Cisco ISE and DNAC TrustSec credentials

AigarsK
Level 1

Hi All,

Just wanted your advice on TrustSec configuration of switches when doing SDA with DNAC and Cisco ISE.

The issue I have seen in the field is this: Cisco DNA Center goes about discovering the switch and later pushes config to it so that it can take part in SDA. DNA Center creates a NAD in Cisco ISE and provisions all configuration and settings under that NAD, which includes the RADIUS/TACACS shared secret and TrustSec.

The TrustSec ID and password are set to the switch serial number. The same logic applies when the switch is part of a stack, so whichever switch is the Master/Active in the stack, its serial is used for the TrustSec configuration.

So now to the problem: if switches are not provisioned with a switch stack member priority set, the Master/Active switch can change, and it appears as if the switch locally changes its ID and password, thus preventing the SGT pull from ISE as the credentials are wrong.

Of course, once the switch has been configured properly for the stack, there is still a chance for issues. Let's say I have two or more switches in a stack, Master/Active is the first switch, and I have two P2P L3 uplinks to switches 1 and 2. Switch 1 dies and the entire stack is rebooted, so switch 2 becomes the Master/Active switch for the stack. This still leaves me with TrustSec and ISE issues, as the credentials would have changed.

I know that technically I have bigger issues to worry about as I have a dead switch, but this is why we have multiple switches and uplinks: they are put in place to provide redundancy if one of my distribution/core devices dies, so that I have a redundant path to provide connectivity to the edge. This is also why switches are in a stack, so that one switch being dead does not mean I have 100% user impact on the edge. Yes, I might have 48 endpoints with no connectivity, but with a maximum of 8 switches in a stack on the 9k series, I could potentially have another 336 endpoints working properly.

So what is the deal with TrustSec? Do I go about provisioning switches with DNA Center and then change the CTS credentials to something other than the serial number of the switch? How do I prevent the CTS credentials from changing if another switch takes over the Master/Active role and the switch stack gets rebooted, or am I not aware of something about how CTS credentials are updated during the boot of the switch?

BTW: CTS credentials do not appear in the running config, similarly to how you do not see switch stack member priorities in the running config. From some other posts I see that they are saved in an "environment variable".

1 Accepted Solution

We ran into a similar issue recently. I think the reason why you would see this behaviour is that DNA-C does not seem to be able to push the new CTS creds (device-id) to the switch, so on the switch you would still see the old creds; however, on ISE you would see the new ones. I think the only fix for this is just to manually change the CTS creds on the switch.

As of the latest DNA-C, 1.3.3.x, there would not be a way to use the hostname as the CTS creds, only the serial number. Hopefully this has been added as a new feature in the 2.1.2.0 release.

CTS creds should be visible on the switch with the command sh cts credentials.
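A check that a practitioner could script for the behaviour described in the original post and in this answer: the Active stack member's serial number is what DNAC uses as the CTS device-id, and sh cts credentials is where the switch shows it. This is an added example, not code from the thread, from Cisco DNA Center or from ISE. It works on captured CLI text rather than logging in to anything, and the three outputs it parses are constructed samples whose layout only approximates real show cts credentials, show switch and show inventory output, so the regexes and the member numbers, serials and priorities are assumptions to adjust against a real device.

```python
"""Audit a stack's TrustSec device-id against the Active member's serial.

Added example (not from the thread, DNA Center or ISE). Assumes the behaviour the
post describes: DNAC sets the CTS device-id to the Active member's serial number.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- CONSTRUCTED sample output; layout only approximates the real commands ---
SHOW_CTS_CREDENTIALS = "CTS password is defined in keystore, device-id = FOC0000X0A1\n"

SHOW_SWITCH = """\
Switch#   Role    Mac Address     Priority Version  State
-------------------------------------------------------------
*1       Active   0000.0000.0001     1      V02     Ready
 2       Standby  0000.0000.0002     1      V02     Ready
 3       Member   0000.0000.0003     1      V02     Ready
"""
# Same stack after member 1 died and the stack reloaded: member 2 is now Active.
SHOW_SWITCH_AFTER_FAILOVER = """\
Switch#   Role    Mac Address     Priority Version  State
-------------------------------------------------------------
*2       Active   0000.0000.0002     14     V02     Ready
 3       Standby  0000.0000.0003     13     V02     Ready
"""
SHOW_INVENTORY = """\
NAME: "Switch 1", DESCR: "C9300-48P"
PID: C9300-48P         , VID: V02  , SN: FOC0000X0A1
NAME: "Switch 2", DESCR: "C9300-48P"
PID: C9300-48P         , VID: V02  , SN: FOC0000X0A2
NAME: "Switch 3", DESCR: "C9300-48P"
PID: C9300-48P         , VID: V02  , SN: FOC0000X0A3
"""


@dataclass
class Member:
    number: int
    role: str
    priority: int


@dataclass
class AuditResult:
    device_id: Optional[str]
    active_member: Optional[int]
    active_serial: Optional[str]
    matches: bool               # device-id equals the Active member's serial
    deterministic_active: bool  # Active holds a strictly higher priority than the rest
    findings: List[str]


def parse_device_id(text: str) -> Optional[str]:
    """Extract 'device-id = X' from the 'show cts credentials' output."""
    m = re.search(r"device-id\s*=\s*(\S+)", text)
    return m.group(1) if m else None


def parse_stack(text: str) -> List[Member]:
    """Parse member rows of 'show switch' (a leading '*' marks the local unit)."""
    rows = re.findall(r"^\*?\s*(\d+)\s+(Active|Standby|Member)\s+[0-9a-f.]+\s+(\d+)",
                      text, re.MULTILINE)
    return [Member(int(n), role, int(prio)) for n, role, prio in rows]


def parse_serials(text: str) -> Dict[int, str]:
    """Map stack member number -> serial number from 'show inventory'."""
    serials: Dict[int, str] = {}
    current = None
    for line in text.splitlines():
        name = re.match(r'NAME: "Switch (\d+)"', line)
        if name:
            current = int(name.group(1))
            continue
        sn = re.search(r"\bSN:\s*(\S+)", line)
        if sn and current is not None:
            serials[current] = sn.group(1)
            current = None
    return serials


def audit(cts_text: str, switch_text: str, inventory_text: str) -> AuditResult:
    """Flag a device-id/serial mismatch and a non-deterministic Active election."""
    device_id = parse_device_id(cts_text)
    members = parse_stack(switch_text)
    serials = parse_serials(inventory_text)
    findings: List[str] = []
    active = next((m for m in members if m.role == "Active"), None)
    if active is None:
        findings.append("no Active member found in 'show switch' output")
        return AuditResult(device_id, None, None, False, False, findings)
    active_serial = serials.get(active.number)
    matches = device_id is not None and device_id == active_serial
    if not matches:
        findings.append(f"CTS device-id {device_id!r} != Active member {active.number} "
                        f"serial {active_serial!r}: ISE will reject the switch until the "
                        f"local cts credentials and the ISE NAD entry are realigned")
    others = [m.priority for m in members if m.number != active.number]
    deterministic = all(active.priority > p for p in others)
    if not deterministic:
        findings.append(f"Active member {active.number} priority {active.priority} is not "
                        f"strictly higher than the others {others}: a reload may elect a "
                        f"different Active, which changes the device-id DNAC expects")
    return AuditResult(device_id, active.number, active_serial, matches, deterministic, findings)


if __name__ == "__main__":
    for label, sw in (("steady state", SHOW_SWITCH), ("after failover", SHOW_SWITCH_AFTER_FAILOVER)):
        r = audit(SHOW_CTS_CREDENTIALS, sw, SHOW_INVENTORY)
        print(f"[{label}] device-id={r.device_id} active={r.active_member} ok={r.matches}")
        for f in r.findings:
            print("  -", f)
```

Run against the steady-state sample the device-id matches, but the script still flags that every member has priority 1, which is exactly the precondition for the surprise the post describes; run against the post-failover sample it flags the device-id/serial mismatch that makes ISE reject the switch. Feeding it real output would mean pasting the three commands' text into the constants or reading them from files.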


4 Replies

Thanks Aref,
I am familiar with the show commands, thanks anyway.
It is odd that this crucial piece of config is allowed to fall out of alignment under these conditions, as they are likely to be encountered in the field.

Will see what new version of DNA-C brings to the table then.


bunjiega
Level 1

Similar issue: DNAC keeps changing the switches' credentials to the serial number where I had previously set them to the hostname. This causes issues when it breaks.

Would be nice to have a hostname option or to disable just the CTS credential piece from DNAC.

gera.david
Level 1

Any update on this? I see no difference in DNAC 2.2.3