topic Re: Cisco ISE SGT's Not Being Enforced in Network Access Control

Cisco ISE SGT's Not Being Enforced

ryanbess — Tue, 30 Jan 2024 02:23:14 GMT

First off thanks for everyone who has helped answer questions in the past. I'm now starting the CTS part of my ISE learning. In the matrix i have enabled the default permission to be disabled, thus all SGTs should not be able to communicate with each other. I then configured 2 windows 11 computers so they they would get different SGTs but for some reason they can still ping each other and connect to other ports. Can someone point me in the direction for where to look to see what's going on?

When i run "show cts role-based permissions" i see the below. The Permit IP-00 should be a deny i think since in the matrix (per the above) i set it to disabled (see attached print screen).

show cts role-based p
sw02#show cts role-based permissions
IPv4 Role-based permissions default:
Permit IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE

Re: Cisco ISE SGT's Not Being Enforced

Rob Ingram — Tue, 30 Jan 2024 08:58:29 GMT

@ryanbess is the switch configured correctly and has received the TrustSec environment data? Run show cts environment-data to confirm.

Re: Cisco ISE SGT's Not Being Enforced

Aref Alsouqi — Tue, 30 Jan 2024 09:47:24 GMT

In addition to what @Rob Ingram mentioned, could you please share the output of the commands "show cts pacs" and "show cts rbacl" for review?

Also, what version of ISE you are using? please note that as of ISE 3.1+ TLS 1.0 is disabled by default. In that case the CTS environment and PAC data won't be transferred over the traditional way (RADIUS) and you would need to enable HTTPS with REST API to transfer those data and stay away from TLS 1.0.

You also need to apply some configs on the NAD and the NAD has to be running a 16.2.2 release or higher. I can provide the required configs on the NAD if that is the case.