Solved: Re: Renewing Trustsec PAC on ISE - Page 2

RahmaSallm · ‎05-17-2022

Anyone know how to renew an expired trustsec PAC on ISE? I'm asking this because we can't SSH into our switches any more. W keep getting "expired PAC" when trying to log in. When we check ISE, we see that the PAC expired for quite a while ago. Check the attached images.

I can't find a document on how to renew it. Only configuration

JamesW_au · ‎06-13-2023

I raised a case about this in 2021 and despite "fixing" it at the time still have it happen across most of our fleet. In case this is easier for some people than visiting the switch with a console cable, if you have HTTPS to the switch configured with a local user you can use that to run the required CLI (Administration -> CLI -> "cts refresh pac" / "show cts pacs".

Thomas Obbekaer Thomsen · ‎08-04-2023

But what was the root cause ? Why does the device not renew the PAC automatically ?

Is there a BugID for this ?

Thanks
Thomas

woocash_m · ‎12-11-2023

Hi,

So we got to the bottom of this with TAC.

The issue is due to authentication events for WLC user in ISE not logged in the prrt-server.log.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwi41440

woocash_m · ‎08-30-2023

There is a second topic for the same issue

https://community.cisco.com/t5/network-access-control/unable-to-log-into-wlc/td-p/4668655

This seems to renew correctly on the 1st automated attempt and fails on the second.