04-23-2024 01:28 AM
Hi All,
I am newly building TrustSec in my environment, trying to add one of the switches under TrustSec. Have configured TrustSec settings and COA on the ISE for the switch and added the appropriate aaa commands, radius servers and cts commands. But still the switch couldn't download the PAC and environment data from ISE.
show cts pacs
No PACs found in the key store.
show cts environment-data
CTS Environment Data
====================
Current state = WAITING_RESPONSE
Last status = In Progress
Environment data is empty
State Machine is running
Retry_timer (60 secs) is running..
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network TRUSTSEC group radius
aaa accounting identity default start-stop group radius
radius server xxxx
address ipv4 xx.xx.xx.xx auth-port 1812 acct-port 1813
pac key 7 12483612111E1E011A2A717D24653017
dynamic author is added too.
04-23-2024 01:37 AM
@titusroz03 have you configured cts authorization <methodlistname> list cts command?
aaa authorization network CTS group ISE_RADIUS
cts authorization list CTS
Here is a working example
04-23-2024 03:43 AM - edited 04-23-2024 03:55 AM
Yes. It is configured already.
aaa authorization network TRUSTSEC group ISE_RADIUS
cts authorization list TRUSTSEC
And I could also authenticate from the switch to ISE through radius. So radius connectivity is fine.
04-23-2024 03:58 AM
@titusroz03 the message states WAITING_RESPONSE (from ISE). Is ISE configured correctly? Does ISE receive the request from the NAD? Is the RADIUS request from the correct IP that is configured in ISE for that NAD?
04-23-2024 05:47 AM - edited 04-23-2024 05:47 AM
Which version of ISE are you using? Please note that TLS 1.0 must be enabled before the PAC keys can be exchanged, so if you're using ISE 3.1 you need to go and enable TLS 1.0 manually because it's disabled by default. Alternatively, you can switch to HTTPS with REST API, which uses TLS 1.1, but that requires a few configuration steps before it can work correctly. Also, did you configure the TrustSec settings on the switch in network devices in ISE?
04-23-2024 06:48 AM - edited 04-23-2024 06:49 AM
@Aref Alsouqi Yes. TLS 1.0 and 1.1 are both enabled on ISE. And for the network device I have configured the advanced TrustSec configs - Device authentication settings, COA & credentials for config deployment.
The same device ID and password are configured in the switch as cts credentials, and the password is configured as the PAC key under the radius server and dynamic auth server.
04-23-2024 07:55 AM
Thanks for confirming that. Could you please verify the cts credentials on the switch with the command "show cts credentials" to ensure they are correct? Also, could you please issue the command "cts refresh envi" and see if that fixes the issue? If not, could you please enable the following debug commands and share the output for review?
deb cts provision events
deb cts provision packet
deb cts environment-data all
04-23-2024 09:23 PM
PFB the output for credentials:
#show cts credentials
CTS password is defined in keystore, device-id = DOT1XTEST-SW01
Tried the environment refresh as well. Still no luck.
PFB debug output:
HK-DOT1XTEST-SW01#
*Apr 24 04:36:38.942: CTS env-data: Force environment-data refresh bitmask 0x2
*Apr 24 04:36:38.942: CTS env-data: download transport-type = CTS_TRANSPORT_IP_UDP
*Apr 24 04:36:38.942: cts_env_data WAITING_RESPONSE: during state env_data_waiting_rsp, got event 0(env_data_request)
*Apr 24 04:36:38.942: @@@ cts_env_data WAITING_RESPONSE: env_data_waiting_rsp -> env_data_waiting_rsp
*Apr 24 04:36:38.942: CTS-provisioning: PAC not found in keystore : aidlen = 0, rc = 6
*Apr 24 04:36:38.942: PAC not found on the device, triggering PAC provisioning for configured servers. Env-data download wiil be retried after 60 seconds
The above debug logs get repeated every 60 secs.
04-24-2024 03:03 AM
What logs do you see in ISE RADIUS Live Logs coming from the switch?
04-24-2024 09:24 PM
I am not seeing any logs from the switch.
04-25-2024 01:48 AM - edited 04-25-2024 01:49 AM
Please share the entire configs of the switch and ISE TrustSec configs for review.
04-29-2024 12:23 AM
Debug CTS:
*Apr 29 07:23:06.111: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: commsuk] [Source: 10.200.127.44] [localport: 22] at 07:23:06 UTC Mon Apr 29 2024
*Apr 29 07:24:35.649: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration using a type 7 password. However, recommended to migrate to strong type-6 encryption
*Apr 29 07:24:39.027: CTS-provisioning: PAC not found in keystore : aidlen = 0, rc = 6
*Apr 29 07:25:12.220: Request for pac provisioning is already in progress.Calling pac provisioning stop
*Apr 29 07:25:12.220: Request successfully sent to PAC Provisioning driver.
*Apr 29 07:25:39.028: CTS-provisioning: PAC not found in keystore : aidlen = 0, rc = 6
*Apr 29 07:26:17.609: %SYS-5-CONFIG_I: Configured from console by commsuk on vty0 (10.200.127.44)
*Apr 29 07:26:39.028: CTS-provisioning: PAC not found in keystore : aidlen = 0, rc = 6
*Apr 29 07:26:51.284: %SYS-5-CONFIG_I: Configured from console by commsuk on vty0 (10.200.127.44)
Config in switch
aaa group server radius ISE-GROUP-RADIUS
server name ISE_US01
server name ISE_US02
server name ISE_UK01
server name ISE_UK02
ip radius source-interface Vlan900
aaa authentication login console local
aaa authentication login vty local
aaa authentication dot1x default group ISE-GROUP-RADIUS
aaa authorization network default group ISE-GROUP-RADIUS
aaa authorization network TRUSTSEC group ISE-GROUP-RADIUS
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group ISE-GROUP-RADIUS
aaa server radius dynamic-author
client 10.100.1.163 server-key
client 10.100.1.164 server-key
cts authorization list TRUSTSEC
cts credentials id HK-DOT1XTEST-SW01 password
dot1x system-auth-control
dot1x critical eapol block
ip radius source-interface Vlan900
radius server ISE_US01
address ipv4 10.100.1.163 auth-port 1812 acct-port 1813
timeout 2
retransmit 3
pac key
!
radius server ISE_US02
address ipv4 10.100.1.164 auth-port 1812 acct-port 1813
key
!
radius server ISE_UK01
address ipv4 10.1.80.164 auth-port 1812 acct-port 1813
key
04-29-2024 04:08 AM
There was a mismatch with the device ID, which is fixed now. I am able to download the PAC.
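As an added example (not from the thread, and not Cisco's own tooling), a small pre-check that catches the conditions discussed above before PAC provisioning is attempted: the keystore device-id from "show cts credentials" versus the ISE network-device TrustSec device ID, the cts authorization list versus its aaa method list, a missing "pac key" under a radius server, and a radius server absent from the dynamic-author CoA clients. The switch config, the "show cts credentials" line and the ISE device ID are constructed sample values modelled on the thread; keys are placeholders.

```python
import re

# Constructed sample input: the keystore device-id lacks the "HK-" prefix that the
# (assumed) ISE network-device TrustSec Device ID carries, as in the thread.
SHOW_CTS_CREDENTIALS = "CTS password is defined in keystore, device-id = DOT1XTEST-SW01"
ISE_NAD_DEVICE_ID = "HK-DOT1XTEST-SW01"  # assumed value from the ISE NAD TrustSec settings
SWITCH_CONFIG = """\
aaa authorization network TRUSTSEC group ISE-GROUP-RADIUS
aaa server radius dynamic-author
 client 10.100.1.163 server-key 7 PLACEHOLDER
cts authorization list TRUSTSEC
radius server ISE_US01
 address ipv4 10.100.1.163 auth-port 1812 acct-port 1813
 pac key 7 PLACEHOLDER
radius server ISE_US02
 address ipv4 10.100.1.164 auth-port 1812 acct-port 1813
 key 7 PLACEHOLDER
"""


def check_trustsec(config, show_creds, ise_device_id):
    """Return findings that would block PAC / environment-data download."""
    findings = []
    # 1. Device ID in the switch keystore must equal the ISE NAD device ID.
    m = re.search(r"device-id = (\S+)", show_creds)
    dev_id = m.group(1) if m else None
    if dev_id != ise_device_id:
        findings.append(f"device-id mismatch: switch={dev_id} ise={ise_device_id}")
    # 2. 'cts authorization list X' must reference an existing aaa network list X.
    cts_list = re.search(r"^cts authorization list (\S+)", config, re.M)
    aaa_lists = set(re.findall(r"^aaa authorization network (\S+) group", config, re.M))
    if not cts_list or cts_list.group(1) not in aaa_lists:
        findings.append("cts authorization list does not match an aaa authorization network list")
    # 3./4. Each radius server block needs a 'pac key' and a matching CoA client.
    coa_clients = set(re.findall(r"^ client (\S+) server-key", config, re.M))
    for block in re.split(r"^radius server ", config, flags=re.M)[1:]:
        name = block.split("\n", 1)[0].strip()
        addr = re.search(r"address ipv4 (\S+)", block)
        if not re.search(r"^ pac key", block, re.M):
            findings.append(f"{name}: no 'pac key', PAC cannot be provisioned from this server")
        if addr and addr.group(1) not in coa_clients:
            findings.append(f"{name}: {addr.group(1)} missing from dynamic-author clients (CoA)")
    return findings


if __name__ == "__main__":
    for f in check_trustsec(SWITCH_CONFIG, SHOW_CTS_CREDENTIALS, ISE_NAD_DEVICE_ID):
        print("FINDING:", f)
```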