04-11-2016 05:09 AM - edited 03-10-2019 11:39 PM
Endpoint connects to a Cisco switch (that supports SGT insertion/SGACL). Endpoint is correctly profiled, CoA (SGT) is passed back, and the switch shows the correct SGT-IP binding. SGACLs are configured to be dynamic, and when doing a "show cts rbacl" the SGACLs show up (both the default permit statement and my unique SGACL ACE), but my unique ACE is not installed in the global ACL table. When doing a "show access-list", the default ACE installs but my unique ACE isn't present.
Executing a "show cts role-based permissions" = FALSE. I have the CTS role-based enforcement global command and the CTS role-based VLAN list command (as we're intending on using that). I removed and re-added the commands just in case and refreshed the CTS policy and env, but no dice.
My assumption is that since the permissions are FALSE, the entry isn't being installed in the global ACL table. What variables should one address to fix the permissions?
Thanks much in advance!
04-11-2016 05:24 AM
Hi Anthony,
please let us know the product type and software version running.
Also please paste the output of "show cts role-based permissions" and the relevant "sh run" commands (perhaps "sh run | inc cts").
Thanks, Jonothan
04-11-2016 06:31 AM
Hello Jonathon,
I'm helping the IE switching team test out their new TrustSec code. Product name is the IE4K. Code = ie4000-universalk9-mz.152-5.1.36i.E.bin
Able to download the SGTs, map them fine to IP addresses, even download the appropriate SGACL, but since the permissions are FALSE, the ACE doesn't get installed in the global ACL table. Looking to see how I can fix the permissions.
I'd rather not look down the "bug path", until I try everything. The switching team looked at the IE4k switch config, which looks ok. They said "if" there was a config issue, perhaps it might be on the ISE side.
Thanks for your assistance!
04-11-2016 07:09 AM
Right, so you have an early release of 15.2(5) which should support SGACL.
That being the case, I can only tell you how it's meant to work.
OK, so unless you have configured your SGACL manually via CLI, in ISE you have a SGACL configured as:
deny ip any host 10.75.1.25
permit ip any any
SGACLs should never include IP addresses. They're L4 only (apart from the catch-alls of deny ip or permit ip).
Policies are built from role/group/SGT x to role/group/SGT y, and these roles/groups can reside anywhere on the customer's network and can therefore be using any subnet. So, the IP addresses of the clients using these policies can be anything.
So, typical examples of SGACLs are:
1) permit ip
2) deny ip
3) permit udp dst range 16384 32767
   deny ip
4) permit udp dst eq 5060 log
   permit tcp dst eq 5060 log
   permit tcp dst eq 5061 log
   permit udp dst range 32768 61000
   permit tcp dst range 32768 61000
   deny ip log
I also see that your IE4k policy table is empty.
In ISE you create SGT entries and then create a security policy in the TrustSec Matrix from SGT x to SGT y.
When the IE4k knows it is protecting SGT y (by configuring a SGT mapping to SGT y) then the IE4k will download the policy defined in the matrix from x to y.
Ping me online if any clarification is needed or if you would like me to go through the ISE config.
Regards, Jonothan, jeaves@cisco.com
04-11-2016 11:27 AM
Hello Jonathon,
I had the matrix configured, but was referencing the wrong ACE (was referencing my dACL instead of my SGACL syntax). As soon as I corrected the ACE syntax to "deny ip", the permissions corrected, and the ACE was installed in the global ACL table.
I'm all good now, thanks for pointing me in the right direction!
CTS policy matrix
04-11-2016 11:32 AM
BTW, if the syntax of the ACE is "deny ip any any", the permissions are FALSE and nothing gets installed in the global ACL table. If you adjust the ACE syntax to "deny ip" (removing the ANY ANY), the permissions are corrected and all is well.
04-11-2016 11:55 AM
Yes, that is expected. "deny ip any any" is not a valid SGACL. To discover the correct syntax you can check what is available using the CLI by configuring the SGACL manually (as a test).
I'm not sure what the commands are on the IE4k as you're using pre-release code.
However, on IOS the command is "ip access-list role-based x" and on NX-OS it is "cts role-based access-list x". Whichever has been implemented for the IE4k, enter that configuration menu and see what's available.
Regards, Jonothan.
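As an added example (not part of this thread and not Cisco's code), the following Python linter applies the rule Jonothan gives above and in his earlier post: an SGACL ACE names only permit/deny, a protocol, optional L4 port qualifiers and an optional "log", never "any", "host" or an IP address, because the source and destination are the SGTs of the matrix cell. The grammar it accepts is a constructed, simplified reading of the examples in this thread (permit ip, deny ip, src/dst with eq/range, trailing log), not the authoritative IOS or NX-OS parser; the sample SGACL bodies are constructed from the broken and fixed ACEs discussed above. It is meant as a pre-flight check before pasting an SGACL into ISE, so that a dACL-style ACE is caught before the switch reports permissions FALSE.

```python
import re
from typing import List, Tuple

# Constructed, simplified grammar for role-based ACL (SGACL) entries, modelled
# on the examples in this thread. This is an assumption for illustration, not
# Cisco's parser: real IOS/NX-OS accept more (other protocols, ICMP types, ...),
# so treat a False result as "verify the syntax on the box", not as gospel.
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
SINGLE_PORT_OPS = {"eq", "gt", "lt", "neq"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _port_ok(tok: str) -> bool:
    return tok.isdigit() and 0 <= int(tok) <= 65535


def check_ace(ace: str) -> Tuple[bool, str]:
    """Return (valid, reason) for a single SGACL ACE.

    Rejects the mistake the thread ran into: dACL-style 'any'/'host' address
    fields or literal IP addresses copied into an SGACL. In an SGACL the
    source and destination are the SGTs of the matrix cell, so an ACE only
    carries a protocol, optional L4 port qualifiers and an optional 'log'.
    """
    toks = ace.strip().lower().split()
    if not toks:
        return False, "empty ACE"
    if toks[0] not in ("permit", "deny"):
        return False, f"ACE must start with permit/deny, got {toks[0]!r}"
    if len(toks) < 2:
        return False, "missing protocol"
    proto, rest = toks[1], toks[2:]
    if proto not in PROTOCOLS:
        return False, f"unsupported protocol {proto!r}"
    if rest and rest[-1] == "log":          # 'log' is legal on any ACE
        rest = rest[:-1]
    for t in rest:                          # the classic copy-from-dACL error
        if t in ("any", "host") or IPV4.match(t):
            return False, f"address token {t!r} is not allowed in an SGACL"
    if proto in ("ip", "icmp"):
        if rest:
            return False, f"{proto} ACE takes no port qualifiers: {' '.join(rest)}"
        return True, "ok"
    # tcp/udp: zero or more '<src|dst> eq N' or '<src|dst> range N M' groups
    i = 0
    while i < len(rest):
        if rest[i] not in ("src", "dst"):
            return False, f"expected src/dst, got {rest[i]!r}"
        if i + 1 >= len(rest):
            return False, f"{rest[i]} needs a port operator"
        op = rest[i + 1]
        if op in SINGLE_PORT_OPS:
            if i + 2 >= len(rest) or not _port_ok(rest[i + 2]):
                return False, f"{op} needs one port number"
            i += 3
        elif op == "range":
            if i + 3 >= len(rest) or not (_port_ok(rest[i + 2]) and _port_ok(rest[i + 3])):
                return False, "range needs two port numbers"
            if int(rest[i + 2]) > int(rest[i + 3]):
                return False, "range low port exceeds high port"
            i += 4
        else:
            return False, f"unknown port operator {op!r}"
    return True, "ok"


def check_sgacl(text: str) -> List[Tuple[str, bool, str]]:
    """Check every non-blank line of an SGACL body; returns (ace, valid, reason)."""
    return [(line.strip(), *check_ace(line)) for line in text.splitlines() if line.strip()]


def is_valid_sgacl(text: str) -> bool:
    return all(ok for _, ok, _ in check_sgacl(text))


if __name__ == "__main__":
    # Constructed inputs: the dACL-style body from the thread beside a corrected one.
    BROKEN = "deny ip any host 10.75.1.25\npermit ip any any\n"
    FIXED = "permit udp dst eq 5060 log\npermit tcp dst range 32768 61000\ndeny ip log\n"
    for name, body in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"--- {name}: {'OK' if is_valid_sgacl(body) else 'REJECTED'}")
        for ace, ok, why in check_sgacl(body):
            print(f"  {'ok ' if ok else 'BAD'}  {ace:<36} {why}")
```

Run it as a script to see the broken body rejected line by line and the fixed body accepted; in a pipeline, call is_valid_sgacl() on each SGACL body before it is pushed to ISE, and keep the accepted grammar in step with what "ip access-list role-based" (IOS) or "cts role-based access-list" (NX-OS) actually offers on your platform.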