10-30-2023 08:36 AM
Hi all!
We're using Cisco Trustsec in our Branch Office and currently investigating an interesting issue - it looks like Radius Suppression does not work for endpoints connected to NADs onboarded for CTS.
As a result we see all of the failed attempts (MAB, for example) for every endpoint, whereas having radius suppression turned on:
For all of them we see expected reject:
Our Radius Suppression Settings:
I've collected some debugs and it looks like CTS has some impact here:
2023-10-30 22:17:24,466 DEBUG [Thread-250][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- ClientSuppression,DEBUG,0x7f348e1a3700,cntx=0000106875,sesn=ise-1n2/488037056/2462,CPMSessionID=6704840A0001C45A35C19954,CallingStationID=6C-24-08-8A-E9-26,FramedIPAddress=10.132.74.148,ClientSuppression isRejectEndpoint: EndpointID=6C:24:08:8A:E9:26,ClientSuppression.cpp:424
2023-10-30 22:17:24,466 DEBUG [Thread-250][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- ClientSuppression,DEBUG,0x7f348e1a3700,cntx=0000106875,sesn=ise-1n2/488037056/2462,CPMSessionID=6704840A0001C45A35C19954,CallingStationID=6C-24-08-8A-E9-26,FramedIPAddress=10.132.74.148,ClientSuppression endpoint is not in the misconfigured list,ClientSuppression.cpp:468
2023-10-30 22:17:24,523 DEBUG [Thread-211][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Radius,DEBUG,0x7f348e5a7700,cntx=0000106875,sesn=ise-1n2/488037056/2462,CPMSessionID=6704840A0001C45A35C19954,user=6C-24-08-8A-E9-26,CallingStationID=6C-24-08-8A-E9-26,FramedIPAddress=10.132.74.148,FAILED ATTEMPT - AccessReject detected.,RadiusRequestFlow.cpp:758
2023-10-30 22:17:24,523 DEBUG [Thread-211][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- ClientSuppression,DEBUG,0x7f348e5a7700,cntx=0000106875,sesn=ise-1n2/488037056/2462,CPMSessionID=6704840A0001C45A35C19954,user=6C-24-08-8A-E9-26,CallingStationID=6C-24-08-8A-E9-26,FramedIPAddress=10.132.74.148,ClientSuppression OnFailure: prevent client suppression for CTS client endpoint,ClientSuppression.cpp:148
However, I did not find any input on such behavior in documentation. Any thoughts?
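Added example, not part of the original post and not Cisco tooling: a small parser for the prrt debug lines quoted above that reports endpoints whose Access-Reject was followed by the "prevent client suppression for CTS client endpoint" decision, which is useful evidence to attach to a TAC case. The function names and the assumption that the message field contains no comma are mine; the sample lines are the ones from the post.

```python
from collections import defaultdict

# Debug lines copied from the post above (not constructed).
SAMPLE = """\
2023-10-30 22:17:24,466 DEBUG [Thread-250][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- ClientSuppression,DEBUG,0x7f348e1a3700,cntx=0000106875,sesn=ise-1n2/488037056/2462,CPMSessionID=6704840A0001C45A35C19954,CallingStationID=6C-24-08-8A-E9-26,FramedIPAddress=10.132.74.148,ClientSuppression isRejectEndpoint: EndpointID=6C:24:08:8A:E9:26,ClientSuppression.cpp:424
2023-10-30 22:17:24,466 DEBUG [Thread-250][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- ClientSuppression,DEBUG,0x7f348e1a3700,cntx=0000106875,sesn=ise-1n2/488037056/2462,CPMSessionID=6704840A0001C45A35C19954,CallingStationID=6C-24-08-8A-E9-26,FramedIPAddress=10.132.74.148,ClientSuppression endpoint is not in the misconfigured list,ClientSuppression.cpp:468
2023-10-30 22:17:24,523 DEBUG [Thread-211][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Radius,DEBUG,0x7f348e5a7700,cntx=0000106875,sesn=ise-1n2/488037056/2462,CPMSessionID=6704840A0001C45A35C19954,user=6C-24-08-8A-E9-26,CallingStationID=6C-24-08-8A-E9-26,FramedIPAddress=10.132.74.148,FAILED ATTEMPT - AccessReject detected.,RadiusRequestFlow.cpp:758
2023-10-30 22:17:24,523 DEBUG [Thread-211][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- ClientSuppression,DEBUG,0x7f348e5a7700,cntx=0000106875,sesn=ise-1n2/488037056/2462,CPMSessionID=6704840A0001C45A35C19954,user=6C-24-08-8A-E9-26,CallingStationID=6C-24-08-8A-E9-26,FramedIPAddress=10.132.74.148,ClientSuppression OnFailure: prevent client suppression for CTS client endpoint,ClientSuppression.cpp:148
"""

def parse(line):
    """Return a dict for one prrt debug line, or None if it does not match."""
    head, sep, body = line.partition(" -:::::- ")
    parts = body.split(",")
    if not sep or len(parts) < 5:
        return None
    rec = {"ts": head[:23], "component": parts[0],
           "message": parts[-2], "source": parts[-1]}
    # Fields between the thread pointer and the message are key=value attributes.
    # Assumption: the message has no comma. It may contain '=' (EndpointID=...),
    # so it is taken by position and never split as an attribute.
    for kv in parts[3:-2]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec

def cts_suppression_bypasses(text):
    """Map CallingStationID -> number of rejected sessions where suppression was skipped for CTS."""
    sessions = defaultdict(lambda: {"mac": None, "reject": False, "skipped": False})
    for rec in filter(None, map(parse, text.splitlines())):
        s = sessions[rec.get("CPMSessionID")]
        s["mac"] = rec.get("CallingStationID", s["mac"])
        s["reject"] |= "AccessReject detected" in rec["message"]
        s["skipped"] |= (rec["component"] == "ClientSuppression"
                         and "prevent client suppression for CTS client" in rec["message"])
    counts = defaultdict(int)
    for s in sessions.values():
        if s["reject"] and s["skipped"]:
            counts[s["mac"]] += 1
    return dict(counts)

if __name__ == "__main__":
    print(cts_suppression_bypasses(SAMPLE))
```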
11-02-2023 01:24 PM
What version of ISE is this? You might want to open a TAC case. I agree with you - I don't see why CTS should make any difference with respect to the suppression functionality in ISE.
11-06-2023 09:55 PM
Currently we're on 2.7.0.356 Patch 6. Agree with you, we'll definitely open an SR to investigate this.