Solved: CoA in TrustSec & Enforcement

1263846Osmanoglu · ‎06-28-2016

I’m trying to implement Cisco TrustSec (partly) using Cisco ISE. I’m using a Cisco Catalyst 3560x Switch and ISE version 2.0. Within ISE, I go through the steps of TrustSec and set the settings. I have done the right configurations on the switch (I think). I want to download the environment data (created in ISE) to my switch now. This should work with CoA. I have configured this yet.

What I have configured on the switch is:

'' Aaa-server radius dynamic author "+" client [ip ISE] server-key [radius key] "

However, I can’t download the environment data to the switch. Could you maybe help and / or advice with this? Maybe you have a tip or (configuration) manual which I can use to properly configure the settings?

The error I get is: CoA failed --> Dynamic Authorization Failed for Device

I Also have another question about the enforcement of TrustSec on my switch.

I’ve read many configuration guides about TrustSec and tried to activate the enforcement on my switch.

I’m using the following command: ‘cts role-based enforcement’. But it doesn’t work, because my switch can’t recognize the command. Is that the right command to enable enforcement on my switch?

I’m using the Cisco Catalyst Switch 3560X. Version: 15.0(1)SE.

The CoA notification to push 'Security Group Tag's'' is working fine, but the CoA to push SGACL or the matrix doesn't work and results in a failed notification.

Could you please help me as soon as possible?

Kevin Regan · ‎06-29-2016

Sait,

You will need to be using 15.0(2)SE or later - that is when SGACL support was introduced to the 3560X, IP Base license needed also.

With that version or later, you could check that these steps have been done:-

On the Catalyst

! Enabling AAA

Switch#config t

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#aaa new-model

Switch(config)#cts authorization list <AUTHZ_List_Name>

! Define RADIUS server with pac keyword

Switch(config)#aaa authentication dot1x default group radius

Switch(config)#aaa authorization network <AUTHZ_List_Name> group radius

! Define authorization list name for the TrustSec policy keyword

Switch(config)#cts authorization list <AUTHZ_List_Name>

! Use default AAA group for 802.1X and ‘defined authorisation list for authorisation

Switch(config)#aaa authentication dot1x default group radius

Switch(config)#aaa authorization network <AUTHZ_List_Name> group radius

! Configure RADIUS server to use VSA in authentication request

Switch(config)#radius-server vsa send authentication

! Enable 802.1X in system level

Switch(config)#dot1x system-auth-control

! Define device credential (EAP-FAST I-ID), which must match ones in ISE AAA client configuration

! Please note this is not in the config - this is in exec mode

Switch#cts credential id <DEVICE_ID> password <DEVICE_PASSWORD>

! The device_ID and device_password must match those in ISE (In Admin - go to network devices - and for your switch go down to the Advanced TrustSec settings to check they match)

With those config steps done, hope that if you ran the following commands you would see data downloaded from ISE

show cts pacs

show cts environment-data

If you want to see the output to expect you will find a variety of docs, but if you search on the CiscoLive sites for BRKSEC-3690 you would find slides that cover this by Darrin Miller or myself with troubleshooting steps.

Hope this helps,

Kevin

View solution in original post

Kevin Regan · ‎06-29-2016

Sait,

You will need to be using 15.0(2)SE or later - that is when SGACL support was introduced to the 3560X, IP Base license needed also.

With that version or later, you could check that these steps have been done:-

On the Catalyst

! Enabling AAA

Switch#config t

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#aaa new-model

Switch(config)#cts authorization list <AUTHZ_List_Name>

! Define RADIUS server with pac keyword

Switch(config)#aaa authentication dot1x default group radius

Switch(config)#aaa authorization network <AUTHZ_List_Name> group radius

! Define authorization list name for the TrustSec policy keyword

Switch(config)#cts authorization list <AUTHZ_List_Name>

! Use default AAA group for 802.1X and ‘defined authorisation list for authorisation

Switch(config)#aaa authentication dot1x default group radius

Switch(config)#aaa authorization network <AUTHZ_List_Name> group radius

! Configure RADIUS server to use VSA in authentication request

Switch(config)#radius-server vsa send authentication

! Enable 802.1X in system level

Switch(config)#dot1x system-auth-control

! Define device credential (EAP-FAST I-ID), which must match ones in ISE AAA client configuration

! Please note this is not in the config - this is in exec mode

Switch#cts credential id <DEVICE_ID> password <DEVICE_PASSWORD>

! The device_ID and device_password must match those in ISE (In Admin - go to network devices - and for your switch go down to the Advanced TrustSec settings to check they match)

With those config steps done, hope that if you ran the following commands you would see data downloaded from ISE

show cts pacs

show cts environment-data

If you want to see the output to expect you will find a variety of docs, but if you search on the CiscoLive sites for BRKSEC-3690 you would find slides that cover this by Darrin Miller or myself with troubleshooting steps.

Hope this helps,

Kevin

mjessup · ‎10-28-2016

Hello Sait,

Please also reference some of the technical documents found at http://www.cisco.com/go/trustsec. There you will find a number of reference documents that should help as well.

Mike