Renewing Trustsec PAC on ISE

RahmaSallm
Level 1

Anyone know how to renew an expired TrustSec PAC on ISE? I'm asking this because we can't SSH into our switches any more. We keep getting "expired PAC" when trying to log in. When we check ISE, we see that the PAC expired quite a while ago. Check the attached images.

I can't find a document on how to renew it, only on configuration.

Accepted Solution

Greg Gibbs
Cisco Employee

This was discussed in another forum and the response was:

"That won't stop you from being able to SSH to the box. The PAC is a shared credential for EAP-FAST used for TrustSec only. Switches download the PAC inline from ISE, not OOB (the FWs are the only devices that need to use the OOB method)."

The issues with SSH and the expired PAC are separate and unrelated. If telnet is not enabled on the switch, you will likely need to console into it to fix both issues.

18 Replies

balaji.bandi
Hall of Fame

It's 2.7.0.356 patch 2

@Greg Gibbs, I do not think it is entirely correct. I keep getting "PAC expired" on the SSH session and it does not let me log in.

Hi,
I got the same issue.
The PAC doesn't renew, and since we use RADIUS for login, we can't log in anymore. (Cat9300 switches with 17.03.04 and ISE 2.7.0.356 patch 6)

Hi Greg, I have the same issue but with a Cisco WLC 9800 with TrustSec enabled. I have no chance to log in from GUI/CLI/console after the PAC has expired. The only thing that helps is reloading the WLC. Then it is fine for 3 months. Do you have any idea what could help solve this issue?

regards

René

You do not have to reload the WLC. You can put an ACL on the data uplink ports to block WLC communication with ISE.
If you have a local user set up, it will allow you to log in.
Then remove the ACL from the interface and run the following on the WLC:

    clear cts environment-data
    cts refresh pac

On the switch that the WLC is connected to (replace IP_of_ISE_PSN with the PSN address, and xxx with the Port-Channel or whatever you have as uplink from the WLC to the switch):

    !
    ip access-list extended BLOCK-ISE
     deny udp any host IP_of_ISE_PSN eq 1812
     deny udp any host IP_of_ISE_PSN eq 1813
     permit ip any any
    !
    interface xxx
     ip access-group BLOCK-ISE in
    !

Many thanks, I'll try this when it happens next time. But I hope we will fix this problem before then; it should be renewed automatically before it expires.

It works with all switches; only the WLC98X is causing this issue.

Exactly the same here: all switches are fine, just a pair of WLCs experiencing this issue. I have a TAC case open for this and will let you know if we get to the bottom of it.

Ah, cool. I also have a TAC case open. I'll also inform you if I have any news.

uilian.silva
Level 1

Any update on here? I have the same issue.

craighowson
Level 1

Same for me. I was told by a Cisco engineer that the PAC should auto-renew, but this does not appear to be the case.

When the PAC expires, it shows in DNAC as "NCIM12007 CLI Authentication Failure", and when trying to SSH to the switch it gives an "access denied" and does not accept the password.

To resolve this, I have to physically visit the switch (not easy in a lot of cases for me) and console into it to run "cts refresh pac", which gives 12 weeks until the next expiration. After that I can SSH to the switch fine.

Does anyone know how to get the PAC to auto-renew?

craighowson
Level 1

Another update... I have 2 switches and both have expired PACs. One I could SSH to fine, the other I could not SSH onto at all.

After consoling onto the broken switch and issuing a "cts refresh pac" command, SSH works absolutely fine. The other switch I could still SSH onto, and I refreshed it using the same command.

I have looked through the running configs of both switches and cannot see any differences.

I'm at a loss now. Thinking of disabling AAA, which I don't really want to have to do.

I'm thinking about a workaround by configuring kron. It won't survive a reboot, but you can configure it again once the switch is up and running.
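Every workaround in this thread (the uplink ACL on the WLC, the console visit, the kron job) is applied after the PAC has already expired and RADIUS logins are failing. As an added example that is not from any poster here, the following Python script takes the text of "show cts pacs" collected from each device and flags PACs that are expired or within a configurable number of days of expiry, so "cts refresh pac" can be run while SSH still works. The "Credential Lifetime: HH:MM:SS UTC Mon D YYYY" line layout, the device names and the sample output are constructed assumptions; adjust LIFETIME_RE if your platform prints the lifetime differently.

```python
"""Flag expired or soon-to-expire TrustSec PACs from 'show cts pacs' output.

Added example for this thread: feed it the text of 'show cts pacs' collected
from each device with your existing SSH/console tooling, and it tells you
which devices need 'cts refresh pac' before the RADIUS login lockout hits.
"""
import re
from datetime import datetime, timezone

# Constructed sample output for three devices. The "Credential Lifetime" line
# follows the IOS-XE layout as assumed in the lead-in; it is not captured from
# a real device, so adjust LIFETIME_RE if yours differs.
SAMPLE_OUTPUTS = {
    "sw-access-01": (
        "AID: 1A2B3C4D5E6F00112233445566778899\n"
        "PAC-Info:\n"
        "  PAC-type = Cisco Trustsec\n"
        "  I-ID: sw-access-01\n"
        "  A-ID-Info: ise-psn-01\n"
        "  Credential Lifetime: 09:30:00 UTC Apr 2 2023\n"
        "PAC-Opaque: 000200B80003000100040010...\n"
        "Refresh timer is set for 9w2d\n"
    ),
    "wlc-9800-01": (
        "AID: 99887766554433221100FFEEDDCCBBAA\n"
        "PAC-Info:\n"
        "  Credential Lifetime: 11:00:00 UTC Jan 15 2023\n"
        "Refresh timer is set for 1w1d\n"
    ),
    # Constructed: a device that never downloaded a PAC at all.
    "sw-access-02": "No PACs found\n",
}

# Assumed line format: "Credential Lifetime: HH:MM:SS UTC Mon D YYYY".
LIFETIME_RE = re.compile(
    r"Credential Lifetime:\s+(\d{2}:\d{2}:\d{2})\s+UTC\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})"
)


def parse_lifetime(show_output):
    """Return the PAC expiry as an aware UTC datetime, or None if no lifetime line is found."""
    m = LIFETIME_RE.search(show_output)
    if not m:
        return None
    hhmmss, mon, day, year = m.groups()
    naive = datetime.strptime(f"{hhmmss} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
    return naive.replace(tzinfo=timezone.utc)


def classify_pacs(outputs, now, warn_days=14):
    """Map device -> (status, days_left).

    status is 'expired' (lifetime already passed), 'expiring' (within warn_days),
    'ok', or 'unknown' (no lifetime line, e.g. the PAC was never provisioned).
    days_left is rounded to one decimal and is negative once expired.
    """
    result = {}
    for device, text in outputs.items():
        expiry = parse_lifetime(text)
        if expiry is None:
            result[device] = ("unknown", None)
            continue
        days_left = (expiry - now).total_seconds() / 86400
        if days_left <= 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        result[device] = (status, round(days_left, 1))
    return result


def refresh_targets(statuses):
    """Devices on which 'cts refresh pac' should be run now, most urgent first.

    Expired devices come first (most negative days_left), then expiring ones.
    """
    urgent = [(dev, days) for dev, (status, days) in statuses.items()
              if status in ("expired", "expiring")]
    urgent.sort(key=lambda item: item[1])
    return [dev for dev, _ in urgent]


if __name__ == "__main__":
    now = datetime(2023, 3, 25, tzinfo=timezone.utc)  # constructed "current time"
    statuses = classify_pacs(SAMPLE_OUTPUTS, now)
    for device, (status, days) in statuses.items():
        print(f"{device:14} {status:9} {days}")
    print("refresh now:", refresh_targets(statuses))
```

Run it from a scheduled job with warn_days set comfortably inside the refresh window, and treat "unknown" as a finding too: a device with no PAC line will fail the same way once TrustSec device authentication is enforced.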