cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

3394
Views
5
Helpful
7
Replies
Highlighted
Beginner

ISE Trustsec with 6500

I've ISE v1.1.2.145 and Cat 6500 IOS ADVENTERPRISEK9-M, Version 15.0(1)SY2

I'm trying to add 6500 in the trustsec group with ISE and followed the trustsec 2.1 documentation. After configuring it keeps on giving me error in the ISE logs below with the subject #CTSREQUEST#

11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute

Below are the steps:

11001  Received RADIUS Access-Request

11017  RADIUS created a new session

15012  Selected Access Service - NDAC_SGT_Service

11302  Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute

Also after i configure cts credentials and radius-server pac command in 6500, it starts giving me log messages that radius is down and the next moment it comes up again. It is continously doing that.

Thanks in advance for the help.

Regards,

Zohaib

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

had a similar issue the one you having.

 

just make sure you have right config. which i assume you do.

 

 

aaa new-model

aaa authentication dot1x default group ISE

aaa authorization default group ISE

aaa authorization ISE group ISE

aaa accounting dot1x default start-stop group ISE

aaa group radius server ISE

 radius server CISCO

aaa server radius dynamic author

 client X.X.X.X. serverkey cisco

radius server CISCO

 addres ipv4 x.x.x.x auth-port 1812 acct-port 1813

 pac key cisco

!

radius-server attribute 6 on

radius-server attribute 8

radius-server attribute 25

radius-server vsa sent auth

radius-server vsa sent account

!

dot1x system-auth

!

cts authorization list ISE

!

cts credentials id <device id> password <password>

!

give it 5 to 10 min. it will download it.

 

 

 

also make sure to use the port 1812 1813.

please do not forget to rate.

View solution in original post

7 REPLIES 7
Highlighted
Beginner

Highlighted

I've already opened a TAC case and the engineer said every thing is configured fine. Will send some debugs to them. I'll update here once the case is solved.

Thanks for your help.

Regards,

Zohaib

Highlighted
Beginner

Hi Zohaib

I've been facing the same error-messages and you, and found a pritty good "Step by Step guide" which helped me out:

http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/identity-based-networking-service/116498-configure-cts-00.html

Best Regards

Jarle

Highlighted
Beginner

Hi Zohaib,

could you solve this issue? I have the same problem to authenticate 3850 core switches in ISE.

Highlighted

Sam,

Are you receiving a cts pac on any switches or are you setting up a new trustsec environment, making this is the first one and it doesn't work? There are a few reasons this log can appear. Some basic things to check when you are having issues with trustsec switches.

The Simple scenarios
1. Missing cts credential ID and password. The credentials don't show up in running config, run "sh cts credentials" will display what was configured. You will not see the password configured, only the ID.
2. Cts device credentials do not match. Similar to scenario 1, the same CTS ID and password has to be configured in for the NAD in ISE and on the NAD itself.
3. Radius pac keys are misconfigured either on the switch or in ISE
4. Dynamic author keys are misconfigured.

More complex scenarios
5. The cts request on a 3850 does not include a calling station id in the radius packets. If you are using load balancers then the CTS provisioning process breaks until magic happens and all the packets hit the same PSN. Need to tweak the load balancing algorithm if only using calling station ID.
6. MTU issues. Either via some ugly bugs in early code, or a simple misconfiguration like missing cts manual on one side of a link. You can end up dropping packets before 1500 bytes. An easy test it to source a ping from the management interface at the configured MTU size.
Highlighted

Please check the whether the credentials configured at the NAD is matching the credentials configured in ISE for the respective NAD.

You can refer this link to check the credentials at ISE end.

Use this command to configure cts credentials at NAD

cts credentials id <device id> password <password>

After that check whether pac is generated at the NAD using show cts pacs

 

-Aravind

-Aravind
Highlighted

had a similar issue the one you having.

 

just make sure you have right config. which i assume you do.

 

 

aaa new-model

aaa authentication dot1x default group ISE

aaa authorization default group ISE

aaa authorization ISE group ISE

aaa accounting dot1x default start-stop group ISE

aaa group radius server ISE

 radius server CISCO

aaa server radius dynamic author

 client X.X.X.X. serverkey cisco

radius server CISCO

 addres ipv4 x.x.x.x auth-port 1812 acct-port 1813

 pac key cisco

!

radius-server attribute 6 on

radius-server attribute 8

radius-server attribute 25

radius-server vsa sent auth

radius-server vsa sent account

!

dot1x system-auth

!

cts authorization list ISE

!

cts credentials id <device id> password <password>

!

give it 5 to 10 min. it will download it.

 

 

 

also make sure to use the port 1812 1813.

please do not forget to rate.

View solution in original post

Content for Community-Ad