Josh Morris
Level 3

I am trying to configure TrustSec for SGT propagation on a Catalyst 9300-48UXM on v16.12.3a. I will paste my config and output below. I can't get the PAC downloaded because it appears that the switch doesn't know about the ISE server, but I can't figure out what I'm doing wrong. This new switch is also part of a new design which extends L3 to the access.

 

Output below: Server doesn't show up in 'show cts server-list', but does show up in 'show cts provisioning'

 

nzy1swidf01#show cts server-list
CTS Server Radius Load Balance = DISABLED
Server Group Deadtime = 20 secs (default)
Global Server Liveness Automated Test Deadtime = 20 secs
Global Server Liveness Automated Test Idle Time = 60 mins
Global Server Liveness Automated Test = ENABLED (default)

nzy1swidf01#show cts pro
nzy1swidf01#show cts provisioning
A-ID: Unknown
Server x.x.x.x, using shared secret
Req-ID 3a1b000d: callback func 0x7f5b61ea1a70, context 0x3f000005

nzy1swidf01#

 

!enable mode
cts credentials id <deviceid> password <password>
!
conf t
aaa group server radius ISE_RADIUS
 server name ISE_PSN_VS
 ip radius source-interface Loopback1
!
authentication logging verbose
aaa authentication dot1x default group ISE_RADIUS
aaa authorization network cts-list group ISE_RADIUS
aaa accounting dot1x default start-stop group ISE_RADIUS
cts authorization list cts-list
radius-server vsa send authentication
dot1x system-auth-control
!
radius server ISE_PSN_VS
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 pac key <key>
Comments
Josh Morris
Level 3

I figured it out. I had the ip radius source-interface command listed under the radius server group. This was necessary in order for the endpoints to successfully auth. But CTS was still trying to use a different interface, so I had to also specify the global ip radius source-interface command. 
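As an added illustration (not from the thread or from Cisco), the following script audits an IOS-XE config text for the exact condition the reply above describes: `ip radius source-interface` present only inside an `aaa group server radius` block while `cts authorization list` is configured and no global `ip radius source-interface` exists. The embedded config is a constructed copy of the one posted above with placeholder address and key; the parser and the finding text are this example's own and not a Cisco tool.

```python
"""Audit a Cisco IOS-XE config for a RADIUS source-interface that is set only
under the server group while CTS (TrustSec) authorization is enabled.

Added example, not from the thread. The sample config is a constructed variant
of the original poster's config with placeholder values.
"""

# Constructed sample: the poster's config before the fix (placeholders used).
CONFIG_BEFORE_FIX = """\
aaa group server radius ISE_RADIUS
 server name ISE_PSN_VS
 ip radius source-interface Loopback1
!
aaa authentication dot1x default group ISE_RADIUS
aaa authorization network cts-list group ISE_RADIUS
aaa accounting dot1x default start-stop group ISE_RADIUS
cts authorization list cts-list
radius-server vsa send authentication
dot1x system-auth-control
!
radius server ISE_PSN_VS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 pac key PLACEHOLDER_PAC_KEY
"""

# Constructed sample: the same config with the global command the poster added.
CONFIG_AFTER_FIX = CONFIG_BEFORE_FIX + "ip radius source-interface Loopback1\n"


def parse_ios_config(text):
    """Split IOS-style config into (parent, [children]) sections.

    Unindented lines are top-level (global) commands; lines indented with a
    space belong to the most recent top-level line. Blank lines and '!' are
    separators and are skipped.
    """
    sections = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(stripped)
        else:
            sections.append((stripped, []))
    return sections


def audit_radius_source_interface(text):
    """Return a list of finding strings; an empty list means nothing was flagged.

    Flags the case where CTS authorization is configured, at least one RADIUS
    server group carries its own 'ip radius source-interface', and there is no
    global 'ip radius source-interface' for CTS to use.
    """
    sections = parse_ios_config(text)
    cts_enabled = any(p.startswith("cts authorization list") for p, _ in sections)
    global_src = [p.split()[-1] for p, _ in sections
                  if p.startswith("ip radius source-interface")]

    # Map group name -> source interface configured inside that group.
    group_src = {}
    for parent, children in sections:
        if parent.startswith("aaa group server radius"):
            for child in children:
                if child.startswith("ip radius source-interface"):
                    group_src[parent.split()[-1]] = child.split()[-1]

    findings = []
    if cts_enabled and group_src and not global_src:
        for group, intf in group_src.items():
            findings.append(
                f"group {group} sources RADIUS from {intf} but no global "
                f"'ip radius source-interface' is set; CTS PAC provisioning "
                f"may source from a different interface"
            )
    # Also flag a global interface that disagrees with a group interface.
    for group, intf in group_src.items():
        for g in global_src:
            if g != intf:
                findings.append(
                    f"group {group} uses {intf} while global source-interface is {g}"
                )
    return findings


if __name__ == "__main__":
    for label, cfg in (("before fix", CONFIG_BEFORE_FIX), ("after fix", CONFIG_AFTER_FIX)):
        print(label, "->", audit_radius_source_interface(cfg) or "OK")
```

Run it against `show running-config` output saved to a file by reading the file into `audit_radius_source_interface`; the parser only understands one level of indentation, which is enough for `aaa group server radius` and `radius server` blocks.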

Roberto.Carmona
Level 1

Thanks @Josh Morris, good to know as I'm about to start a PoC for TrustSec and will use this same switch model.
