12-30-2022 05:05 AM - edited 12-30-2022 05:49 AM
Hello,
I've recently configured and deployed two new, out-of-the-box Cisco Catalyst C9300 access switches. After connecting the devices to the existing infrastructure, users were able to authenticate via dot1x. They were hitting the right policy. Appropriate profile (VLAN assignment) and security policy were assigned to the authenticated device. However, I was unable to create CTS credentials on the new devices. I received the following error:
xxx-xxx-03(config)#cts credentials id xxx-xxx-03 pass
xxx-xxx-03(config)#$xxxx-SWA1-03 password xxxxxxxx
Unable to insert secret into keystore.
Dec 28 10:06:29.085 MEZ: %KEYSTORE-3-NO_KEYSTORE: CTS hardware keystore is not responsive and software emulation is not enabled.
My question is: can CTS work properly without these credentials if I create dedicated CTS user with privilege level 15?
Thank you in advance!
12-30-2022 08:19 AM - edited 12-30-2022 08:20 AM
Do you have AAA configuration on the device? Post show run and show version.
Check the CTS deployment guide:
02-28-2023 02:47 AM - edited 02-28-2023 02:49 AM
Hello Balaji
For me this output appears on the C9300L (17.3.5) with just the "show cts" command issued and CTS not configured on the device. Shouldn't all C9300 series support H/W CTS keystore? I cannot google anything on it.