Trustsec and cts critical-authentication on wired dot1x

Michele Toblini
Level 1

Hi,

I'm deploying wired dot1x with TrustSec and I was wondering what would happen if ISE were not available.

I did some research and found out that the solution is critical authentication, but the guide is not completely clear.

Here is the example.

Device> enable
Device# configure terminal
Device(config)# radius-server dead-criteria time 15 tries 3
Device(config)# radius-server deadtime 10
Device(config)# radius server RASERV-1
Device(config-radius-server)# address ipv4 172.20.254.4 auth-port 1812 acct-port 1813
Device(config-radius-server)# automate-tester username dummy
Device(config-radius-server)# pac key 7 mypackey
Device(config-radius-server)# exit
Device(config)# radius server RASERV-2
Device(config-radius-server)# address ipv4 172.20.254.8 auth-port 1645 acct-port 1646
Device(config-radius-server)# automate-tester username dummy
Device(config-radius-server)# pac key 7 mypackey
Device(config-radius-server)# exit
Device(config)# cts dot1x-server-timeout 30
Device(config)# cts dot1x-supp-timeout 30
Device(config)# cts server test all idle-time 3
Device(config)# cts critical-authentication default peer-sgt 5
Device(config)# cts critical-authentication
Device(config)# cts critical-authentication default pmk password123
Device(config)# cts cache nv-storage bootdisk:cache
Device(config)# cts critical-authentication fallback cached
Device(config)# exit

Here are my questions:

1) Why would we need a PMK password if ISE is down?

2) We set a default SGT, but what does it mean, and how and where is it used?

3) Why do we need a test user to check the availability of ISE if we have default timers?

Thanks

Michele

1 Accepted Solution

hslai
Cisco Employee

Most of the info is at Critical Authentication Overview

A more recent recommendation is not to use automate-tester with CTS.

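As an added example (not from this thread, Cisco, or ISE), a small Python check that reads an IOS-style configuration like the one in the question and flags the combination hslai's answer advises against: automate-tester under a RADIUS server while cts critical-authentication is configured. It also confirms the fallback-cached line and the radius-server dead-criteria/deadtime timers from the question are present. The configuration text is constructed from the question; the checks encode only what this thread states.

```python
import re

# Constructed sample: the config from the question above, trimmed to the lines the audit reads.
SAMPLE_CONFIG = """\
radius-server dead-criteria time 15 tries 3
radius-server deadtime 10
radius server RASERV-1
 address ipv4 172.20.254.4 auth-port 1812 acct-port 1813
 automate-tester username dummy
 pac key 7 mypackey
radius server RASERV-2
 address ipv4 172.20.254.8 auth-port 1645 acct-port 1646
 automate-tester username dummy
 pac key 7 mypackey
cts critical-authentication default peer-sgt 5
cts critical-authentication
cts cache nv-storage bootdisk:cache
cts critical-authentication fallback cached
"""

def parse_radius_servers(config):
    """Map each 'radius server NAME' block to its indented sub-mode lines."""
    servers, current = {}, None
    for line in config.splitlines():
        m = re.match(r"radius server (\S+)\s*$", line)
        if m:
            current = m.group(1)
            servers[current] = []
        elif line.startswith(" ") and current is not None:
            servers[current].append(line.strip())
        elif line.strip():
            current = None  # any other top-level command ends the block
    return servers

def audit_critical_auth(config):
    """Return findings (strings) for the pattern the accepted answer warns about."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if "cts critical-authentication" in lines:
        # Accepted answer: do not use automate-tester together with CTS.
        for name, body in parse_radius_servers(config).items():
            if any(b.startswith("automate-tester") for b in body):
                findings.append(f"{name}: automate-tester configured with cts critical-authentication")
        if "cts critical-authentication fallback cached" not in lines:
            findings.append("cts critical-authentication without 'fallback cached'")
    # The question's config marks servers dead via these timers; check both are present.
    for cmd in ("radius-server dead-criteria", "radius-server deadtime"):
        if not any(l.startswith(cmd) for l in lines):
            findings.append(f"missing '{cmd}'")
    return findings
```

Run against `show running-config` output saved to a file by passing its contents to `audit_critical_auth`; an empty list means nothing was flagged.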
2 Replies


Thanks for the reply, but I wrote this thread after reading your documentation and it's not clear.

Also, why should I need automate-tester?