In this tidbit I want to cover some high-level notes on general TrustSec items as well as some good-to-knows. A brief overview of what TrustSec is: TrustSec provides scalable access controls by classifying data traffic according to the role of its source (the Security Group Tag, or SGT) rather than by IP address.
Understanding SGT Transport Mechanisms:
Inline tagging (data plane): used when the device supports SGT in its ASIC, so the tag travels in the frame itself
SXP (control plane): IP-to-SGT bindings are shared over TCP between devices, which is how devices without SGT-capable hardware learn the tags
Multiple options exist for SGT transport over a non-CTS L3 network:
By default you can go from SXP to inline tagging (a device that learns an IP/SGT binding via SXP can apply it inline on an SGT-capable link)
To go from inline tagging to SXP (take the tag off the wire and re-advertise it as an IP/SGT binding) you must use SGT caching
SGT can be carried inband with:
VXLAN
DMVPN
GETVPN
Note that IP/SGT bindings are carried out of band by SXP, not in the packet.
Example of IOS SXP Configuration:
3750:
cts sxp enable
cts sxp connection peer x.x.x.x source x.x.x.x password default mode local
6K:
cts sxp enable
cts sxp default password cisco123
3K:
cts sxp connection peer x.x.x.x source x.x.x.x password default mode local listener hold-time 0 0
WLC:
cts sxp connection peer x.x.x.x source x.x.x.x password default local listener hold-time 0 0
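The page shows one side of each SXP connection. The following is an added example (not from the original post) of a complete speaker/listener pair on IOS: an SGT-capable switch advertising its local IP/SGT bindings to a switch without SGT-capable hardware. Hostnames, the 10.0.0.x peer addresses, the 192.0.2.x server addresses, the SGT values and the password are all constructed placeholders.

```cisco
! --- SGT-SW (SGT-capable switch, SXP speaker) ---
! Addresses, SGT values and the password are constructed for this example.
cts sxp enable
cts sxp default source-ip 10.0.0.1
cts sxp default password MySxpSecret
! Local IP/SGT bindings that SXP advertises to the listener
cts role-based sgt-map 192.0.2.10 sgt 20
cts role-based sgt-map 192.0.2.0/24 sgt 30
! "mode local speaker": this device is the speaker, the peer is the listener
cts sxp connection peer 10.0.0.2 source 10.0.0.1 password default mode local speaker

! --- LEGACY-SW (no SGT-capable ASIC, SXP listener) ---
cts sxp enable
cts sxp default source-ip 10.0.0.2
cts sxp default password MySxpSecret
! hold-time 0 0 disables the listener hold timers, as in the 3K/WLC lines above
cts sxp connection peer 10.0.0.1 source 10.0.0.2 password default mode local listener hold-time 0 0

! --- Verification (run on either side) ---
! Connection state should show "On"
show cts sxp connections
! On the listener: the bindings learned over SXP
show cts sxp sgt-map
! All IP/SGT bindings regardless of source (local, SXP, ISE)
show cts role-based sgt-map all
```

The `password default` keyword on both sides refers to the `cts sxp default password`, so the two devices must carry the same value; the mode keywords must be complementary (one speaker, one listener) or the connection stays in a pending state.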
Steps to configure a device in ISE as a TrustSec device (AKA SGT device):
Configure the RADIUS shared secret
Enable the advanced TrustSec settings and use a device ID + password
Best practice for the timers is to set a long duration so policy is only updated on the device via an explicit push/workflow
Configuring a Catalyst switch for SGT:
The following CLI is required to turn on NDAC (authenticate the device to ISE and receive policies, including SGACLs, from ISE)
step 1: enable AAA
#aaa new-model
step 2: define the RADIUS server with the pac keyword
#radius-server host <ISE_PSN> pac key <radius shared secret>
step 3: define the authorization list name used for TrustSec policy download
#cts authorization list <authz_list_name>
step 4: use the AAA group for 802.1X and the defined authz list for network authorization
#aaa authentication dot1x default group radius
#aaa authorization network <authz list name> group radius
step 5: configure the RADIUS client to send VSAs in authentication requests
#radius-server vsa send authentication
step 6: enable dot1x globally
#dot1x system-auth-control
step 7: define the device credential (EAP-FAST ID), which must match the one in the ISE AAA client configuration
#cts credential id <device id> password <device password>
**NOTE: on IOS the device credential is configured in enable mode, not in config mode; on NX-OS it is configured in config mode**
VERIFYING CTS ENVIRONMENT DATA:
#show cts environment-data
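Putting steps 1 through 7 together, here is an added example (not from the original post) of the complete NDAC configuration on a Catalyst switch in the order it would be entered, including the enable-mode credential from the note above. The PSN address 198.51.100.10, the shared secret, the list name CTS-LIST, the device ID SW-ACCESS-01 and its password are constructed placeholders.

```cisco
! --- NDAC on a Catalyst switch: added example, not from the original ---
! 198.51.100.10 (ISE PSN), ISE-Shared-Secret, CTS-LIST, SW-ACCESS-01 and
! SwCredPass are constructed placeholder values.
configure terminal
 ! Step 1: AAA
 aaa new-model
 ! Step 2: RADIUS server with the pac keyword so the switch can provision a PAC
 radius-server host 198.51.100.10 pac key ISE-Shared-Secret
 ! Step 3: authorization list CTS uses for environment data and SGACL download
 cts authorization list CTS-LIST
 ! Step 4: 802.1X authentication and network authorization through RADIUS
 aaa authentication dot1x default group radius
 aaa authorization network CTS-LIST group radius
 ! Step 5: send Cisco VSAs in authentication requests
 radius-server vsa send authentication
 ! Step 6: enable 802.1X globally
 dot1x system-auth-control
end
! Step 7: device credential is entered in privileged EXEC (enable) mode on IOS,
! not in config mode; ID and password must match the TrustSec device in ISE
cts credential id SW-ACCESS-01 password SwCredPass
! Verification: PAC provisioning, environment data and AAA reachability
show cts pac all
show cts environment-data
show aaa servers
```

If `show cts pac all` shows no PAC, the PAC provisioning (steps 2 and 7) failed and nothing after it will work; environment data only downloads once the switch has a PAC and can authenticate to ISE.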
Example of activating SGACL Enforcement on IOS Switch:
Enabling SGACL enforcement globally and for vlan:
#cts role-based enforcement
#cts role-based enforcement vlan-list xx
Defining IP-to-SGT mappings for servers (shown here via CLI, but the bindings can also be pushed from ISE to the switch or learned via SXP):
#cts role-based sgt-map 1.1.1.1 sgt 100
#cts role-based sgt-map 10.10.10.10 sgt 20
#cts role-based sgt-map 10.x.x.x sgt 30
Downloading Policy on IOS Switch:
SGACL download server list:
The NAD can be configured to speak to ISE via the real IP of a PSN or via an SLB virtual IP address for CTS
Regardless, the NAD will download policy from the IPs in the server list it receives (these should be PSNs)
ISE SGACL policy push:
Applies to SGACLs, environment data and the server list:
#aaa server radius dynamic-author
#client x.x.x.x server-key 7 XXX --should be the PAN IP for CoA
#client x.x.x.x server-key 7 XXX --add the PSN for 802.1X auth CoA
View SGACL Policy on IOS Switch:
#show cts role-based permissions
Verify SGACL Drops:
#show cts role-based counters
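The enforcement, mapping, policy-push and verification lines above come together in the following added example (not from the original post). It enables enforcement globally and on one VLAN, programs static server bindings, defines one SGACL locally as a stand-in for what ISE would normally push, registers the PAN and PSN as dynamic-authorization clients, and then refreshes and verifies. VLAN 100, the 192.0.2.x servers, SGTs 20/30/100, the WEB-ONLY ACL name, the 198.51.100.x ISE addresses and the CoA keys are constructed placeholders.

```cisco
! --- SGACL enforcement, static mappings and CoA on an IOS switch ---
! Added example, not from the original. Addresses, VLAN, SGT numbers,
! ACL name and keys are constructed placeholders.
configure terminal
 ! Enforcement globally and on the VLAN that carries the servers
 cts role-based enforcement
 cts role-based enforcement vlan-list 100
 ! Static IP/SGT bindings for servers (ISE or SXP could supply these instead)
 cts role-based sgt-map 192.0.2.10 sgt 100
 cts role-based sgt-map 192.0.2.0/24 sgt 30
 ! A locally defined SGACL standing in for an ISE-pushed policy:
 ! source SGT 20 may reach destination SGT 100 on HTTPS only
 ip access-list role-based WEB-ONLY
  permit tcp dst eq 443
  deny ip
 cts role-based permissions from 20 to 100 WEB-ONLY
 ! Dynamic authorization so ISE can push SGACL, env-data and server-list changes
 ! (first client is the PAN for CoA, second is the PSN used for 802.1X auth CoA)
 aaa server radius dynamic-author
  client 198.51.100.5 server-key PanCoaKey
  client 198.51.100.10 server-key PsnCoaKey
end
! Pull fresh policy and environment data now instead of waiting for the timer
cts refresh policy
cts refresh environment-data
! Verify: the policy matrix, the bindings with their source, and drop counters
show cts role-based permissions
show cts role-based sgt-map all detail
show cts role-based counters
```

Reading `show cts role-based counters`: each From/To row shows software and hardware permit and deny counts, so a climbing HW-Denied count on the 20-to-100 row confirms the SGACL is being enforced in the ASIC rather than punted to the CPU.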
Device tracking is fundamental to IP/SGT entries:
IP/SGT programming happens only after device tracking has learned the host's IP address:
#show cts role-based sgt-map all detail
Troubleshoot SGACL Download Errors:
#show aaa servers --verify AAA is reachable
#show cts pac all --validate the device has a PAC
#show cts environment-data --validate the device can communicate with ISE by checking the environment data
If there is no IP/SGT entry on the switch, check device tracking: an error there prevents the binding from being programmed
Brief example of configuring a link for SGT tagging:
interface eth1/0
cts manual
policy static sgt 2 trusted
Additional good-to-knows:
For port-channel support, CTS is configured on the physical interface, which is then added to the port channel
#show cts interface brief --will show you whether propagate SGT is enabled
Best practice is to shut/no shut the interface after any cts manual changes
Enabling inline tagging for DMVPN: #cts sgt inline --enabled under the tunnel interface
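To show the link-level pieces together, here is an added example (not from the original post) of `cts manual` applied to two physical members of a port-channel with the shut/no shut practice, plus inline tagging on a DMVPN tunnel. The interface names, channel-group number, SGT value 2 and the tunnel interface are constructed; the example assumes Tunnel0 is already configured as a DMVPN tunnel and only adds the SGT line.

```cisco
! --- Inline SGT tagging on links: added example, not from the original ---
! Interface names, channel-group number, SGT value and tunnel are constructed.
configure terminal
 ! Port-channel members: CTS goes on each physical interface, then the
 ! interface joins the channel. Untagged ingress traffic gets SGT 2; tags
 ! received from the peer are trusted and SGT propagation is on.
 interface GigabitEthernet1/0/1
  shutdown
  cts manual
   policy static sgt 2 trusted
   propagate sgt
  channel-group 1 mode active
  no shutdown
 interface GigabitEthernet1/0/2
  shutdown
  cts manual
   policy static sgt 2 trusted
   propagate sgt
  channel-group 1 mode active
  no shutdown
 ! DMVPN: carry the SGT inline inside the tunnel encapsulation
 interface Tunnel0
  cts sgt inline
end
! Confirm propagate SGT shows as enabled on the CTS links
show cts interface brief
show cts interface GigabitEthernet1/0/1
```

The shutdown/no shutdown around each `cts manual` block follows the best practice above; without it the ASIC may keep the previous link mode until the interface is bounced.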
That wraps up this tidbit on Trustsec :) Cheers!