Problem provisioning trustsec PAC from ISE 3.0

ibingbong
Level 1

Hi community,

I am new to the Cisco ISE world and am preparing for the 300-715 exam.

In my lab I have ISE version 3.0 with an evaluation licence and am using a Catalyst 9500 for testing.

I did all the base configurations to enable TrustSec, and any time I try to provision the PAC from ISE I get the following messages:

CORE2(config-radius-server)#pac key xxxxxxxxxxxx
CORE2(config-radius-server)#
CORE2#
*Oct 30 10:46:19.784: Request for pac provisioning is already in progress.Calling pac provisioning stop
*Oct 30 10:46:19.784: Received PAC provisioning stop request for job 0xC.
*Oct 30 10:46:19.784: Received PAC provisioning request for 10.10.22.10:1812 with AAA-handle=0x96000006
*Oct 30 10:46:19.784: Request successfully sent to PAC Provisioning driver.

and then:

: CTS env-data: Time to retry env data download
*Oct 30 10:48:39.559: CTS-core-ha-ev:cts_core_ha_is_active :1
*Oct 30 10:48:39.559: cts_env_data WAITING_RESPONSE: during state env_data_waiting_rsp, got event 0(env_data_request)
*Oct 30 10:48:39.559: @@@ cts_env_data WAITING_RESPONSE: env_data_waiting_rsp -> env_data_waiting_rsp
*Oct 30 10:48:39.559: CTS-core-ha-ev:cts_core_ha_is_active :1
*Oct 30 10:48:39.559: pac_provi_resp_q is not empty.Found the tail element with addr=x.x.x.x and
*Oct 30 10:48:39.559: PAC not found.Trigger a PAC provisioning job in BINOS for addr=x.x.x.x
*Oct 30 10:48:39.559: PAC NOT-found on box for server:x.x.x.x. Trigger PAC-provisioning first. Retry ENV download after sometime
*Oct 30 10:48:39.559: CTS-rcl-server-events:Sending pac provi trigger message to BINOS, msg_len:276
*Oct 30 10:48:39.559: CTS-rcl-server-events:Marshalling done, sending msg to BINOS

Also see attached capture from ISE live logs

Could you please advise?

Yann


ibingbong
Level 1

Sorry I forgot to mention.

No PACs found in the key store!!!

jeaves@cisco.com
Cisco Employee

Double check the config on the 9500 and on ISE.
On 9500 check you have:
aaa authentication login cts-list group xx local
aaa authentication dot1x default group xx
aaa authorization network default group xx
aaa authorization network cts-list group xx
!
cts authorization list cts-list

Ensure you have cts credentials configured on the 9500 to match up with ISE under Device/TrustSec settings

Looks like you have pac key configured under the radius server.
Carry out clear cts env and clear cts pac all, then 'cts refresh pac' and watch ISE live logs.


Also ensure you have TLS 1.0 enabled via the "Allow TLS 1.0" checkbox under Admin settings / Security Settings. PAC provisioning needs this and it is disabled now by default. Note: this causes an ISE app reload.
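
The switch-side checklist in the reply above can be run as an offline audit of a saved running-config. This is an added example, not part of the original posts and not Cisco tooling; the group name ISE-GRP, server name ISE1, key value and the audit function are hypothetical, and both configs are constructed samples.

```python
import re

# Constructed sample running-config (not from the thread).
# ISE-GRP, ISE1 and EXAMPLE-KEY are hypothetical placeholders.
GOOD_CONFIG = """\
aaa new-model
aaa authentication login cts-list group ISE-GRP local
aaa authentication dot1x default group ISE-GRP
aaa authorization network default group ISE-GRP
aaa authorization network cts-list group ISE-GRP
!
cts authorization list cts-list
!
radius server ISE1
 address ipv4 10.10.22.10 auth-port 1812 acct-port 1813
 pac key EXAMPLE-KEY
"""
# Constructed broken variant: CTS list name mismatch and no PAC key.
BAD_CONFIG = (GOOD_CONFIG
              .replace("cts authorization list cts-list", "cts authorization list ctslist")
              .replace(" pac key EXAMPLE-KEY\n", ""))

REQUIRED = [
    r"aaa authentication login \S+ group \S+",
    r"aaa authentication dot1x default group \S+",
    r"aaa authorization network default group \S+",
]

def audit(config: str) -> list[str]:
    """Return findings for the checklist; an empty list means all checks passed."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = [f"missing line matching: {p}" for p in REQUIRED
                if not any(re.match(p, l) for l in lines)]
    # The list named by 'cts authorization list' must exist as a network authorization list.
    net_lists = {m.group(1) for l in lines
                 if (m := re.match(r"aaa authorization network (\S+) group \S+", l))}
    cts = [m.group(1) for l in lines if (m := re.match(r"cts authorization list (\S+)", l))]
    if not cts:
        findings.append("missing: cts authorization list <name>")
    findings += [f"cts list '{n}' has no 'aaa authorization network {n}' line"
                 for n in cts if n not in net_lists]
    # 'pac key' must appear as an indented sub-command of a 'radius server' stanza.
    in_stanza, has_pac = False, False
    for l in lines:
        if l.startswith("radius server "):
            in_stanza = True
        elif l.startswith(" ") and in_stanza:
            has_pac = has_pac or l.strip().startswith("pac key ")
        else:
            in_stanza = False
    if not has_pac:
        findings.append("no radius server stanza carries a 'pac key'")
    return findings
```

A clean result covers only the switch side; the ISE-side items from the thread (the device's TrustSec settings and the "Allow TLS 1.0" checkbox) are not visible in the switch config.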

Hi Jeaves,

Enabling TLS 1.0 solved the problem. I didn't come across any document that says I have to do so.

Over the weekend I built another lab using ISE version 2.4 and the provisioning was working just fine with that version.

I guess it was not a requirement at this time.

Thank you very much