". I can't quite understand what these are?

Thanks.

 


1 Accepted Solution

just do "no cts server test"

and confirm if you continue to get the message.

Because the server-liveness is enabled by default, you may receive failed authentication messages from the user CTS-Test-Server. The server-liveness probes a specified RADIUS server or all servers in the dynamic server list, and when a RADIUS server does not respond, the switch will mark it as down and send the failed authentication message.

-hope this helps-
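To see how the liveness probe shows up next to a real login, here is an added example (not code from the thread or from Cisco) that parses "debug radius" attribute lines in the shape quoted earlier in the thread, groups them into requests, and labels each one as the CTS-Test-Server probe or a genuine user login so the probe noise can be filtered out of failed-authentication triage rather than being mistaken for someone guessing credentials. The sample lines, the NAS address and the user netadmin01 are constructed; the request-boundary heuristic (a request ends when an attribute name repeats) is an assumption, since the excerpt has no explicit "Send Access-Request" lines.

```python
import re
from collections import Counter

# Constructed sample in the same shape as the thread's "debug radius" excerpt
# (one attribute per timestamped line). The NAS address and the second user
# are made up; the first request mirrors the CTS-Test-Server liveness probe.
SAMPLE_DEBUG = """\
Mar 31 19:45:37.237: RADIUS: Vendor, Cisco [26] 211
Mar 31 19:45:37.237: RADIUS: Cisco AVpair [1] 205 "cts-pac-opaque= "
Mar 31 19:45:37.237: RADIUS: User-Password [2] 18 *
Mar 31 19:45:37.237: RADIUS: User-Name [1] 17 "CTS-Test-Server"
Mar 31 19:45:37.238: RADIUS: Service-Type [6] 6 Login [1]
Mar 31 19:45:37.238: RADIUS: NAS-IP-Address [4] 6 10.0.0.5
Mar 31 19:46:02.110: RADIUS: User-Password [2] 18 *
Mar 31 19:46:02.110: RADIUS: User-Name [1] 12 "netadmin01"
Mar 31 19:46:02.111: RADIUS: Service-Type [6] 6 Login [1]
Mar 31 19:46:02.111: RADIUS: NAS-IP-Address [4] 6 10.0.0.5
"""

# One attribute line: timestamp, "RADIUS:", attribute name, [type], length,
# and an optional value (absent on the Vendor header line).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:.]+): RADIUS: (?P<attr>[^\[]+?) '
    r'\[(?P<num>\d+)\] (?P<len>\d+)(?: (?P<val>.*))?$'
)

# User-Name the switch sends for its automated server-liveness test.
PROBE_USER = "CTS-Test-Server"


def parse_requests(text):
    """Group attribute lines into Access-Requests.

    Assumption: the excerpt carries no 'Send Access-Request' boundary lines,
    so a request is taken to end when an attribute name repeats (the next
    request has started). Each request is a dict of attribute -> value, with
    the first line's timestamp stored under "_ts".
    """
    requests, current = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an attribute line, or a shape we do not recognise
        attr = m.group("attr")
        if attr in current:
            requests.append(current)
            current = {}
        current[attr] = (m.group("val") or "").strip('"')
        current.setdefault("_ts", m.group("ts"))
    if current:
        requests.append(current)
    return requests


def classify(req):
    """Label a request as the liveness probe or a real login attempt.

    The probe is recognised by its fixed User-Name and by the cts-pac-opaque
    AVpair the switch attaches when it tests the CTS server list.
    """
    if (req.get("User-Name") == PROBE_USER
            or req.get("Cisco AVpair", "").startswith("cts-pac-opaque")):
        return "cts-liveness-probe"
    return "user-login"


def triage(text):
    """Return [(timestamp, user, label)] for each request, oldest first."""
    return [(r["_ts"], r.get("User-Name", ""), classify(r))
            for r in parse_requests(text)]


def summary(text):
    """Count requests per label, separating probe noise from real failures."""
    return Counter(label for _, _, label in triage(text))


if __name__ == "__main__":
    for ts, user, label in triage(SAMPLE_DEBUG):
        print(f"{ts}  {user or '<none>':<18} {label}")
    print(dict(summary(SAMPLE_DEBUG)))
```

The same split applies on the ISE side: a failed authentication whose User-Name is CTS-Test-Server (or that ISE shows without a resolvable identity) is the switch marking a server DEAD, as in the "show cts server-list" output above, and is a reachability problem to chase rather than a credential failure to alert on.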


11 Replies

ammahend
VIP

Can you test a user you are trying to login with ?

also can you share your policy screenshot

-hope this helps-

Mike.Cifelli
VIP Alumni
What version of ISE are you running? Do you have hosts connected to your newly provisioned EN? If so, how many? Is the ISE detailed log showing any other attributes (can you share a screenshot of the entire thing)? If hosts are connected to interfaces, have you configured the interfaces properly for host onboarding within DNAC? Please share any additional information so the community can better assist.

Xividar
Level 1

Hi Both,

test aaa group radius comes back as successful, so that's good - there are no hosts connected at this time, it's a brand new switch. Looking at the logs, it's talking about CTS (TrustSec), it's potentially using some sort of test user which doesn't exist?

xxx#show cts server-list
CTS Server Radius Load Balance = DISABLED
Server Group Deadtime = 20 secs (default)
Global Server Liveness Automated Test Deadtime = 20 secs
Global Server Liveness Automated Test Idle Time = 60 mins
Global Server Liveness Automated Test = ENABLED (default)

Installed list: CTSServerList1-0001, 1 server(s):
*Server: x.x.x.x, port 1812, A-ID xxx
Status = DEAD
auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs

!

!

Mar 31 19:45:37.237: RADIUS: Vendor, Cisco [26] 211
Mar 31 19:45:37.237: RADIUS: Cisco AVpair [1] 205 "cts-pac-opaque= "
Mar 31 19:45:37.237: RADIUS: User-Password [2] 18 *
Mar 31 19:45:37.237: RADIUS: User-Name [1] 17 "CTS-Test-Server"
Mar 31 19:45:37.238: RADIUS: Service-Type [6] 6 Login [1]
Mar 31 19:45:37.238: RADIUS: NAS-IP-Address [4] 6 x.x.x.x

The question is, why is it doing this?

Thanks :)

Have you manually configured the Network Device in the ISE or have you let the DNA-C create the Network Device?

Does the command "show cts pacs" show any output?

Have you tried deleting the Network Device in ISE and then provisioning the Device in DNA-C again (or editing the user and clicking Save is enough for the Network Device entry in ISE to be recreated)?


.:|:..:|:.Please rate helpful posts.:|:..:|:.

I let DNA create the Network Devices. I have deleted it, and will re-provision.

xxxx1#show cts pac
AID: 9E01E7452E123C5D9210975A83A597D9
PAC-Info:
PAC-type = Cisco Trustsec
AID: xxxxxxx
I-ID: xxxxxx
A-ID-Info: Identity Services Engine
Credential Lifetime: 19:48:25 BST Mon Jun 29 2020
PAC-Opaque: 000200B800030001000400109E01E7452E123C5D9210975A83A597D90006009C000301004DAD09711370C4894B3E01B0DAB39389000000135E7F80E600093A8089CF95E5E2014E0766106F1AE827EA30BA5D0208F3E64ED60536DB0D53036AB620A853A74AABE4B4109E299A5EB820075468199E438EC2B677509D8498D9B88E3239EF12F8F95E20F5CD06E5030007C9B6A912A682FBF1BE22E9C4C799FBFAA645BE39E12CFC293A14DAA00E7BA289B133F832A5E4598C155086A085
Refresh timer is set for 12w4d

Thank you.

Deleted it from Inventory, re-added, re-synched, gone back to the same state.

If I do a show cts environment-all see all of my SGTs, with State = Complete.
So it seems to be failing on InstalledList - CTSServerList1-0001 only.

Issue a #show cts provisioning. This will display outstanding Cisco TrustSec provisioning jobs. If there are any hung jobs try a re-provision. If that doesn't clear them you can attempt a reboot of switch. Also, something else to try if the hung jobs still exist is you can manually remove radius server config and re-add it.


Thanks Ammahend, disabling it worked, although now it reports as Installed Server List Status = Alive ? Strange, but anyway, thanks. That stopped the ISE entries. I need to read up on CTS and understand it a bit more.

https://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec.pdf

 

page 12-42 talks more about usage guidelines for cts server test, you can start from here.

-hope this helps-

for more accuracy on 16.12.* :0)
no cts server test all enable
