
Trustsec and cts critical-authentication on wired dot1x

Hi,

I'm deploying wired dot1x with TrustSec and I was wondering what would happen if ISE wasn't available.

I did some research and I found out that the solution was critical authentication but the guide is not completely clear.

Here is the example.

Device> enable
Device# configure terminal
Device(config)# radius-server dead-criteria time 15 tries 3
Device(config)# radius-server deadtime 10
Device(config)# radius server RASERV-1
Device(config-radius-server)# address ipv4 172.20.254.4 auth-port 1812 acct-port 1813
Device(config-radius-server)# automate-tester username dummy
Device(config-radius-server)# pac key 7 mypackey
Device(config-radius-server)# exit
Device(config)# radius server RASERV-2
Device(config-radius-server)# address ipv4 172.20.254.8 auth-port 1645 acct-port 1646
Device(config-radius-server)# automate-tester username dummy
Device(config-radius-server)# pac key 7 mypackey
Device(config-radius-server)# exit
Device(config)# cts dot1x-server-timeout 30
Device(config)# cts dot1x-supp-timeout 30
Device(config)# cts server test all idle-time 3
Device(config)# cts critical-authentication default peer-sgt 5
Device(config)# cts critical-authentication
Device(config)# cts critical-authentication default pmk password123
Device(config)# cts cache nv-storage bootdisk:cache
Device(config)# cts critical-authentication fallback cached
Device(config)# exit

Here are my questions:

1) Why would we need a PMK password if ISE is down?

2) We set a default SGT, but what is its meaning, and how and where is it used?

3) Why do we need a test user to check the availability of ISE if we have default timers?

 

Thanks 

 

Michele

 

Accepted Solutions
Cisco Employee

Re: Trustsec and cts critical-authentication on wired dot1x

Most of the info is at Critical Authentication Overview

A more recent recommendation is not to use automate-tester with CTS.


Re: Trustsec and cts critical-authentication on wired dot1x

Thanks for the reply, but I wrote this thread after reading your documentation and it's not clear.

Also, why should I need automate tester?