    Beginner

    Radius Login Requests / Provisioned Device -> ISE

    Hi Guys,

    I just provisioned my first device in DNA (yay), I have enabled RADIUS/TACACS globally, and created the Device Management user in ISE. I can log in to the device okay, and I can see the RADIUS authentication requests in ISE. The issue I have is that there is also a bunch of RADIUS login attempts from a user "UNKOWN". I can't quite understand what these are.

    Thanks.


    Contributor

    Re: Radius Login Requests / Provisioned Device -> ISE

    Can you test a user you are trying to log in with?

    Also, can you share your policy screenshot?

    -Rate helpful posts-
    VIP Collaborator

    Re: Radius Login Requests / Provisioned Device -> ISE

    What version of ISE are you running? Do you have hosts connected to your newly provisioned EN? If so how many? Is the ISE detailed log showing any other attributes (can you share screenshot of entire thing)? If hosts are connected to interfaces have you configured interfaces properly for host onboarding within DNAC? Please share any additional information so the community can better assist.
    Beginner

    Re: Radius Login Requests / Provisioned Device -> ISE

    Hi Both,

    test aaa group radius comes back as successful, so that's good. There are no hosts connected at this time, it's a brand new switch. Looking at the logs, it's talking about CTS (TrustSec); it's potentially using some sort of test user which doesn't exist?

    xxx#show cts server-list
    CTS Server Radius Load Balance = DISABLED
    Server Group Deadtime = 20 secs (default)
    Global Server Liveness Automated Test Deadtime = 20 secs
    Global Server Liveness Automated Test Idle Time = 60 mins
    Global Server Liveness Automated Test = ENABLED (default)

    Installed list: CTSServerList1-0001, 1 server(s):
    *Server: x.x.x.x, port 1812, A-ID xxx
    Status = DEAD
    auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs

    !

    !

    Mar 31 19:45:37.237: RADIUS: Vendor, Cisco [26] 211
    Mar 31 19:45:37.237: RADIUS: Cisco AVpair [1] 205 "cts-pac-opaque= "
    Mar 31 19:45:37.237: RADIUS: User-Password [2] 18 *
    Mar 31 19:45:37.237: RADIUS: User-Name [1] 17 "CTS-Test-Server"
    Mar 31 19:45:37.238: RADIUS: Service-Type [6] 6 Login [1]
    Mar 31 19:45:37.238: RADIUS: NAS-IP-Address [4] 6 x.x.x.x

    The question is, why is it doing this?

    Thanks :)

    Beginner

    Re: Radius Login Requests / Provisioned Device -> ISE

    Have you manually configured the Network Device in the ISE or have you let the DNA-C create the Network Device?

    Does the command "show cts pacs" show any output?

    Have you tried to delete the Network Device in ISE and then provision the Device in DNA-C again (or editing the user and clicking save is enough for the Network Device entry in ISE to be recreated)?


    .:|:..:|:.Please rate helpful posts.:|:..:|:.
    Beginner

    Re: Radius Login Requests / Provisioned Device -> ISE

    I let DNA create the Network Devices. I have deleted it, and will re-provision.

    xxxx1#show cts pac
    AID: 9E01E7452E123C5D9210975A83A597D9
    PAC-Info:
    PAC-type = Cisco Trustsec
    AID: xxxxxxx
    I-ID: xxxxxx
    A-ID-Info: Identity Services Engine
    Credential Lifetime: 19:48:25 BST Mon Jun 29 2020
    PAC-Opaque: 000200B800030001000400109E01E7452E123C5D9210975A83A597D90006009C000301004DAD09711370C4894B3E01B0DAB39389000000135E7F80E600093A8089CF95E5E2014E0766106F1AE827EA30BA5D0208F3E64ED60536DB0D53036AB620A853A74AABE4B4109E299A5EB820075468199E438EC2B677509D8498D9B88E3239EF12F8F95E20F5CD06E5030007C9B6A912A682FBF1BE22E9C4C799FBFAA645BE39E12CFC293A14DAA00E7BA289B133F832A5E4598C155086A085
    Refresh timer is set for 12w4d

    Thank you.

    Beginner

    Re: Radius Login Requests / Provisioned Device -> ISE

    Deleted it from Inventory, re-added, re-synched, gone back to the same state.

    If I do a show cts environment-data all, I see all of my SGTs, with State = Complete.
    So it seems to be failing on Installed List - CTSServerList1-0001 only.

    VIP Collaborator

    Re: Radius Login Requests / Provisioned Device -> ISE

    Issue a #show cts provisioning. This will display outstanding Cisco TrustSec provisioning jobs. If there are any hung jobs, try a re-provision. If that doesn't clear them, you can attempt a reboot of the switch. Also, something else to try if the hung jobs still exist is to manually remove the radius server config and re-add it.
    Contributor

    Re: Radius Login Requests / Provisioned Device -> ISE

    just do "no cts server test"

    and confirm if you continue to get the message.

    Because the server-liveness test is enabled by default, you may receive failed authentication messages from the user CTS-Test-Server. The server-liveness test probes a specified RADIUS server or all servers in the dynamic server list, and when a RADIUS server does not respond, the switch will mark it as down and send the failed authentication message.

    -Rate helpful posts-
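As an added example (not from this thread or from Cisco), a small Python parser for the debug radius attribute lines quoted earlier in the thread: it groups the lines into Access-Requests and flags the ones that are the CTS server-liveness probe (User-Name CTS-Test-Server with a cts-pac-opaque AV-pair), so the CTS-Test-Server failures in ISE can be triaged apart from real administrator login failures. The sample lines, the second login request and the NAS address are constructed.

```python
import re

# Constructed sample modelled on the "debug radius" lines quoted in the thread
# (NAS address made up): the CTS server-liveness probe, then a normal admin login.
SAMPLE_DEBUG = """\
Mar 31 19:45:37.237: RADIUS: Vendor, Cisco [26] 211
Mar 31 19:45:37.237: RADIUS: Cisco AVpair [1] 205 "cts-pac-opaque= "
Mar 31 19:45:37.237: RADIUS: User-Password [2] 18 *
Mar 31 19:45:37.237: RADIUS: User-Name [1] 17 "CTS-Test-Server"
Mar 31 19:45:37.238: RADIUS: Service-Type [6] 6 Login [1]
Mar 31 19:45:37.238: RADIUS: NAS-IP-Address [4] 6 10.0.0.5
Mar 31 19:46:02.101: RADIUS: User-Password [2] 18 *
Mar 31 19:46:02.101: RADIUS: User-Name [1] 12 "netadmin"
Mar 31 19:46:02.102: RADIUS: Service-Type [6] 6 Login [1]
Mar 31 19:46:02.102: RADIUS: NAS-IP-Address [4] 6 10.0.0.5
"""

# timestamp, attribute name, [type] length, optional value
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): RADIUS: (?P<attr>[^\[]+?) \[\d+\] \d+ ?(?P<val>.*)$"
)

def parse_requests(text):
    """Group attribute lines into Access-Requests. Assumption: an attribute never
    repeats inside one request, so a repeated attribute starts a new record
    (timestamps alone are unreliable: they drift within one request)."""
    requests, current = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        attr, val = m.group("attr"), m.group("val").strip().strip('"')
        if attr in current:
            requests.append(current)
            current = {}
        current.setdefault("_ts", m.group("ts"))
        current[attr] = val
    if current:
        requests.append(current)
    return requests

def classify(req):
    """Tell the switch's liveness probe apart from a real login attempt."""
    if req.get("User-Name") == "CTS-Test-Server":
        return "cts-liveness-probe"
    if req.get("Service-Type", "").startswith("Login"):
        return "user-login"
    return "other"
```

Probe records are the expected noise that no cts server test silences; anything classified as user-login that fails in ISE still deserves a look.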

    Beginner

    Re: Radius Login Requests / Provisioned Device -> ISE

    Thanks Ammahend, disabling it worked, although now it reports the Installed Server List Status = Alive? Strange, but anyway, thanks. That stopped the ISE entries. I need to read up on CTS and understand it a bit more.

    Contributor

    Re: Radius Login Requests / Provisioned Device -> ISE

    https://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec.pdf


    Page 12-42 talks more about the usage guidelines for cts server test; you can start from there.

    -Rate helpful posts-