Issue CTS on SW2 (i86bi_linux_l2-ipbasek9-ms.high_iron_aug9_2017b.bin)


13 replies to this topic

#1 Oz001


Posted 07 May 2018 - 07:15 PM

Hi all,

I am facing a problem with CTS configuration.

I've configured both SW2 and ISE.

Switch side, IOL (i86bi_linux_l2-ipbasek9-ms.high_iron_aug9_2017b.bin): after launching the command "cts credentials id xxx pass xxx", I type "sho cts pacs" and get this: No PACs found in the key store.

ISE side, in the logs I have this error: 11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute
   5405 RADIUS Request dropped

Trying to figure out if it is a problem of IOS / ISE or a configuration issue of mine.

Does anyone have an idea about it?

Any help is kindly appreciated.

Thanks

Regards

Edited by Oz001, 07 May 2018 - 07:17 PM.


#2 tamanz77


Posted 08 May 2018 - 09:10 PM

Hello,

Did you generate the PAC file on ISE and import it to the ASA?
Only after that can you configure CTS on both the ASA and the switch.

#3 maxias


Posted 09 May 2018 - 08:57 AM

Oz001, on 07 May 2018 - 07:15 PM, said:

Hi all,

I am facing a problem with CTS configuration.

I've configured both SW2 and ISE.

Switch side, IOL (i86bi_linux_l2-ipbasek9-ms.high_iron_aug9_2017b.bin): after launching the command "cts credentials id xxx pass xxx", I type "sho cts pacs" and get this: No PACs found in the key store.

ISE side, in the logs I have this error: 11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute
   5405 RADIUS Request dropped

Trying to figure out if it is a problem of IOS / ISE or a configuration issue of mine.

Does anyone have an idea about it?

Any help is kindly appreciated.

Thanks

Regards

Hi,
do you have the "i86bi_linux_l2-ipbasek9-ms.high_iron_aug9_2017b.bin" image?

Please share the image. Thanks in advance.


#4 Oz001


Posted 22 May 2018 - 01:45 PM

Hi Tamanz77, could you please be more clear?

After I imported the PAC created on ISE onto the vASA, I configured SXP on the vASA and vSwitch as follows:


vASA

aaa-server ISE protocol radius
aaa-server ISE (mgmt) host 150.1.7.212
key *****
cts server-group ISE
cts sxp enable
cts sxp default password *****
cts sxp default source-ip 150.1.7.60
cts sxp connection peer 150.1.7.45 source 150.1.7.60 password default mode peer speaker


ASA3/admin# sh cts pac

  PAC-Info:
    Valid until: May 11 2028 21:52:10
    AID:         092241a970f8b469bba28c7baaa4437c
    I-ID:        ASA3
    A-ID-Info:   ISE
    PAC-type:    Cisco Trustsec
  PAC-Opaque:
    000200b00003000100040010092241a970f8b469bba28c7baaa4437c00060094000301
    00cdd823cd0fb080d6ac3e11e10768110d000000135af5f92100093a8071ca294ced19
    c3594e9c7f5d6fcfa5538eadfadbe4412bf97f877f42c42a22b4575e6afcd0314c26ae
    2b40eae3152ec2424616e462beb33f21814315de9527d72bc30d27c6c8865a3a17c59b
    5d22a2c973aecd356d20b7313850d3756aed022eae98da9bcb9ed527fb197f5d86f8b6
    60c59243ec


ASA3/admin# cts refresh environment-data
Environment data update in progress


ASA3/admin# sh cts  environment-data
CTS Environment Data
====================
Status:                    Not Present
Last download attempt:     Failed ----> Here is the problem !
Last update time:          None
Env-data refreshes in:     0:00:00:29 (dd:hr:mm:sec)
Retry timer (60 secs) is running



On Vswitch


cts sxp enable
cts sxp default source-ip 150.1.7.45
cts sxp default password xxxx
cts sxp connection peer 150.1.7.60 source 150.1.7.45 password default mode peer listener hold-time 0

Do we need at least a physical 3750E switch to do that?



Any idea?

Thanks

#5 Oz001


Posted 22 May 2018 - 02:31 PM

Hi Maxias,

The link for the image: [hidden content]



#6 blatz


Posted 23 May 2018 - 01:49 PM

I bought a 3750X POE to practice this :)


#7 Oz001


Posted 25 May 2018 - 02:02 PM

Hi, I've just got a physical switch for the lab, but now I have a problem establishing an SXP connection between the physical switch and the vASA.

Following are the logs; it is not much:

*Jan  2 00:47:27.177: %CTS-6-SXP_TIMER_STOP: Connection <0.0.0.0, 0.0.0.0> retry open timer stopped.
*Jan  2 00:47:27.177: %CTS-6-SXP_CONN_STATE_CHG: Connection <150.1.7.60, 150.1.7.47>-1 state changed from Off to Pending_On.
*Jan  2 00:47:27.177: %CTS-6-SXP_TIMER_START: Connection <0.0.0.0, 0.0.0.0> retry open timer started.

[cts sxp conn error]: sxp_eval_src_ip: Not a valid self ip addr [150.1.7.60] is the ip of ASA

It is moving from Pending to OFF.

Is a physical ASA necessary, or does it also work with a vASA? In that case, which conf do you adopt for SXP?



OK, it was my silly mistake: I was using the DHCP mgmt pool IP instead of the physical IP. Changed it, now it works ^^

ASA3/admin# sh cts  environment-data
CTS Environment Data
====================
Status:                    Active
Last download attempt:     Successful
Environment Data Lifetime: 86400 secs
Last update time:          18:56:24 UTC May 15 2018
Env-data expires in:       0:23:59:23 (dd:hr:mm:sec)
Env-data refreshes in:     0:23:49:23 (dd:hr:mm:sec)

Thanks

Regards

Edited by Oz001, 25 May 2018 - 02:39 PM.
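
A small health check, added here as an example and not code from any post in this thread, that parses constructed copies of the "show cts environment-data", "show cts pac" and "cts sxp" output quoted above and reports the three failure modes the thread hits: no PAC in the key store (which ISE reports as 11302 and drops as 5405), environment data not downloaded, and an SXP source-ip that is not a local interface address (the "Not a valid self ip addr" error from the switch). The sample outputs, the local interface address 150.1.7.47 and the assumption that the PAC I-ID should equal the device's "cts credentials id" identity are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed samples modelled on the output quoted in this thread; not live captures.
ENV_DATA_FAILED = """\
CTS Environment Data
====================
Status:                    Not Present
Last download attempt:     Failed
Last update time:          None
Env-data refreshes in:     0:00:00:29 (dd:hr:mm:sec)
Retry timer (60 secs) is running
"""

ENV_DATA_OK = """\
CTS Environment Data
====================
Status:                    Active
Last download attempt:     Successful
Environment Data Lifetime: 86400 secs
Last update time:          18:56:24 UTC May 15 2018
Env-data expires in:       0:23:59:23 (dd:hr:mm:sec)
"""

PAC_OK = """\
  PAC-Info:
    Valid until: May 11 2028 21:52:10
    AID:         092241a970f8b469bba28c7baaa4437c
    I-ID:        ASA3
    A-ID-Info:   ISE
    PAC-type:    Cisco Trustsec
  PAC-Opaque:
    000200b00003000100040010092241a970f8b469bba28c7baaa4437c00060094000301
"""

PAC_MISSING = "No PACs found in the key store.\n"

# Constructed SXP config: the first uses a source address that is not configured on
# any local interface (the mistake described in post #7); the second is corrected.
LOCAL_IPS = {"150.1.7.47"}  # assumed interface addresses of the switch (constructed)
SXP_CONFIG_BAD = """\
cts sxp enable
cts sxp default source-ip 150.1.7.45
cts sxp connection peer 150.1.7.60 source 150.1.7.45 password default mode peer listener
"""
SXP_CONFIG_OK = SXP_CONFIG_BAD.replace("150.1.7.45", "150.1.7.47")

_KV = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?):\s*(.*?)\s*$")
_IOS_TIME = "%b %d %Y %H:%M:%S"  # format of the 'Valid until' line

def parse_fields(text):
    """Collect 'Key: value' lines from show output; banner, hex and empty-value lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields

def env_data_healthy(text):
    """True when environment data was downloaded from ISE and is currently active."""
    f = parse_fields(text)
    return f.get("Status") == "Active" and f.get("Last download attempt") == "Successful"

def pac_problems(text, expected_iid, now):
    """Reasons the PAC cannot be used for secure RADIUS; an empty list means it looks usable.
    'now' is a timestamp in the format IOS prints ('May 25 2018 14:00:00').
    Assumption: the PAC I-ID should equal the identity given with 'cts credentials id'."""
    f = parse_fields(text)
    if "I-ID" not in f:
        # No PAC in the key store: the RADIUS request carries no cts-pac-opaque
        # attribute, which ISE logs as 11302 and then drops (5405).
        return ["no PAC in key store; ISE will log 11302 and drop the request"]
    problems = []
    if f["I-ID"] != expected_iid:
        problems.append(f"PAC I-ID {f['I-ID']} does not match device identity {expected_iid}")
    if datetime.strptime(f["Valid until"], _IOS_TIME) <= datetime.strptime(now, _IOS_TIME):
        problems.append("PAC expired on " + f["Valid until"])
    return problems

_SXP_SRC = re.compile(r"^cts sxp (?:default source-ip|connection peer \S+ source) (\S+)", re.M)

def sxp_source_ip_problems(config_text, local_ips):
    """Source addresses in 'cts sxp' lines that this device does not own. Such a line
    produces the 'sxp_eval_src_ip: Not a valid self ip addr' error and the connection
    never leaves Pending_On."""
    return [f"SXP source-ip {ip} is not a local interface address"
            for ip in _SXP_SRC.findall(config_text) if ip not in local_ips]

def diagnose(env_text, pac_text, config_text, expected_iid, local_ips, now):
    """Run the three checks and return a list of findings (empty means healthy)."""
    findings = pac_problems(pac_text, expected_iid, now)
    if not env_data_healthy(env_text):
        findings.append("environment data not downloaded; check PAC and ISE device entry")
    findings += sxp_source_ip_problems(config_text, local_ips)
    return findings

if __name__ == "__main__":
    for name, env, pac, cfg in [("before", ENV_DATA_FAILED, PAC_MISSING, SXP_CONFIG_BAD),
                                ("after", ENV_DATA_OK, PAC_OK, SXP_CONFIG_OK)]:
        print(name, diagnose(env, pac, cfg, "ASA3", LOCAL_IPS, "May 25 2018 14:00:00") or ["OK"])
```

On a real device you would paste the output of the two show commands and the "cts sxp" lines of the running config into the three text arguments, and pass the addresses of the device's own interfaces as local_ips; the findings list then names the layer (PAC, environment data, SXP) to look at first.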


#8 mis90


Posted 25 May 2018 - 02:12 PM

Hi Guys,

Can you share the images themselves in the Shares section? Thanks

#9 Sahil777khan123


Posted 04 June 2018 - 08:16 AM

Guys, I know how to solve this issue. If anyone still has this issue, let me know.

#10 salemmya


Posted 01 July 2018 - 07:02 AM

Sahil777khan123, on 04 June 2018 - 08:16 AM, said:

Guys, I know how to solve this issue. If anyone still has this issue, let me know.

Hi,
I'm facing the same issue with a vASA and a physical 3750 switch, and with a 3850 3.06.
Can you share your solution?
11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute

Thanks

Edited by salemmya, 01 July 2018 - 07:03 AM.


#11 Sahil777khan123


Posted 01 July 2018 - 07:52 AM

salemmya, on 01 July 2018 - 07:02 AM, said:

Hi,
I'm facing the same issue with a vASA and a physical 3750 switch, and with a 3850 3.06.
Can you share your solution?
11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute

Thanks

1. clear cts credentials
2. radius server (name)
   pac key (name) instead of server key
Wait for some time; it will work.

Don't forget to add this command:

cts authorize list (name of radius server)

Edited by Sahil777khan123, 01 July 2018 - 07:57 AM.


#12 salemmya


Posted 02 July 2018 - 08:12 AM

Sahil777khan123, on 01 July 2018 - 07:52 AM, said:

1. clear cts credentials
2. radius server (name)
   pac key (name) instead of server key
Wait for some time; it will work.

Don't forget to add this command:

cts authorize list (name of radius server)

Thanks, I'll give it a try.

#13 DDOS


Posted 03 September 2018 - 05:10 PM

salemmya, on 02 July 2018 - 08:12 AM, said:

Thanks, I'll give it a try.

I face the same issue. Did anyone find a solution?

#14 gabru


Posted 06 September 2018 - 03:23 AM

Sahil777khan123, on 01 July 2018 - 07:52 AM, said:

1. clear cts credentials
2. radius server (name)
   pac key (name) instead of server key
Wait for some time; it will work.

Don't forget to add this command:

cts authorize list (name of radius server)

I have been struggling to configure it for the past few days with no success. ISE is dropping the RADIUS request packets due to missing credentials (error: 11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute). I have supplied cts credentials many times over and still no go.

Can anyone please throw me a bone and share how they got it working?

Thanks,

