Hi:
I am attempting to follow the Cisco TrustSec Deployment guide (http://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Security/TrustSec_2-0/trustsec_2-0_dig.pdf).
So far things have been going well. I am at the point of adding in my Seed device. After completing the setup on ISE and then the switch itself (a Cisco Catalyst 3650) I am note that the environment data doesn't appear to have been download. However the PAC file is successfully generated.
fos01-l3-01#show cts pacs
AID: 43157A4E6832894FE4952D0A1F6167BB
PAC-Info:
PAC-type = Cisco Trustsec
AID: 43157A4E6832894FE4952D0A1F6167BB
I-ID: fos01-l3-01
A-ID-Info: fos01-ise-01v
Credential Lifetime: 11:00:43 PST Jan 22 2015
PAC-Opaque: 000200B8000300010004001043157A4E6832894FE4952D0A1F6167BB0006009C00030100B3696FBA1F7ABE1DAB104CCB18E875850000001354483C8400093A80B5EF16086495444FD0BDB5A88AE9AA775DE1A1AC483A2770B0C5A22D00B2386EFA6BE4847D7CBF2A6FD3C4D623DCD624AB1916A9E3960E082A8897B45D894E9CFDAA6FA8BFF5CBB1E30D17CF985B2913BF6FB105EAE5103DA2E017FB35EA06887D45F99C7D27FC987AE25EF0358CF08CFB4F7D000AC3A42E87640BA1
Refresh timer is set for 12w5d
fos01-l3-01#show cts environment-data
CTS Environment Data
====================
Current state = START
Last status = Failed
Environment data is empty
State Machine is running
Retry_timer (60 secs) is running
As you can see it says Last status = Failed.
Enabling debug logging for cts outputs the following
Oct 24 17:35:12.455: CTS env-data: Time to retry env data download
Oct 24 17:35:12.455: cts_env_data START: during state env_data_start, got event 0(env_data_request)
Oct 24 17:35:12.455: @@@ cts_env_data START: env_data_start -> env_data_waiting_rsp
Oct 24 17:35:12.455: env_data_waiting_rsp_enter: state = WAITING_RESPONSE
Oct 24 17:35:12.455: cts_aaa_is_fragmented: (CTS env-data SM)NOT-FRAG attr_q(0)
Oct 24 17:35:12.455: env_data_request_action: state = WAITING_RESPONSE
Oct 24 17:35:12.455: cts_env_data_is_complete: FALSE, req(x0), rec(x0)
Oct 24 17:35:12.455: cts_env_data_is_complete: FALSE, req(x0), rec(x0), expect(x81), complete1(x85), complete2(xB5), complete3(x1485)
Oct 24 17:35:12.456: env_data_request_action: state = WAITING_RESPONSE, received = 0x0 request = 0x0
Oct 24 17:35:12.456: cts_env_data_aaa_req_setup : aaa_id = 4240
Oct 24 17:35:12.456: cts_aaa_req_setup: (CTS env-data SM)Private group appears DEAD, attempt public group
Oct 24 17:35:12.456: cts_aaa_req_setup: (CTS env-data SM)No public method list found
Oct 24 17:35:12.456: cts_aaa_req_setup: (CTS env-data SM)Failed to get AAA method list handle.
Oct 24 17:35:12.456: cts_env_data WAITING_RESPONSE: during state env_data_waiting_rsp, got event 7(env_data_failed)
Oct 24 17:35:12.456: @@@ cts_env_data WAITING_RESPONSE: env_data_waiting_rsp -> env_data_start
Oct 24 17:35:12.456: env_data_start_enter: state = START
Oct 24 17:35:12.456: env_data_error_action: state = START
Oct 24 17:35:12.456: env_data_error_action: state = START, received = 0x0 request = 0x0
Within ISE itself it shows a successful authentication and PAC generation. However the log messages there are as follows. Not sure if it is significant that it says Access-Reject status at the end.
| | 11001 | Received RADIUS Access-Request |
| | 11017 | RADIUS created a new session |
| | 15012 | Selected Access Service |
| | 11507 | Extracted EAP-Response/Identity |
| | 12100 | Prepared EAP-Request proposing EAP-FAST with challenge |
| | 11006 | Returned RADIUS Access-Challenge |
| | 11001 | Received RADIUS Access-Request |
| | 11018 | RADIUS is re-using an existing session |
| | 12102 | Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated |
| | 12800 | Extracted first TLS record; TLS handshake started |
| | 12805 | Extracted TLS ClientHello message |
| | 12806 | Prepared TLS ServerHello message |
| | 12808 | Prepared TLS ServerKeyExchange message |
| | 12810 | Prepared TLS ServerDone message |
| | 12105 | Prepared EAP-Request with another EAP-FAST challenge |
| | 11006 | Returned RADIUS Access-Challenge |
| | 11001 | Received RADIUS Access-Request |
| | 11018 | RADIUS is re-using an existing session |
| | 12104 | Extracted EAP-Response containing EAP-FAST challenge-response |
| | 12812 | Extracted TLS ClientKeyExchange message |
| | 12804 | Extracted TLS Finished message |
| | 12801 | Prepared TLS ChangeCipherSpec message |
| | 12802 | Prepared TLS Finished message |
| | 12816 | TLS handshake succeeded |
| | 12131 | EAP-FAST built anonymous tunnel for purpose of PAC provisioning |
| | 12105 | Prepared EAP-Request with another EAP-FAST challenge |
| | 11006 | Returned RADIUS Access-Challenge |
| | 11001 | Received RADIUS Access-Request |
| | 11018 | RADIUS is re-using an existing session |
| | 12104 | Extracted EAP-Response containing EAP-FAST challenge-response |
| | 12125 | EAP-FAST inner method started |
| | 11521 | Prepared EAP-Request/Identity for inner EAP method |
| | 12105 | Prepared EAP-Request with another EAP-FAST challenge |
| | 11006 | Returned RADIUS Access-Challenge |
| | 11001 | Received RADIUS Access-Request |
| | 11018 | RADIUS is re-using an existing session |
| | 12104 | Extracted EAP-Response containing EAP-FAST challenge-response |
| | 11522 | Extracted EAP-Response/Identity for inner EAP method |
| | 11806 | Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge |
| | 12105 | Prepared EAP-Request with another EAP-FAST challenge |
| | 11006 | Returned RADIUS Access-Challenge |
| | 11001 | Received RADIUS Access-Request |
| | 11018 | RADIUS is re-using an existing session |
| | 12104 | Extracted EAP-Response containing EAP-FAST challenge-response |
| | 11808 | Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated |
| | 15041 | Evaluating Identity Policy |
| | 15013 | Selected Identity Source - Internal CTS Devices |
| | 24213 | Found SGA Device in Network Devices and AAA Clients |
| | 22037 | Authentication Passed |
| | 11824 | EAP-MSCHAP authentication attempt passed |
| | 12105 | Prepared EAP-Request with another EAP-FAST challenge |
| | 11006 | Returned RADIUS Access-Challenge |
| | 11001 | Received RADIUS Access-Request |
| | 11018 | RADIUS is re-using an existing session |
| | 12104 | Extracted EAP-Response containing EAP-FAST challenge-response |
| | 11810 | Extracted EAP-Response for inner method containing MSCHAP challenge-response |
| | 11814 | Inner EAP-MSCHAP authentication succeeded |
| | 11519 | Prepared EAP-Success for inner EAP method |
| | 12128 | EAP-FAST inner method finished successfully |
| | 12105 | Prepared EAP-Request with another EAP-FAST challenge |
| | 11006 | Returned RADIUS Access-Challenge |
| | 11001 | Received RADIUS Access-Request |
| | 11018 | RADIUS is re-using an existing session |
| | 12104 | Extracted EAP-Response containing EAP-FAST challenge-response |
| | 12126 | EAP-FAST cryptobinding verification passed |
| | 12200 | Approved EAP-FAST client Tunnel PAC request |
| | 15016 | Selected Authorization Profile - |
| | 12173 | Successfully finished EAP-FAST CTS PAC provisioning/update |
| | 12105 | Prepared EAP-Request with another EAP-FAST challenge |
| | 11006 | Returned RADIUS Access-Challenge |
| | 11001 | Received RADIUS Access-Request |
| | 11018 | RADIUS is re-using an existing session |
| | 12104 | Extracted EAP-Response containing EAP-FAST challenge-response |
| | 11401 | Prepared RADIUS Access-Reject after the successful in-band PAC provisioning |
| | 11504 | Prepared EAP-Failure |
| | 11003 | Returned RADIUS Access-Reject |
Any insight would be appreciated.
Thanks
