Not getting CTS PAC on Cat9300

AntonioMacia
Level 1

Hi,

 

I've configured a Cat9300 running Gibraltar 16.12.3 to retrieve its CTS PAC but it is not working. This is my current config:

 

9300-access#sh run | sec radius
aaa group server radius ise-pac
server name ise-pac


aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization network cts-list group ise-pac
aaa accounting update newinfo periodic 30
aaa accounting dot1x default start-stop group radius

aaa server radius dynamic-author
client 10.254.11.30 server-key xxxxx
username radius-test password 0 xxxxx
ip radius source-interface TenGigabitEthernet1/0/48
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15


radius server ise-lab
address ipv4 10.254.11.30 auth-port 1812 acct-port 1813
automate-tester username radius-test probe-on


radius server ise-pac
address ipv4 10.254.11.30 auth-port 1645 acct-port 1646
pac key xxxxx



9300-access#sh run | i cts
aaa authorization network cts-list group ise-pac
cts authorization list cts-list


9300-access#show cts pac
No PACs found in the key store.


9300-access#show cts credentials
CTS password is defined in keystore, device-id = 9300-access

 

9300-access#show keystore
Using software keystore emulation.
Keystore contains the following records (S=Simple Secret, P=PAC, R=RSA):

Index Type Name
----- ---- ----
0     S    CTS-password

 

In the ISE Radius live logs I get two types of authentication errors.

  • One for the username "CTS Client" that says: "5411 Supplicant stopped responding to ISE. Failure Reason 12508 EAP-TLS handshake failed".
  • Another with the generic "USERNAME" that receives the AVPair "AAA:service-type=cts-pac-provisioning" and also the "12508 EAP-TLS handshake failed" failure.

 

Any idea?

Thx

8 Replies

balaji.bandi
Hall of Fame

show version

show License

 

 

BB


Hi Balaji,

 

There it goes. It is a PoC and the device is not registered yet, but dot1x for client authentication works fine. 

 

9300-access#show version
Cisco IOS XE Software, Version 16.12.03
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.12.3, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Mon 09-Mar-20 22:02 by mcpre


ROM: IOS-XE ROMMON
BOOTLDR: System Bootstrap, Version 16.12.2r, RELEASE SOFTWARE (P)

9300-access uptime is 3 weeks, 6 days, 1 hour, 26 minutes
Uptime for this control processor is 3 weeks, 6 days, 1 hour, 27 minutes
System returned to ROM by PowerOn
System restarted at 15:04:23 UTC Tue Mar 29 2022
System image file is "flash:packages.conf"
Last reload reason: PowerOn


Technology Package License Information:

------------------------------------------------------------------------------
Technology-package                   Technology-package
Current             Type             Next reboot
------------------------------------------------------------------------------
network-advantage   Smart License    network-advantage
dna-advantage       Subscription Smart License dna-advantage
AIR License Level: AIR DNA Advantage
Next reload AIR license Level: AIR DNA Advantage


Smart Licensing Status: UNREGISTERED/EVAL EXPIRED

cisco C9300-48UXM (X86) processor with 1343703K/6147K bytes of memory.
Processor board ID xxxx
2 Virtual Ethernet interfaces
4 Gigabit Ethernet interfaces
36 2.5 Gigabit Ethernet interfaces
20 Ten Gigabit Ethernet interfaces
2 TwentyFive Gigabit Ethernet interfaces
2 Forty Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
8388608K bytes of physical memory.
1638400K bytes of Crash Files at crashinfo:.
11264000K bytes of Flash at flash:.
0K bytes of WebUI ODM Files at webui:.

Base Ethernet MAC Address : xxxx
Motherboard Assembly Number : xxxx
Motherboard Serial Number : xxxx
Model Revision Number : A0
Motherboard Revision Number : A0
Model Number : C9300-48UXM
System Serial Number : xxxx


Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 65    C9300-48UXM        16.12.3           CAT9K_IOSXE           INSTALL


Configuration register is 0x102


9300-access# show license all
Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
Status: UNREGISTERED
Export-Controlled Functionality: NOT ALLOWED

License Authorization:
Status: EVAL EXPIRED on Mar 14 14:06:38 2022 UTC

Export Authorization Key:
Features Authorized:
<none>

Utility:
Status: DISABLED

Data Privacy:
Sending Hostname: yes
Callhome hostname privacy: DISABLED
Smart Licensing hostname privacy: DISABLED
Version privacy: DISABLED

Transport:
Type: Callhome

License Usage
==============

(C9300-48 Network Advantage):
Description:
Count: 1
Version: 1.0
Status: EVAL EXPIRED
Export status: NOT RESTRICTED

(C9300-48 DNA Advantage):
Description:
Count: 1
Version: 1.0
Status: EVAL EXPIRED
Export status: NOT RESTRICTED

Product Information
===================
UDI: PID:C9300-48UXM,SN:xxxx

Agent Version
=============
Smart Agent for Licensing: 4.8.7_rel/52

Reservation Info
================
License reservation: DISABLED

show aaa servers ?

RADIUS: id 1, priority 1, host 10.254.11.30, auth-port 1812, acct-port 1813, hostname ise-lab
State: current UP, duration 257723s, previous duration 950480s
Dead: total time 950480s, count 0
Platform State from SMD: current DEAD, duration 2988s, previous duration 0s
SMD Platform Dead: total time 1208206s, count 0
Platform State from WNCD (1) : current UP
Platform State from WNCD (2) : current UP
Platform State from WNCD (3) : current UP
Platform State from WNCD (4) : current UP
Platform State from WNCD (5) : current UP
Platform State from WNCD (6) : current UP
Platform State from WNCD (7) : current UP
Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s
Platform Dead: total time 0s, count 0
Quarantined: No
Authen: request 8489, timeouts 8256, failover 0, retransmission 6192
Response: accept 3, reject 60, challenge 170
Response: unexpected 0, server error 0, incorrect 104, time 6590ms
Transaction: success 233, failure 2064
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 52
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Account: request 4137, timeouts 4128, failover 0, retransmission 3096
Request: start 3, interim 0, stop 3
Response: start 3, interim 0, stop 3
Response: unexpected 0, server error 0, incorrect 0, time 164ms
Transaction: success 9, failure 1032
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Elapsed time since counters last cleared: 1w6d23h36m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Consecutive Response Failures: total 3094
SMD Platform : max 1031, current 0 total 1031
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 2063, current 0 total 2063
Consecutive Timeouts: total 12382
SMD Platform : max 4127, current 0 total 4127
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 8255, current 0 total 8255
Requests per minute past 24 hours:
high - 23 hours, 36 minutes ago: 0
low - 23 hours, 36 minutes ago: 0
average: 0

RADIUS: id 2, priority 2, host 10.254.11.30, auth-port 1645, acct-port 1646, hostname ise-pac
State: current UP, duration 3080s, previous duration 0s
Dead: total time 0s, count 0
Platform State from SMD: current UP, duration 3080s, previous duration 0s
SMD Platform Dead: total time 0s, count 0
Platform State from WNCD (1) : current UP
Platform State from WNCD (2) : current UP
Platform State from WNCD (3) : current UP
Platform State from WNCD (4) : current UP
Platform State from WNCD (5) : current UP
Platform State from WNCD (6) : current UP
Platform State from WNCD (7) : current UP
Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s
Platform Dead: total time 0s, count 0
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Elapsed time since counters last cleared: 51m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Consecutive Response Failures: total 0
SMD Platform : max 0, current 0 total 0
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 0, current 0 total 0
Consecutive Timeouts: total 0
SMD Platform : max 0, current 0 total 0
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 0, current 0 total 0
Requests per minute past 24 hours:
high - 0 hours, 51 minutes ago: 0
low - 0 hours, 51 minutes ago: 0

It seems to me that the switch is not communicating very well with ISE:

 

 

Authen: request 8489, timeouts 8256, failover 0, retransmission 6192
Response: accept 3, reject 60, challenge 170
Response: unexpected 0, server error 0, incorrect 104, time 6590ms
Transaction: success 233, failure 2064
Bad authenticators: 52
Account: request 4137, timeouts 4128, failover 0, retransmission 3096
Request: start 3, interim 0, stop 3
Response: start 3, interim 0, stop 3
Response: unexpected 0, server error 0, incorrect 0, time 164ms
Transaction: success 9, failure 1032

Mike.Cifelli
VIP Alumni

Can you share a screenshot of a radius detailed live log so we can see the detailed steps?  Also, try #debug cts from NAD and share relevant logs.

Hi,

 

Switched to a 3750X to rule out issues with the Cat9300 but the problem persists. I've attached the log from ISE. 

Based on the message it looks like the credentials set on both ends (switch and ISE) don't match, but I'm sure they do since I created them several times.

This is the output from the debug:

 

*Jan 2 03:28:29.226: Request for pac provisioning is already in progress.Calling pac provisioning stop
*Jan 2 03:28:29.226: CTS-provisioning: Received cancellation request for job 0x1BA70016.
*Jan 2 03:28:29.226: CTS-provisioning: Cancelling request for token(1BA70016)
*Jan 2 03:28:29.226: CTS-provisioning: cts_provi_server_cleanup: 10.254.11.30
*Jan 2 03:28:29.234: CTS-provisioning: Starting new control block for server 10.254.11.30:
*Jan 2 03:28:29.234: CTS-provisioning: cts_provi_init_socket: Checking for any vrf associated with 10.254.11.30
*Jan 2 03:28:29.234: CTS-provisioning:
cts_provi_init_socket Server Group Handle: EA000003, VRF Tableid: 0
*Jan 2 03:28:29.234: CTS-provisioning: socket->laddress.ip_addr = 0.0.0.0, last resort - use the best local ip.

*Jan 2 03:28:29.234: CTS-provisioning: cts_provi_init_socket: Last source table_id = 0
*Jan 2 03:28:29.234: CTS-provisioning: New session socket: src=192.168.48.67:57612 dst=10.254.11.30:1812
*Jan 2 03:28:29.234: CTS-provisioning: cts_provi_init_socket: Checking for any vrf associated with 10.254.11.30
*Jan 2 03:28:29.234: CTS-provisioning:
cts_provi_init_socket Server Group Handle: EA000003, VRF Tableid: 0
*Jan 2 03:28:29.234: CTS-provisioning: socket->laddress.ip_addr = 0.0.0.0, last resort - use the best local ip.

*Jan 2 03:28:29.234: CTS-provisioning: cts_provi_init_socket: Last source table_id = 0
*Jan 2 03:28:29.234: CTS-provisioning: New session socket: src=192.168.48.67:57612 dst=10.254.11.30:1812
*Jan 2 03:28:29.234: CTS-provisioning: Sending EAP Response/Identity to 10.254.11.30
*Jan 2 03:28:29.234: CTS-provisioning: OUTGOING RADIUS msg to 10.254.11.30:
0EC68A80: 01010090 6ED72CD1 C274785E
0EC68A90: 3C4F0A00 B4FA003A 010C4354 5320636C
0EC68AA0: 69656E74 0406C0A8 30433D06 00000000
0EC68AB0: 06060000 00021F0E 36633939 38393434
0EC68AC0: 62623030 1A2D0000 00090127 4141413A
0EC68AD0: 73657276 6963652D 74797065 3D637473
0EC68AE0: 2D706163 2D70726F 76697369 6F6E696E
0EC68AF0: 674F1102 00000F01 43545320 636C6965
0EC68B00: 6E745012 C0BFE49B 4E1B2D20 8BD019A5
0EC68B10: 137CC93A 2A
*Jan 2 03:28:29.242: CTS-provisioning: INCOMING RADIUS msg from 10.254.11.30:
0E9D1520: 0B0100A9 982430A1 7159B7A0 B30B3260
0E9D1530: E21BD454 18673634 43504D53 65737369
0E9D1540: 6F6E4944 3D306166 65306231 65514D4D
0E9D1550: 76436B37 6C306B76 3052796F 6F456F6E
0E9D1560: 476C6376 664C5669 4C516D57 49626163
0E9D1570: 46702F52 4E783749 3B333153 65737369
0E9D1580: 6F6E4944 3D697365 6C61622F 34333838
0E9D1590: 30343032 342F3437 30323B4F 1C010200
0E9D15A0: 1A2B2100 0400105D 47B00449 B2621744
0E9D15B0: 0496D91E 0A20EE50 126162F4 F0E51018
0E9D15C0: 1CCF3C2C 1F075B6A 04FE
*Jan 2 03:28:29.242: CTS-provisioning: Received RADIUS challenge from 10.254.11.30.
*Jan 2 03:28:29.242: CTS-provisioning: A-ID for server 10.254.11.30 is "5d47b00449b26217440496d91e0a20ee"
*Jan 2 03:28:29.242: CTS-provisioning: Received TX_PKT from EAP method
*Jan 2 03:28:29.242: CTS-provisioning: Sending EAPFAST response to 10.254.11.30
*Jan 2 03:28:29.242: CTS-provisioning: OUTGOING RADIUS msg to 10.254.11.30:
0E010D70: 01020124
0E010D80: D67899A3 A8F52CAA 21388E05 65485585
0E010D90: 010C4354 5320636C 69656E74 0406C0A8
0E010DA0: 30433D06 00000000 06060000 00021F0E
0E010DB0: 36633939 38393434 62623030 18673634
0E010DC0: 43504D53 65737369 6F6E4944 3D306166
0E010DD0: 65306231 65514D4D 76436B37 6C306B76
0E010DE0: 3052796F 6F456F6E 476C6376 664C5669
0E010DF0: 4C516D57 49626163 46702F52 4E783749
0E010E00: 3B333153 65737369 6F6E4944 3D697365
0E010E10: 6C61622F 34333838 30343032 342F3437
0E010E20: 30323B1A 2D000000 09012741 41413A73
0E010E30: 65727669 63652D74 7970653D 6374732D
0E010E40: 7061632D 70726F76 6973696F 6E696E67
0E010E50: 4F3E0202 003C2B01 16030100 31010000
0E010E60: 2D030169 7574AAAB 5840DB1B 508FC595
0E010E70: 42A847AC 12034EDB 48ED4909 E7C91963
0E010E80: 562FD600 00040034 00330100 00005012
0E010E90: 8914643F F08E56A3 15075C95 32675A74
0E010EA0: A9
*Jan 2 03:28:29.251: CTS-provisioning: INCOMING RADIUS msg from 10.254.11.30:
0E9D1DE0: 0B02009C BCED01CC 17BFA6CA 1CB2D757
0E9D1DF0: A03209A5 18673634 43504D53 65737369
0E9D1E00: 6F6E4944 3D306166 65306231 65514D4D
0E9D1E10: 76436B37 6C306B76 3052796F 6F456F6E
0E9D1E20: 476C6376 664C5669 4C516D57 49626163
0E9D1E30: 46702F52 4E783749 3B333153 65737369
0E9D1E40: 6F6E4944 3D697365 6C61622F 34333838
0E9D1E50: 30343032 342F3437 30323B4F 0F010300
0E9D1E60: 0D2B0115 03010002 02465012 21A42D81
0E9D1E70: B89704C2 A667C9AE 90F9E272 94
*Jan 2 03:28:29.259: CTS-provisioning: Received RADIUS challenge from 10.254.11.30.
*Jan 2 03:28:29.268: CTS-provisioning: Received TX_PKT from EAP method
*Jan 2 03:28:29.268: CTS-provisioning: Sending EAPFAST response to 10.254.11.30
*Jan 2 03:28:29.268: CTS-provisioning: OUTGOING RADIUS msg to 10.254.11.30:
0E010D70: 010300EE
0E010D80: B37DEC2B AFF034FB 78A3C5EE 1523BFBA
0E010D90: 010C4354 5320636C 69656E74 0406C0A8
0E010DA0: 30433D06 00000000 06060000 00021F0E
0E010DB0: 36633939 38393434 62623030 18673634
0E010DC0: 43504D53 65737369 6F6E4944 3D306166
0E010DD0: 65306231 65514D4D 76436B37 6C306B76
0E010DE0: 3052796F 6F456F6E 476C6376 664C5669
0E010DF0: 4C516D57 49626163 46702F52 4E783749
0E010E00: 3B333153 65737369 6F6E4944 3D697365
0E010E10: 6C61622F 34333838 30343032 342F3437
0E010E20: 30323B1A 2D000000 09012741 41413A73
0E010E30: 65727669 63652D74 7970653D 6374732D
0E010E40: 7061632D 70726F76 6973696F 6E696E67
0E010E50: 4F080203 00062B01 5012D30D E38D99D7
0E010E60: AE4A8966 4DD2E161 93B9DB
*Jan 2 03:28:29.276: CTS-provisioning: INCOMING RADIUS msg from 10.254.11.30:
0E9D26A0: 0303002C A21C8685 BC0871AA DDF0159A
0E9D26B0: 5D30D393 4F060403 00045012 6972DF55
0E9D26C0: 476D765C 9DE54A7D 740C4F5D 57
*Jan 2 03:28:29.276: CTS-provisioning: Received RADIUS reject from 10.254.11.30.
*Jan 2 03:28:29.276: CTS-provisioning: Moving server 10.254.11.30 to A-ID 5d47b00449b26217440496d91e0a20ee group

 

Regards.
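The RADIUS hex dumps in the debug above can be read without a packet capture. The following is an added example (the editor's, not code from the thread or from Cisco): it parses the Access-Challenge dump exactly as pasted above, first the RADIUS header and attributes per RFC 2865, then the reassembled EAP-Message payload and the EAP-FAST TLS record inside it, so the reason the handshake stopped can be read off directly. The function names and the handling of the extra trailing byte the IOS dump prints are this example's own assumptions; the alert names come from RFC 5246.

```python
import re
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate",
              48: "unknown_ca", 70: "protocol_version"}

# Access-Challenge from the debug output above, pasted unchanged.
CHALLENGE_DUMP = """
0E9D1DE0: 0B02009C BCED01CC 17BFA6CA 1CB2D757
0E9D1DF0: A03209A5 18673634 43504D53 65737369
0E9D1E00: 6F6E4944 3D306166 65306231 65514D4D
0E9D1E10: 76436B37 6C306B76 3052796F 6F456F6E
0E9D1E20: 476C6376 664C5669 4C516D57 49626163
0E9D1E30: 46702F52 4E783749 3B333153 65737369
0E9D1E40: 6F6E4944 3D697365 6C61622F 34333838
0E9D1E50: 30343032 342F3437 30323B4F 0F010300
0E9D1E60: 0D2B0115 03010002 02465012 21A42D81
0E9D1E70: B89704C2 A667C9AE 90F9E272 94
"""

def dump_to_bytes(dump):
    # Drop the 'ADDR:' column and join the hex words into raw bytes.
    hexwords = re.sub(r"(?m)^\s*[0-9A-Fa-f]+:", "", dump).split()
    return bytes.fromhex("".join(hexwords))

def parse_radius(raw):
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    # Honour the Length field: the IOS dump prints one byte past the packet.
    attrs, pos = [], 20
    while pos + 2 <= length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return {"code": RADIUS_CODES.get(code, code), "id": ident, "attrs": attrs}

def decode_eap_fast(msg):
    # Reassemble EAP-Message (79) fragments, then read the EAP-FAST TLS record.
    eap = b"".join(val for atype, val in msg["attrs"] if atype == 79)
    if len(eap) < 4:
        return None
    out = {"eap_code": eap[0], "eap_id": eap[1]}          # 1=Request 4=Failure
    if len(eap) < 6 or eap[4] != 43:                      # 43 = EAP-FAST
        return out
    tls = eap[10:] if eap[5] & 0x80 else eap[6:]          # L bit => TLS length
    if len(tls) >= 5:
        out["tls_version"] = "%d.%d" % (tls[1], tls[2])
    if len(tls) >= 7 and tls[0] == 21:                    # 21 = Alert record
        out["alert"] = ("fatal" if tls[5] == 2 else "warning",
                        TLS_ALERTS.get(tls[6], tls[6]))
    return out

def diagnose(dump):
    return decode_eap_fast(parse_radius(dump_to_bytes(dump)))
```

On this dump it reports an EAP-Request carrying a fatal TLS alert protocol_version, sent in reply to the switch's TLS 1.0 ClientHello in the preceding outgoing message, so the TLS versions ISE accepts are worth checking before re-entering the shared secret.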

 

 

 

Mike.Cifelli
VIP Alumni

Based on the message it looks like the credentials set on both ends (switch and ISE) don't match, but I'm sure they do since I created them several times.

-Can you verify that the NAD in question has the proper trustsec configuration defined in its attributes? Administration->Network Resources->Network Devices; Select device, scroll to bottom and make sure 'Advanced TrustSec Settings' are accurate.  May be worth a shot to reconfigure and test again to be sure they are accurate.  Also, make sure radius is sourced with proper NAD mgmt interface that is used in ISE.  I have seen that be an issue before.
