
AigarsK
Beginner

Cisco ISE and DNAC TrustSec credentials

Hi All,

Just wanted your advice on the TrustSec configuration of switches when doing SDA with DNAC and Cisco ISE.


The issue I have seen in the field with this is that Cisco DNA Center goes about discovering the switch and later pushing config to it to take part in SDA; DNA Center creates the NAD in Cisco ISE and provisions all configuration and settings under the NAD, which includes the RADIUS/TACACS shared secret and TrustSec.

The TrustSec ID and password are set to the switch serial number. The same logic applies when the switch is part of a stack, so whichever switch is the Master/Active in the stack, its serial is used for the TrustSec configuration.

So now to the problem: if switches are not provisioned with the switch stack member priority set, this Master/Active switch changes, and it appears as if locally on the switch it changes its ID and password, thus preventing the SGT pull from ISE as the credentials are wrong.

Of course, once the switch has been configured properly for the stack, there is still a chance for issues. Let's say I have two or more switches in a stack, Master/Active is the first switch, and I have two P2P L3 uplinks to switches 1 and 2. Switch 1 dies and the entire stack is rebooted, so switch 2 becomes the Master/Active switch for the stack; this still leaves me with the TrustSec and ISE problem, as the credentials would have changed.

I know that technically I have bigger issues to worry about as I have a dead switch, but this is why we have multiple switches and uplinks: they are put in place both to provide redundancy if one of my distribution/core devices dies, so I have a redundant path to provide connectivity to the edge, and so that one switch being dead does not mean 100% user impact at the edge. Yes, I might have 48 endpoints with no connectivity, but with a maximum of 8 switches in a stack on the 9k series, I could potentially have another 336 endpoints working properly.

So what is the deal with TrustSec? Do I go about provisioning switches with DNA Center and then change the CTS credentials to something other than the serial number of the switch? How do I prevent the CTS credentials changing if another switch takes over the Master/Active role and the switch stack gets rebooted, or am I not aware of something about how CTS credentials are updated during the boot of the switch?

BTW: CTS credentials do not appear in the running config, similarly to how you do not see switch stack member priorities in the running config. From some other posts I see that they are saved in an "environment variable".

1 Accepted Solution
Aref Alsouqi
VIP Rising star

We had run into a similar issue recently. I think the reason why you would see this behaviour is because DNA-C does not seem to be able to push the new CTS creds (device-id) to the switch, so on the switch you would still see the old creds; however, on ISE you would see the new ones. I think the only fix to this is just to manually change the cts creds on the switch.

As of the latest DNA-C 1.3.3.x, there would not be a way to use the hostname as the cts creds, only the serial number. Hopefully this has been added as a new feature in the 2.1.2.0 release.

CTS creds should be visible on the switch with the command sh cts credentials.
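A small alignment check for the failover scenario described in the question, added here as an illustration and not something from the thread or from Cisco: it parses constructed samples of sh cts credentials and show switch output and compares the device-id in the switch keystore with the serial of the member that is currently Active (what DNAC would derive) and with the device-id held on the ISE NAD entry. The MEMBER_SERIALS map and ISE_DEVICE_ID are assumed inputs that would come from show inventory and the ISE NAD record; the output formats are approximations, not real captures.

```python
import re

# Constructed sample of "show cts credentials" (IOS-XE style, not a real capture): the
# keystore still holds the serial of the member that was Active when DNAC provisioned it.
SHOW_CTS_CREDENTIALS = "CTS password is defined in keystore, device-id = FOC1111AAAA\n"

# Constructed sample of "show switch" after the failover: member 2 is now Active.
SHOW_SWITCH = """\
Switch#   Role    Mac Address     Priority Version  State
---------------------------------------------------------
 1       Standby  0000.1111.2222     1      V01     Ready
*2       Active   0000.1111.3333     1      V01     Ready
"""

# Assumed inputs (constructed): member -> serial from "show inventory", and the
# device-id recorded on the ISE NAD entry that DNAC manages for this switch.
MEMBER_SERIALS = {1: "FOC1111AAAA", 2: "FOC2222BBBB"}
ISE_DEVICE_ID = "FOC2222BBBB"

def cts_device_id(output):
    """Extract the device-id from 'show cts credentials' output."""
    m = re.search(r"device-id\s*=\s*(\S+)", output)
    return m.group(1) if m else None

def active_member(output):
    """Return the member number whose Role is Active in 'show switch' output."""
    for line in output.splitlines():
        m = re.match(r"\s*\*?(\d+)\s+(\w+)", line)
        if m and m.group(2).lower() == "active":
            return int(m.group(1))
    return None

def check_cts_alignment(cts_out, switch_out, member_serials, ise_device_id):
    """Compare the three places the device-id lives: the switch keystore, the serial
    DNAC derives from the current Active member, and the ISE NAD entry."""
    local = cts_device_id(cts_out)
    member = active_member(switch_out)
    derived = member_serials.get(member)
    findings = []
    if local != derived:
        findings.append(f"keystore device-id {local} != active member serial {derived}")
    if local != ise_device_id:
        findings.append(f"keystore device-id {local} != ISE NAD device-id {ise_device_id}")
    return {"local": local, "active_member": member, "derived": derived,
            "ise": ise_device_id, "findings": findings}

if __name__ == "__main__":
    for finding in check_cts_alignment(SHOW_CTS_CREDENTIALS, SHOW_SWITCH,
                                       MEMBER_SERIALS, ISE_DEVICE_ID)["findings"]:
        print("MISMATCH:", finding)
```

An empty findings list means the keystore, the Active member's serial and the ISE entry all agree; anything else is the drift the thread describes and a cue to reconcile the cts credentials before SGT/PAC retrieval fails.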

3 Replies

Thanks Aref,
I am familiar with the show commands, thanks anyway.
It is odd that this crucial piece of config is allowed to fall out of alignment under these conditions, as they are likely to be encountered in the field.

We will see what the new version of DNA-C brings to the table then.

Jeremy Halcomb
Beginner

Similar issue: DNAC keeps changing the switch's credentials to the serial number where I had previously set them to the hostname. This causes issues when it breaks.

It would be nice to have a hostname option or to be able to disable just the CTS credential piece from DNAC.
