I am trying to configure Trustsec for SGT propagation on a Catalyst 9300-48UXM on v16.12.3a. I will paste my config and output below. I can't get the PAC downloaded because it appears that the switch doesn't know about the ISE server. But I can't figure out what I'm doing wrong. This new switch is also a part of a new design which extends L3 to the access.
Output below: Server doesn't show up in 'show cts server-list', but does show up in 'show cts provisioning'
nzy1swidf01#show cts server-list
CTS Server Radius Load Balance = DISABLED
Server Group Deadtime = 20 secs (default)
Global Server Liveness Automated Test Deadtime = 20 secs
Global Server Liveness Automated Test Idle Time = 60 mins
Global Server Liveness Automated Test = ENABLED (default)
nzy1swidf01#show cts pro
nzy1swidf01#show cts provisioning
A-ID: Unknown
Server x.x.x.x, using shared secret
Req-ID 3a1b000d: callback func 0x7f5b61ea1a70, context 0x3f000005
nzy1swidf01#
!enable mode
cts credentials id <deviceid> password <password>
!
conf t
aaa group server radius ISE_RADIUS
server name ISE_PSN_VS
ip radius source-interface Loopback1
!
authentication logging verbose
aaa authentication dot1x default group ISE_RADIUS
aaa authorization network cts-list group ISE_RADIUS
aaa accounting dot1x default start-stop group ISE_RADIUS
cts authorization list cts-list
radius-server vsa send authentication
dot1x system-auth-control
!
radius server ISE_PSN_VS
address ipv4 x.x.x.x auth-port 1812 acct-port 1813
pac key <key>