cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1646
Views
0
Helpful
6
Replies

Cisco ISE Trustsec failing in lab 3750E

jaismith
Level 1
Level 1

For some reason I cannot get my switch to authenticate with ISE for CTS. The live logs show Event 5405 RADIUS Request dropped Failure Reason 11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute .

As far as ISE config everything looks good in the "Advanced Trustsec Settings" section. Here is my switch config.

This is on a 3750E running version 15.0(2)SE11

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa authorization network cts-list group ise-group

aaa authorization network TRUSTSEC group ise-group

aaa accounting system default start-stop group ise-group

aaa accounting dot1x default start-stop group radius

radius server ISE

address ipv4 [IP ADDRESS] auth-port 1812 acct-port 1813

automate-tester username radius-test

pac key Passw0rd

aaa group server radius ise-group

server name ISE

aaa authorization network cts-list group ise-group

cts authorization list TRUSTSEC

cts role-based enforcement

cts role-based enforcement vlan-list 1-4094

6 Replies 6

Rodrigo Diaz
Cisco Employee
Cisco Employee

hello @jaismith ,  did you see any inputs if you issue the commands "show cts provisioning" and "show cts credentials" ? , please confirm that you have the credentials matching with what you have configured in the trustsec configuration within the NAD section on ISE , lastly I would also confirm that the radius you have is working fine first by removing the cts configuration and testing only radius with ISE to then reenter the cts commands . 

Let me know if that helped you. 

hslai
Cisco Employee
Cisco Employee

For 3750-E, the last date of support is January 31, 2018 as shown in End-of-Sale and End-of-Life Announcement for the Cisco Catalyst 3750G, 3560G, 3750-E, and 3560-E Series Switches 

And, Table 3 End of Sale Group Based Policy Platform Support Matrix in Cisco Group Based Policy Platform and Capability Matrix Release 6.5 shows Catalyst 3750-E series support SGT classification and SXP only but not SGT enforcement.

The switch is a 3750-X switch with 3750E software. I just upgraded to 15.2(4)E10. I guess that compatibility matrix is confusing me because I have a 3750-X so I assumed it should work with the upgraded software. Am I wrong? Thanks

SW-1#show inv
NAME: "1", DESCR: "WS-C3750X-48P"
PID: WS-C3750X-48PF-S

Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.2(4)E10, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Tue 31-Mar-20 13:22 by prod_rel_team

Greg Gibbs
Cisco Employee
Cisco Employee

I recall an issue with the 'cts-pac-opaque' when using older switches. The way to resolve that issue was to create two separate 'radius server' entries for the same PSN using different ports for authentication/accounting. You would then use one entry for non-pac config and the other entry for the pac-based config and CTS list.

Example:

radius server ise30-sa
address ipv4 192.168.120.180 auth-port 1812 acct-port 1813
key xxxxx
radius server ise30-sa-PAC
address ipv4 192.168.120.180 auth-port 1645 acct-port 1646
pac key xxxxx
!
aaa group server radius ISE_Auth
server name ise30-sa
aaa group server radius ISE_Auth+PAC
server name ise30-sa-PAC
aaa authentication dot1x default group ISE_Auth
aaa authorization network default group ISE_Auth
aaa authorization network CTS-LIST group ISE_Auth+PAC
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group ISE_Auth
!
cts authorization list CTS-LIST

 

@Greg Gibbs : IIRC the workaround is for C3750X or C3560X on 15.0(2)SE train. C3750X and C3560X do support CTS enforcement.

The switch is a 3750-X switch with 3750E software. I just upgraded to 15.2(4)E10. I guess that compatibility matrix is confusing me because I have a 3750-X so I assumed it should work with the upgraded software. Am I wrong? Thanks

SW-1#show inv
NAME: "1", DESCR: "WS-C3750X-48P"
PID: WS-C3750X-48PF-S

Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.2(4)E10, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Tue 31-Mar-20 13:22 by prod_rel_team