03-31-2020 12:01 PM
Hi Guys,
I just provisioned my first device in DNA (yay), I have enabled RADIUS/TACACS globally, and created the Device Management user in ISE. I can log in to the device okay, and I can see the RADIUS authentication requests in ISE. The issue I have is, there are also a bunch of RADIUS login attempts from a user "UNKOWN". I can't quite understand what these are.
Thanks.
Hi Both,
test aaa group radius comes back as successful, so that's good - there are no hosts connected at this time, it's a brand new switch. Looking at the logs, it's talking about CTS (TrustSec); it's potentially using some sort of test user which doesn't exist?
xxx#show cts server-list
CTS Server Radius Load Balance = DISABLED
Server Group Deadtime = 20 secs (default)
Global Server Liveness Automated Test Deadtime = 20 secs
Global Server Liveness Automated Test Idle Time = 60 mins
Global Server Liveness Automated Test = ENABLED (default)
Installed list: CTSServerList1-0001, 1 server(s):
*Server: x.x.x.x, port 1812, A-ID xxx
Status = DEAD
auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
!
!
Mar 31 19:45:37.237: RADIUS: Vendor, Cisco [26] 211
Mar 31 19:45:37.237: RADIUS: Cisco AVpair [1] 205 "cts-pac-opaque= "
Mar 31 19:45:37.237: RADIUS: User-Password [2] 18 *
Mar 31 19:45:37.237: RADIUS: User-Name [1] 17 "CTS-Test-Server"
Mar 31 19:45:37.238: RADIUS: Service-Type [6] 6 Login [1]
Mar 31 19:45:37.238: RADIUS: NAS-IP-Address [4] 6 x.x.x.x
The question is, why is it doing this?
Thanks :)
03-31-2020 01:29 PM - edited 03-31-2020 01:39 PM
Have you manually configured the Network Device in the ISE or have you let the DNA-C create the Network Device?
Does the command "show cts pacs" show any output?
Have you tried deleting the Network Device in ISE and then provisioning the device in DNA-C again? (Or editing the user and clicking Save may be enough for the Network Device entry in ISE to be recreated.)
03-31-2020 01:42 PM
I let DNA create the Network Devices. I have deleted it, and will re-provision.
xxxx1#show cts pac
AID: 9E01E7452E123C5D9210975A83A597D9
PAC-Info:
PAC-type = Cisco Trustsec
AID: xxxxxxx
I-ID: xxxxxx
A-ID-Info: Identity Services Engine
Credential Lifetime: 19:48:25 BST Mon Jun 29 2020
PAC-Opaque: 000200B800030001000400109E01E7452E123C5D9210975A83A597D90006009C000301004DAD09711370C4894B3E01B0DAB39389000000135E7F80E600093A8089CF95E5E2014E0766106F1AE827EA30BA5D0208F3E64ED60536DB0D53036AB620A853A74AABE4B4109E299A5EB820075468199E438EC2B677509D8498D9B88E3239EF12F8F95E20F5CD06E5030007C9B6A912A682FBF1BE22E9C4C799FBFAA645BE39E12CFC293A14DAA00E7BA289B133F832A5E4598C155086A085
Refresh timer is set for 12w4d
Thank you.
03-31-2020 01:54 PM - edited 03-31-2020 02:01 PM
Deleted it from Inventory, re-added, re-synched, gone back to the same state.
If I do a show cts environment-all see all of my SGTs, with State = Complete.
So it seems to be failing on InstalledList - CTSServerList1-0001 only.
03-31-2020 08:53 PM
just do "no cts server test"
and confirm if you continue to get the message.
Because the server-liveness test is enabled by default, you may receive failed authentication messages from the user CTS-Test-Server. The server-liveness test probes a specified RADIUS server or all servers in the dynamic server list, and when a RADIUS server does not respond, the switch will mark it as down and send the failed authentication message.
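Added example (my own code, not from this thread or from Cisco): a small Python script that parses the two artifacts posted earlier in the thread, a `show cts server-list` block and the `debug radius` attribute dump, and tells an Access-Request carrying the fixed test identity `CTS-Test-Server` apart from a real device-management login. It is useful when triaging unexplained failed authentications in ISE. The sample data below is constructed to mirror the thread's output (the 192.0.2.x addresses are documentation addresses, and the attribute regex is my assumption about the `debug radius` line format shown above).

```python
"""Correlate 'show cts server-list' with 'debug radius' attribute lines to
decide whether a failed ISE authentication is a TrustSec liveness probe."""
import re

# Constructed sample modelled on the thread's 'show cts server-list' output.
# Not the original poster's switch; 192.0.2.10 is an RFC 5737 example address.
SERVER_LIST = """\
CTS Server Radius Load Balance = DISABLED
Server Group Deadtime = 20 secs (default)
Global Server Liveness Automated Test Deadtime = 20 secs
Global Server Liveness Automated Test Idle Time = 60 mins
Global Server Liveness Automated Test = ENABLED (default)
Installed list: CTSServerList1-0001, 1 server(s):
 *Server: 192.0.2.10, port 1812, A-ID 9E01E7452E123C5D9210975A83A597D9
  Status = DEAD
  auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
"""

# Constructed 'debug radius' excerpt modelled on the thread's probe request.
DEBUG_RADIUS = """\
Mar 31 19:45:37.237: RADIUS: Vendor, Cisco [26] 211
Mar 31 19:45:37.237: RADIUS: Cisco AVpair [1] 205 "cts-pac-opaque= "
Mar 31 19:45:37.237: RADIUS: User-Password [2] 18 *
Mar 31 19:45:37.237: RADIUS: User-Name [1] 17 "CTS-Test-Server"
Mar 31 19:45:37.238: RADIUS: Service-Type [6] 6 Login [1]
Mar 31 19:45:37.238: RADIUS: NAS-IP-Address [4] 6 192.0.2.1
"""

# Assumed line shape: 'RADIUS: <attr name> [<id>] <len> <value>'.
ATTR_RE = re.compile(
    r"RADIUS:\s+(?P<name>[\w ,\-]+?)\s+\[(?P<id>\d+)\]\s+(?P<len>\d+)\s*(?P<value>.*)$")
SERVER_RE = re.compile(r"\*?Server:\s+(?P<ip>[\d.]+),\s+port\s+(?P<port>\d+)")
KV_RE = re.compile(r"(?P<key>[\w\-]+)\s*=\s*(?P<val>[^,]+)")

PROBE_USER = "CTS-Test-Server"   # fixed identity used by the liveness test


def parse_radius_attrs(text):
    """Map attribute name -> value for one Access-Request's debug lines.
    Keyed by name, not [id]: 'User-Name [1]' and the vendor sub-attribute
    'Cisco AVpair [1]' share the number 1."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group("name")] = m.group("value").strip().strip('"').strip()
    return attrs


def parse_server_list(text):
    """Extract the global auto-test flag and per-server Status/auto-test."""
    result = {"global_auto_test": None, "servers": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Global Server Liveness Automated Test ="):
            result["global_auto_test"] = "ENABLED" in line
            continue
        m = SERVER_RE.search(line)
        if m:
            current = {"ip": m.group("ip"), "port": int(m.group("port"))}
            result["servers"].append(current)
            continue
        if current is not None and "=" in line:
            for kv in KV_RE.finditer(line):
                current[kv.group("key")] = kv.group("val").strip()
    return result


def is_liveness_probe(attrs):
    """True when the request carries the test identity rather than a real user."""
    return attrs.get("User-Name") == PROBE_USER


def explain(server_list, attrs):
    """Classify one request against the switch's server-list state."""
    servers = server_list["servers"]
    auto_test = bool(server_list["global_auto_test"]) or any(
        s.get("auto-test") == "TRUE" for s in servers)
    dead = [s["ip"] for s in servers if s.get("Status") == "DEAD"]
    if is_liveness_probe(attrs) and auto_test:
        verdict = "liveness-probe"            # expected noise; no such user in ISE
    elif is_liveness_probe(attrs):
        verdict = "liveness-probe-unexpected"  # test user seen with auto-test off
    else:
        verdict = "real-login"
    return {"verdict": verdict, "user": attrs.get("User-Name"),
            "service_type": attrs.get("Service-Type"),
            "auto_test": auto_test, "dead_servers": dead}


if __name__ == "__main__":
    print(explain(parse_server_list(SERVER_LIST), parse_radius_attrs(DEBUG_RADIUS)))
```

A `liveness-probe` verdict with a `DEAD` server means the switch is repeatedly re-testing the server and ISE will keep logging the failures until the test is disabled (the `no cts server test` form given in this reply) or the server is marked alive again; a `real-login` verdict means the failed authentication deserves normal investigation.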
04-01-2020 01:08 AM
Thanks Ammahend, disabling it worked, although now it reports as Installed Server List Status = Alive? Strange, but anyway, thanks. That stopped the ISE entries. I need to read up on CTS and understand it a bit more.
04-01-2020 07:36 AM
https://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec.pdf
Page 12-42 talks more about the usage guidelines for cts server test; you can start from there.
07-07-2021 11:33 AM
for more accuracy on 16.12.* :0)
no cts server test all enable