Cisco TrustSec Catalyst 3650

Hi:

I am attempting to follow the Cisco TrustSec Deployment guide (http://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Security/TrustSec_2-0/trustsec_2-0_dig.pdf).

So far things have been going well. I am at the point of adding in my Seed device. After completing the setup on ISE and then the switch itself (a Cisco Catalyst 3650) I note that the environment data doesn't appear to have been downloaded. However, the PAC file is successfully generated.

fos01-l3-01#show cts pacs
  AID: 43157A4E6832894FE4952D0A1F6167BB
  PAC-Info:
    PAC-type = Cisco Trustsec
    AID: 43157A4E6832894FE4952D0A1F6167BB
    I-ID: fos01-l3-01
    A-ID-Info: fos01-ise-01v
    Credential Lifetime: 11:00:43 PST Jan 22 2015
  PAC-Opaque: 000200B8000300010004001043157A4E6832894FE4952D0A1F6167BB0006009C00030100B3696FBA1F7ABE1DAB104CCB18E875850000001354483C8400093A80B5EF16086495444FD0BDB5A88AE9AA775DE1A1AC483A2770B0C5A22D00B2386EFA6BE4847D7CBF2A6FD3C4D623DCD624AB1916A9E3960E082A8897B45D894E9CFDAA6FA8BFF5CBB1E30D17CF985B2913BF6FB105EAE5103DA2E017FB35EA06887D45F99C7D27FC987AE25EF0358CF08CFB4F7D000AC3A42E87640BA1
  Refresh timer is set for 12w5d

fos01-l3-01#show cts environment-data
CTS Environment Data
====================
Current state = START
Last status = Failed
Environment data is empty
State Machine is running
Retry_timer (60 secs) is running

As you can see it says Last status = Failed. 

Enabling debug logging for cts outputs the following:

Oct 24 17:35:12.455: CTS env-data: Time to retry env data download
Oct 24 17:35:12.455:     cts_env_data START: during state env_data_start, got event 0(env_data_request)
Oct 24 17:35:12.455: @@@ cts_env_data START: env_data_start -> env_data_waiting_rsp
Oct 24 17:35:12.455: env_data_waiting_rsp_enter: state = WAITING_RESPONSE
Oct 24 17:35:12.455: cts_aaa_is_fragmented: (CTS env-data SM)NOT-FRAG attr_q(0)
Oct 24 17:35:12.455: env_data_request_action: state = WAITING_RESPONSE
Oct 24 17:35:12.455: cts_env_data_is_complete: FALSE, req(x0), rec(x0)
Oct 24 17:35:12.455: cts_env_data_is_complete: FALSE, req(x0), rec(x0), expect(x81), complete1(x85), complete2(xB5), complete3(x1485)
Oct 24 17:35:12.456: env_data_request_action: state = WAITING_RESPONSE, received = 0x0 request = 0x0
Oct 24 17:35:12.456: cts_env_data_aaa_req_setup : aaa_id = 4240
Oct 24 17:35:12.456: cts_aaa_req_setup: (CTS env-data SM)Private group appears DEAD, attempt public group
Oct 24 17:35:12.456: cts_aaa_req_setup: (CTS env-data SM)No public method list found
Oct 24 17:35:12.456: cts_aaa_req_setup: (CTS env-data SM)Failed to get AAA method list handle.
Oct 24 17:35:12.456:     cts_env_data WAITING_RESPONSE: during state env_data_waiting_rsp, got event 7(env_data_failed)
Oct 24 17:35:12.456: @@@ cts_env_data WAITING_RESPONSE: env_data_waiting_rsp -> env_data_start
Oct 24 17:35:12.456: env_data_start_enter: state = START
Oct 24 17:35:12.456: env_data_error_action: state = START
Oct 24 17:35:12.456: env_data_error_action: state = START, received = 0x0 request = 0x0

Within ISE itself it shows a successful authentication and PAC generation. However, the log messages there are as follows. Not sure if it is significant that it says Access-Reject status at the end.

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15012 Selected Access Service
11507 Extracted EAP-Response/Identity
12100 Prepared EAP-Request proposing EAP-FAST with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12102 Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12808 Prepared TLS ServerKeyExchange message
12810 Prepared TLS ServerDone message
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12131 EAP-FAST built anonymous tunnel for purpose of PAC provisioning
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12125 EAP-FAST inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15013 Selected Identity Source - Internal CTS Devices
24213 Found SGA Device in Network Devices and AAA Clients
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12128 EAP-FAST inner method finished successfully
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12126 EAP-FAST cryptobinding verification passed
12200 Approved EAP-FAST client Tunnel PAC request
15016 Selected Authorization Profile -
12173 Successfully finished EAP-FAST CTS PAC provisioning/update
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11401 Prepared RADIUS Access-Reject after the successful in-band PAC provisioning
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

Any insight would be appreciated.

Thanks

6 REPLIES
Hi Mattew,

I'm trying to integrate TrustSec as well, using Cisco ISE, on a 3560 switch as a seed device. I'm getting the exact same symptoms as you do - the ISE reports that the switch has successfully authenticated, but no environmental data has been downloaded.

I followed this guide for configuring the ISE and the switch.

Have you been able to resolve this issue?

Thank you very much.

I also have the same issue.

Has anyone found a solution yet?

Thanks

Check out my reply above and see if that helps.

Hi, my AAA Authorization network command is correct. Yet the problem persists. Has anyone found a solution for this?

Appreciate if anyone could shed some light here.

Thanks 

Can you post the output of "show run aaa"? I was having the same issue and it was the syntax of the "aaa authorization network" statement. I was incorrectly specifying the method list.

It should look like this:

aaa authorization network [radius-server-group] group radius 

I had it like this before and it wasn't working:

aaa authorization network cts group [radius-server-group]

Good luck,

Ryan

Re: Cisco TrustSec Catalyst 3650

My problem was I forgot the

cts authorization list <auth-list>

There was an aaa radius list to use, but I never told it to use it.
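An added Python check, not from the thread or from Cisco, that ties the "Failed to get AAA method list handle" debug signature in the original question to the two fixes given in the replies (a correctly formed `aaa authorization network` list and a `cts authorization list` that names it). It parses constructed `show run aaa` style lines and constructed debug lines; the regexes cover only the command forms quoted in this thread, and the sample names (ISE-GROUP, ise-list, ise01) are assumptions.

```python
import re

# Constructed "show run aaa" style lines (not the thread's real config): the
# cts list name does not match any defined "aaa authorization network" list.
SAMPLE_CONFIG = """
aaa new-model
aaa group server radius ISE-GROUP
 server name ise01
aaa authentication dot1x default group ISE-GROUP
aaa authorization network cts group ISE-GROUP
cts authorization list ise-list
""".strip().splitlines()

# Constructed debug lines modelled on the "debug cts" output in the question.
SAMPLE_DEBUG = [
    "Oct 24 17:35:12.456: cts_aaa_req_setup: (CTS env-data SM)No public method list found",
    "Oct 24 17:35:12.456: cts_aaa_req_setup: (CTS env-data SM)Failed to get AAA method list handle.",
]

AUTHZ_RE = re.compile(r"^\s*aaa authorization network (\S+) group (\S+)")
CTS_LIST_RE = re.compile(r"^\s*cts authorization list (\S+)")
SERVER_GROUP_RE = re.compile(r"^\s*aaa group server radius (\S+)")
AAA_SIGNATURES = ("No public method list found", "Failed to get AAA method list handle")

def check_cts_aaa(config_lines):
    """Return findings explaining why CTS env-data download has no usable AAA list."""
    authz, groups, cts_list = {}, set(), None   # authz: list name -> server group
    for line in config_lines:
        if m := AUTHZ_RE.match(line):
            authz[m.group(1)] = m.group(2)
        elif m := CTS_LIST_RE.match(line):
            cts_list = m.group(1)
        elif m := SERVER_GROUP_RE.match(line):
            groups.add(m.group(1))
    findings = []
    if cts_list is None:
        findings.append("missing 'cts authorization list <list>': CTS is never told which list to use")
    elif cts_list not in authz:
        findings.append(f"'cts authorization list {cts_list}' has no matching "
                        f"'aaa authorization network {cts_list} group ...' statement")
    for name, grp in authz.items():
        if grp != "radius" and grp not in groups:   # 'group radius' means all RADIUS servers
            findings.append(f"list {name} references undefined server group {grp}")
    return findings

def debug_points_at_aaa(debug_lines):
    """True when the debug output carries the AAA method-list failure seen in the question."""
    return any(sig in line for line in debug_lines for sig in AAA_SIGNATURES)
```

Running `check_cts_aaa(SAMPLE_CONFIG)` reports the mismatch between the list named by `cts authorization list` and the one defined by `aaa authorization network`; renaming the list so both match clears the finding.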