Showing results for 
Search instead for 
Did you mean: 

SDA trustsec config is not pushed by DNA



I am deploying software-defined access for a customer and i have trouble with the trustsec configuration.

The issue is that the DNA center did not push cts configuration to fabric switches. As a result there are a ton of "CTSREQUEST failed" radius logs in ISE, and we won't be able to push segmentation policies.


Maybe someone can clarify whether the cts configuration is supposed to be pushed by the DNA center or if we are supposed to do it manually ?

If the DNA center is supposed to do it, at which stage does it do so (discovery, provisioning, add to fabric )?


Thank you in advance,

Best regards.

Everyone's tags (4)
Rising star

Re: SDA trustsec config is not pushed by DNA

I have CTS deployed inside of my SDA fabric. DNAC should deploy most of your CTS configuration to your underlay devices. For example, based on how you setup dnac it should deploy things such as AAA statements, radius servers, CTS enforcement, etc. You have the option to configure your group based access control in DNAC and/or ISE. I personally like doing most of the CTS stuff in ISE. If you attempt to add SGTs in DNAC it will just open up your ISE tab.

As for your issue, CTSREQUEST failed, I have seen this before. Can you please ensure that you properly have your pxgrid connection setup between ISE & DNAC. Also, ensure that your underlay devices can reach ISE. Did you manually add your devices in ISE? DNAC should automatically populate the devices and populate your trustsec setup. Can you share the ISE log? You could have a dynamic author issue too.

Re: SDA trustsec config is not pushed by DNA

There are two steps:

1. When you assign devices to Site in DNAC, the network devices are populated into ISE

2. When you provision devices in DNAC, switches will receive all the respective AAA / radius config


Example config for step2:

!exec: enable
ip tacacs source-interface Loopback0
ip radius source-interface Loopback0
aaa new-model
ip http server
ip http authentication local
ip http max-connections 16
ip http secure-server
ip access-list extended ACL_WEBAUTH_REDIRECT
 30 permit tcp any any eq www
 40 permit tcp any any eq 443
 50 permit tcp any any eq 8443
 20 deny ip any host
 60 deny udp any any eq domain
 70 deny udp any eq bootpc  any eq bootps
aaa session-id common
aaa group server radius dnac-client-radius-group
 server name dnac-radius_10.168.124.5
 ip radius source-interface Loopback 0
aaa group server radius dnac-network-radius-group
 server name dnac-radius_10.168.124.5
 ip radius source-interface Loopback 0
aaa accounting identity default start-stop group dnac-client-radius-group
aaa accounting update newinfo periodic 2880
aaa accounting exec default start-stop group dnac-network-radius-group
aaa authorization network dnac-cts-list group dnac-client-radius-group
aaa authorization network default group dnac-client-radius-group
aaa authorization exec default local
aaa authorization exec VTY_author group dnac-network-radius-group local if-authenticated
aaa authentication login default local
aaa authentication dot1x default group dnac-client-radius-group
aaa authentication login VTY_authen group dnac-network-radius-group local
dot1x system-auth-control
radius server dnac-radius_10.168.124.5
 address ipv4 auth-port 1812 acct-port 1813
 pac key XXX
 retransmit 1
 timeout 2
radius-server vsa send authentication
radius-server vsa send accounting
radius-server dead-criteria time 5 tries 3
radius-server deadtime 3
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server attribute 25 access-request include
radius-server attribute 8 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
cts authorization list dnac-cts-list
line vty 0 15
 login authentication VTY_authen
 authorization exec VTY_author
 transport input all
aaa server radius dynamic-author
 client server-key XXX
 client server-key XXX
ip domain-lookup
ip name-server
ip domain name tmelab.local
service password-encryption
banner motd #Welcome to SDA TME Lab#
!exec: enable


Can you please post the output of "sh cts pacs", "sh run aaa" from Fabric Edge switch?


When you add devices to the fabric, and host onboarding, we push more config like cts role-based enforcement, cts role-based enforcement vlan-list 1021

Cisco Employee

Re: SDA trustsec config is not pushed by DNA

Hello Tom,


Can you clarify what you meant by trustsec configs? Is it the CTS environment data or SGACL? If its related to CTS Environment data, then may be you hitting this bug..

I am not aware of a fix for this and i know its WIP AFAIK.. 



Mahesh N

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards