Trustsec - Tidbit

In this tidbit I want to cover some high-level notes on general TrustSec items as well as some good-to-knows. A brief overview of what TrustSec is: TrustSec provides scalable access control by classifying traffic according to the role (Security Group Tag, SGT) of the endpoint that sends it, rather than by IP address.


Understanding SGT transport mechanisms:

  • Inline tagging (data plane): used when the device's ASIC supports carrying the SGT in the frame

  • SXP (control plane): used to share IP-to-SGT bindings with devices that lack SGT-capable hardware

Multiple options exist for SGT transport across a non-CTS L3 network:

  • By default you can go from SXP to inline tagging

  • To go from inline tagging to SXP you must use SGT caching

  • SGT can be carried in-band with:
      - VXLAN
      - DMVPN
      - GETVPN

  • Note that IP/SGT bindings are carried out of band by SXP


Example of IOS SXP configuration (x.x.x.x are placeholders for the peer and source IPs):

3750:
cts sxp enable
cts sxp connection peer x.x.x.x source x.x.x.x password default mode local

6K:
cts sxp enable
cts sxp default password cisco123

3K:
cts sxp connection peer x.x.x.x source x.x.x.x password default mode local listener hold-time 0 0

WLC:
cts sxp connection peer x.x.x.x source x.x.x.x password default mode local listener hold-time 0 0


Steps to configure a device in ISE as a TrustSec device (AKA SGT device):

  • Configure the RADIUS shared secret

  • Enable the Advanced TrustSec Settings and set the device ID + password

  • Best practice for the timers is to set a long duration so policy is only updated on the device via an explicit push/workflow, not on a short periodic refresh

Configuring a Catalyst switch for SGT:

The following CLI is required to turn on NDAC (authenticate the device to ISE and receive policies, including SGACLs, from ISE):

  • Step 1: enable AAA

#aaa new-model

  • Step 2: define the RADIUS server with the PAC keyword

#radius-server host <ISE_PSN> pac key <radius shared secret>

  • Step 3: define the authorization list name used for TrustSec policy download

#cts authorization list <authz_list_name>

  • Step 4: use the AAA group for 802.1X and the defined authz list for authorization

#aaa authentication dot1x default group radius

#aaa authorization network <authz_list_name> group radius

  • Step 5: configure the switch to send vendor-specific attributes (VSAs) in authentication requests

#radius-server vsa send authentication

  • Step 6: enable 802.1X globally

#dot1x system-auth-control

  • Step 7: define the device credentials (EAP-FAST ID), which must match the ones in the ISE network device configuration

#cts credentials id <device id> password <device password>

**NOTE: on IOS the device credentials are configured in enable (privileged EXEC) mode, not in config mode; on NX-OS they are configured in config mode**


Verifying CTS environment data:

  • #show cts environment-data

Example of activating SGACL Enforcement on IOS Switch:

  • Enabling SGACL enforcement globally and for vlan:

#cts role-based enforcement

#cts role-based enforcement vlan-list xx


Defining IP-to-SGT mappings for servers (shown here via CLI, but the mappings can also be pushed from ISE to the switch or learned via SXP):


#cts role-based sgt-map 1.1.1.1 sgt 100

#cts role-based sgt-map 10.10.10.10 sgt 20

#cts role-based sgt-map 10.x.x.x sgt 30


Downloading Policy on IOS Switch:

  • #cts refresh environment-data

  • #cts refresh policy


SGACL download server list:

  • The NAD can be configured to speak to ISE via the real IP of a PSN or via an SLB virtual IP address for CTS

  • Regardless, the NAD downloads policy from the IPs in the server list it received from ISE (these should be PSNs)


ISE SGACL policy push:

Applies to SGACLs, environment data and the server list. The switch must accept CoA from ISE:

  • #aaa server radius dynamic-author

  • #client x.x.x.x server-key 7 XXX --should be the PAN IP, which sends the policy-push CoA

  • #client x.x.x.x server-key 7 XXX --add the PSN(s) for 802.1X CoA

View SGACL Policy on IOS Switch:

  • #show cts role-based permissions

Verify SGACL Drops:

  • #show cts role-based counters
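As an added example (not part of the original post), here is a small parser for the output of show cts role-based counters that reports the SGT pairs whose SGACL denied traffic; the sample output is constructed and only approximates the IOS-XE column layout.

```python
# Constructed sample output (approximate IOS-XE layout), not a real capture.
SAMPLE_COUNTERS = """\
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitt  HW-Permitt  SW-Monitor  HW-Monitor
*       *       0          0          2           0           0           0
2       3       0          15         0           40          0           0
10      20      0          0          0           100         0           0
"""


def parse_rb_counters(text):
    """Return one dict per From/To row, keyed by the header column names."""
    header = None
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "From":          # header row names the columns
            header = tokens
            continue
        if header is None or len(tokens) != len(header):
            continue                     # title line or unrelated output
        row = dict(zip(header, tokens))
        for col in header[2:]:           # every column after From/To is a counter
            row[col] = int(row[col])
        rows.append(row)
    return rows


def sgacl_drops(text):
    """Return [(from_sgt, to_sgt, total_denied)] for pairs that dropped traffic.

    SW- and HW-Denied are summed so a pair enforced in software is not missed."""
    drops = []
    for row in parse_rb_counters(text):
        denied = sum(v for k, v in row.items() if "Denied" in k)
        if denied > 0:
            drops.append((row["From"], row["To"], denied))
    return drops


if __name__ == "__main__":
    for src, dst, n in sgacl_drops(SAMPLE_COUNTERS):
        print(f"SGT {src} -> SGT {dst}: {n} packets denied by SGACL")
```

Feed it the captured output of the show command (for example from a scheduled collection) to spot unexpected drops between roles before users report them.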

Device Tracking is fundamental to IP/SGT Entries:

  • #show ip device tracking all --ios-xe 3.x

  • #show device-tracking database --ios-xe 16.x

IP/SGT Programming Happens after Device Tracking Learning:

  • #show cts role-based sgt-map all detail

Troubleshooting SGACL download errors:

  • #show aaa servers --verify the AAA server is reachable

  • #show cts pac all --validate the device has a PAC

  • #show cts environment-data --validate the device can communicate with ISE by checking the environment data

  • No IP/SGT entry on the switch is usually caused by an error in device tracking (the IP was never learned, so no binding was programmed)
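As an added example (not from the original post), this checks the bindings reported by show cts role-based sgt-map all against the IP-to-SGT mappings you expect for your servers; a "missing" result points at the device-tracking problem described above. The sample output is constructed and only approximates the IOS-XE layout.

```python
import re

# Constructed sample output of "show cts role-based sgt-map all" (approximate
# IOS-XE layout), not a real capture. 10.0.0.7 is deliberately absent.
SAMPLE_SGT_MAP = """\
Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
1.1.1.1                 100     CLI
10.10.10.10             20      CLI
192.168.50.21           5       LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 2
Total number of LOCAL    bindings = 1
Total number of active   bindings = 3
"""

# One binding row: IPv4 address, SGT number, source (CLI, SXP, LOCAL, ...)
BINDING_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\S+)$")


def parse_sgt_map(text):
    """Return {ip: (sgt, source)} for every binding row in the output."""
    bindings = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            bindings[m.group(1)] = (int(m.group(2)), m.group(3))
    return bindings


def check_bindings(text, expected):
    """Compare expected {ip: sgt} with the switch; returns {ip: status}."""
    actual = parse_sgt_map(text)
    report = {}
    for ip, sgt in expected.items():
        if ip not in actual:
            report[ip] = "missing"              # never learned / never programmed
        elif actual[ip][0] != sgt:
            report[ip] = f"mismatch (switch has SGT {actual[ip][0]})"
        else:
            report[ip] = f"ok ({actual[ip][1]})"
    return report


if __name__ == "__main__":
    expected = {"1.1.1.1": 100, "10.10.10.10": 20, "10.0.0.7": 30}
    for ip, status in check_bindings(SAMPLE_SGT_MAP, expected).items():
        print(f"{ip:<16} {status}")
```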


Brief example of configuring a link for SGT tagging:

interface eth1/0
  cts manual
    policy static sgt 2 trusted


Additional good-to-knows:

  • For port-channel support, CTS is configured on the physical interface, which is then added to the port channel

  • #show cts interface brief --shows whether SGT propagation is enabled on each interface

  • Best practice is to shut/no shut the interface after any cts manual changes

  • Enable inline tagging for DMVPN with #cts sgt inline --configured under the tunnel interface

That wraps up this tidbit on Trustsec :) Cheers!
