02-03-2023 06:35 PM
For some reason I cannot get my switch to authenticate with ISE for CTS. The live logs show Event 5405 RADIUS Request dropped, Failure Reason 11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute.
As far as ISE config everything looks good in the "Advanced Trustsec Settings" section. Here is my switch config.
This is on a 3750E running version 15.0(2)SE11
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization network cts-list group ise-group
aaa authorization network TRUSTSEC group ise-group
aaa accounting system default start-stop group ise-group
aaa accounting dot1x default start-stop group radius
radius server ISE
address ipv4 [IP ADDRESS] auth-port 1812 acct-port 1813
automate-tester username radius-test
pac key Passw0rd
aaa group server radius ise-group
server name ISE
aaa authorization network cts-list group ise-group
cts authorization list TRUSTSEC
cts role-based enforcement
cts role-based enforcement vlan-list 1-4094
02-04-2023 07:10 AM
Hello @jaismith, did you see any output when you issue the commands "show cts provisioning" and "show cts credentials"? Please confirm that you have the credentials matching what you have configured in the TrustSec configuration within the NAD section on ISE. Lastly, I would also confirm that the RADIUS you have is working fine first by removing the CTS configuration and testing only RADIUS with ISE, and then re-enter the CTS commands.
Let me know if that helped you.
02-04-2023 08:44 PM - edited 02-05-2023 01:22 PM
For 3750-E, the last date of support is January 31, 2018, as shown in End-of-Sale and End-of-Life Announcement for the Cisco Catalyst 3750G, 3560G, 3750-E, and 3560-E Series Switches.
And Table 3, End of Sale Group Based Policy Platform Support Matrix, in Cisco Group Based Policy Platform and Capability Matrix Release 6.5 shows that the Catalyst 3750-E series supports SGT classification and SXP only, but not SGT enforcement.
02-07-2023 03:56 PM
The switch is a 3750-X switch with 3750E software. I just upgraded to 15.2(4)E10. I guess that compatibility matrix is confusing me because I have a 3750-X so I assumed it should work with the upgraded software. Am I wrong? Thanks
SW-1#show inv
NAME: "1", DESCR: "WS-C3750X-48P"
PID: WS-C3750X-48PF-S
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.2(4)E10, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Tue 31-Mar-20 13:22 by prod_rel_team
02-05-2023 01:39 PM
I recall an issue with the 'cts-pac-opaque' when using older switches. The way to resolve that issue was to create two separate 'radius server' entries for the same PSN using different ports for authentication/accounting. You would then use one entry for non-pac config and the other entry for the pac-based config and CTS list.
Example:
radius server ise30-sa
address ipv4 192.168.120.180 auth-port 1812 acct-port 1813
key xxxxx
radius server ise30-sa-PAC
address ipv4 192.168.120.180 auth-port 1645 acct-port 1646
pac key xxxxx
!
aaa group server radius ISE_Auth
server name ise30-sa
aaa group server radius ISE_Auth+PAC
server name ise30-sa-PAC
aaa authentication dot1x default group ISE_Auth
aaa authorization network default group ISE_Auth
aaa authorization network CTS-LIST group ISE_Auth+PAC
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group ISE_Auth
!
cts authorization list CTS-LIST
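The layout above is easy to get subtly wrong when a config grows, so here is a small lint that encodes the rule the post describes: the method list named by `cts authorization list` must resolve to RADIUS server entries that carry a `pac key`, those PAC-keyed entries should not also serve the non-CTS (dot1x / accounting) method lists, and two entries for the same PSN must use distinct auth/acct ports. This is an added example, not code from the thread or from Cisco; the two embedded configurations are constructed from the thread's posts, with the TEST-NET address 192.0.2.10 standing in for the original poster's redacted IP, and the parser only understands the handful of IOS commands that appear here.

```python
import re

# Constructed sample: the original poster's configuration, with the TEST-NET
# address 192.0.2.10 standing in for the redacted "[IP ADDRESS]".
OP_CONFIG = """
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization network cts-list group ise-group
aaa authorization network TRUSTSEC group ise-group
aaa accounting system default start-stop group ise-group
aaa accounting dot1x default start-stop group radius
radius server ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 pac key Passw0rd
aaa group server radius ise-group
 server name ISE
cts authorization list TRUSTSEC
"""

# Constructed sample: the two-entry layout from the workaround post.
WORKAROUND_CONFIG = """
radius server ise30-sa
 address ipv4 192.168.120.180 auth-port 1812 acct-port 1813
 key xxxxx
radius server ise30-sa-PAC
 address ipv4 192.168.120.180 auth-port 1645 acct-port 1646
 pac key xxxxx
aaa group server radius ISE_Auth
 server name ise30-sa
aaa group server radius ISE_Auth+PAC
 server name ise30-sa-PAC
aaa authentication dot1x default group ISE_Auth
aaa authorization network default group ISE_Auth
aaa authorization network CTS-LIST group ISE_Auth+PAC
aaa accounting identity default start-stop group ISE_Auth
cts authorization list CTS-LIST
"""

def parse_ios_config(text):
    """Collect RADIUS servers, server groups, AAA method lists and the CTS list."""
    cfg = {"servers": {}, "groups": {}, "lists": {}, "cts_list": None}
    ctx = None  # ("server", name) or ("group", name) while inside a sub-mode
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"radius server (\S+)$", line):
            ctx = ("server", m[1])
            cfg["servers"][m[1]] = {"endpoint": None, "pac_key": False}
        elif m := re.match(r"aaa group server radius (\S+)$", line):
            ctx = ("group", m[1])
            cfg["groups"][m[1]] = []
        elif m := re.match(r"aaa (authentication|authorization|accounting) (\S+) (\S+)(.*)$", line):
            ctx = None
            if grps := re.findall(r"group (\S+)", m[4]):   # lines without 'group' are not method lists
                cfg["lists"][(m[1], m[2], m[3])] = grps
        elif m := re.match(r"cts authorization list (\S+)$", line):
            ctx = None
            cfg["cts_list"] = m[1]
        elif ctx and ctx[0] == "server":
            srv = cfg["servers"][ctx[1]]
            if m := re.match(r"address ipv4 (\S+)(?: auth-port (\d+) acct-port (\d+))?", line):
                srv["endpoint"] = (m[1], m[2], m[3])
            elif line.startswith("pac key "):
                srv["pac_key"] = True
        elif ctx and ctx[0] == "group":
            if m := re.match(r"server name (\S+)$", line):
                cfg["groups"][ctx[1]].append(m[1])
    return cfg

def resolve_servers(cfg, group_names):
    # 'group radius' means every globally defined RADIUS server.
    names = set()
    for g in group_names:
        names |= set(cfg["servers"]) if g == "radius" else set(cfg["groups"].get(g, []))
    return names

def lint_cts(cfg):
    """Return findings where the config departs from the two-entry CTS layout."""
    cts = cfg["cts_list"]
    if cts is None:
        return ["no 'cts authorization list' configured"]
    cts_key = ("authorization", "network", cts)
    if cts_key not in cfg["lists"]:
        return [f"'cts authorization list {cts}' has no matching 'aaa authorization network {cts}'"]
    findings = []
    cts_servers = resolve_servers(cfg, cfg["lists"][cts_key])
    for name in sorted(cts_servers):
        if not cfg["servers"].get(name, {}).get("pac_key"):
            findings.append(f"server '{name}' is used by CTS list '{cts}' but carries no 'pac key'")
    for key, grps in cfg["lists"].items():
        if key == cts_key:
            continue
        for name in sorted(cts_servers & resolve_servers(cfg, grps)):
            findings.append(f"PAC-keyed server '{name}' is shared by CTS list '{cts}' and 'aaa {' '.join(key)}'")
    seen = {}  # two entries for one PSN must differ in address or auth/acct ports
    for name, srv in cfg["servers"].items():
        if srv["endpoint"] and srv["endpoint"] in seen:
            findings.append(f"servers '{seen[srv['endpoint']]}' and '{name}' share address and ports {srv['endpoint']}")
        seen[srv["endpoint"]] = name
    return findings
```

Run against the two samples, `lint_cts(parse_ios_config(WORKAROUND_CONFIG))` returns no findings, while the original poster's configuration produces one finding per non-CTS method list, because its single PAC-keyed entry `ISE` is reached both through `ise-group` and through `group radius`. The lint only reports where a configuration differs from the layout the post recommends; it does not prove that sharing is the cause of the 11302 drop on a given switch.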
02-05-2023 05:02 PM
@Greg Gibbs : IIRC the workaround is for C3750X or C3560X on 15.0(2)SE train. C3750X and C3560X do support CTS enforcement.