Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
235
Views
1
Helpful
2
Replies

Cisco ISE - Out Of Band (OOB) TrustSec PAC

MattMH
Level 1
Level 1

‎06-10-2024 06:36 AM

I am having issues getting my TrustSec policy working on one my switches. When I run the following command I see,

27-Switch#show cts environment-data
CTS Environment Data
====================
Current state = START (always in START)
Last status = Cleared

Then I started debugging (debug cts environment-data all) the switch and see this error..."PAC not found on the device"

I went to the device in ISE, compared it to the switches that are working and noticed the OOB cert has expired. No other switch (that I am aware of yet) has an expired cert. 

I went ahead a clicked the "Generate PAC' on the device in ISE. However, what I find odd is that after I generate the cert, my username is in the "Issued By" section

MattMH_0-1718026254029.png

Every other device, which none of them have expired certs, shows Issued By as "network device", which leads me to believe something automated is being used to regenerate these certs. 

Regenerating the PAC did not resolve the issue, so with all that said, could have just sent you down the wrong rabbit hole and this OOB is all unrelated. 1 of my 100+ switches does not work, which started last week. 

 

2 Replies 2

Arne Bier
VIP
VIP

‎06-10-2024 01:19 PM

Did you use DNAC (integrated with ISE at that time) to onboard the switches in a greenfield scenario? In that case DNAC does all this for you and I have never understood how this works.

I have tried reading various Cisco articles on PAC but I just don't get it into my head. I wish someone with a knack for explaining this could write up a simple article about why anyone needs PAC and how it works, and best of all, how to fix it when it breaks.

If you're not using SDA, DNAC provisioning still pushes PAC/CTS stuff to the switches - AFAIK, when not using SDA you don't need PAC in the device's RADIUS shared secret config. Not sure why DNAC insists on pushing this out, and I have not found an option in DNAC to disable this. 

0 Helpful

MattMH
Level 1
Level 1
In response to Arne Bier

‎06-11-2024 05:17 AM

@Arne Bier  ... thanks for the response. The docs are hard to find with regards to this. However, I was able to get my issue resolved by doing this. 1) I was able to regenerate the PAC by issuing cts refresh pac from the switch. I don't know why this switch required manual intervention. DNAC is involved, so I will have to look into that. Once I issue that command, the device in ISE was showing the PAC issued by "Network Device". 2) We had another issue with this switches AAA setup being misconfigured as well. After these changes were made, our TrustSec/SXP mappings were present on this switch when viewing the out from the show cts environment-data command.

0 Helpful
Customers Also Viewed These Support Documents