ANNOUNCEMENT - The community will be down for maintenace this Thursday August 13 from 12:00 AM PT to 02:00 AM PT. As a precaution save your work.
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1956
Views
8
Helpful
6
Replies
Highlighted
Cisco Employee

CTS permissions = False

Endpoint connects to a Cisco switch (that supports SGT insertion/SGACL).  Endpoint is correctly profiled, and CoA (SGT) is passed back, and the switch shows the correct SGT-IP binding.  SGACL's are config'd to by dynamic, and when doing a "show cts rbacl" the SGACLs show up (both the default permit statement + my unique SGACL ACE, but my unique ACE is not installed in the global ACL table.  When doing a  "show access-list" , the default ACE installs but my unique ACE isn't present.

Executing a "show cts role-based permissions" = FALSE.  I have the CTS role-based enforcement global command + the CTS role-based VLAN list command (as we're intending on using that).  I removed and re-added the commands just in case and refreshed the CTS policy + env, but no dice.

My assumption is that since the permissions are FALSE, the entry isn't being installed in the global ACL table.  What variables should one address to fix the permissions?  



Thx much in advance!

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Re: CTS permissions = False

Yes, that is expected. "deny ip any any" is not a valid SGACL. To discover the correct syntax you can check what is available using the CLI by configuring the SGACL manually (as a test).

I'm not sure what the commands are on the IE4k as you're using pre-release code.

However, on IOS the command is 'ip access-list role-based x' and on NX-OS it is "cts role-based access-list x'. Whichever has been implemented for the IE4k, enter that configuration menu and see what's available.

Regards, Jonothan.

  

  

View solution in original post

6 REPLIES 6
Highlighted
Cisco Employee

Re: CTS permissions = False

Hi Anthony,

please let us know the product type and software version running.

Also please paste the output of "show cts role-based permissions" and relevant "sh run" commands (perhaps a "sh run | inc cts".

Thanks, Jonothan

Highlighted
Cisco Employee

Re: CTS permissions = False

Hello Jonathon,

I'm helping the IE switching team test out their new TrustSec code. Product name is the IE4K. Code = ie4000-universalk9-mz.152-5.1.36i.E.bin

Able to download the SGTs, map them fine to IP addy's, even download the appropriate SGACL, but since the permissions are FALSE, the ACE doesn't get installed in the global ACL table. Looking to see how I can fix the permissions.

I'd rather not look down the "bug path", until I try everything. The switching team looked at the IE4k switch config, which looks ok. They said "if" there was a config issue, perhaps it might be on the ISE side.

Thx for your assistance!

Highlighted
Cisco Employee

Re: CTS permissions = False

Right, so you have an early release of 15.2(5) which should support SGACL.

That being the case, I can only tell you how it's meant to work.

OK, so unless you have configured your SGACL manually via CLI, in ISE you have a SGACL configured as:

deny ip any host 10.75.1.25

permit ip any any

SGACL's should never include IP addresses. It's L4 only (apart from the catch-alls of deny ip or permit ip).

Policies are built from role/group/SGT x to role/group/SGT y and these roles/groups can reside anywhere on the customers network and can therefore be using any subnet. So, the IP addresses of the clients using these policies can be anything.

So, typical examples of SGACLs are:

1) permit ip

2) deny ip

3) permit udp dst range 16384 32767

deny ip

4) permit udp dst eq 5060 log

permit tcp dst eq 5060 log

permit tcp dst eq 5061 log

permit udp dst range 32768 61000

permit tcp dst range 32768 61000

deny ip log

I also see that your IE4k policy table is empty.

In ISE you create SGT entries and then create a security policy in the TrustSec Matrix from SGT x to SGT y.

When the IE4k knows it is protecting SGT y (by configuring a SGT mapping to SGT y) then the IE4k will download the policy defined in the matrix from x to y.

Ping me online if any clarification is needed or if you would like me to go through the ISE config.

Regards, Jonothan, jeaves@cisco.com

Highlighted
Cisco Employee

Re: CTS permissions = False

Hello Jonathon,

I had the matrix configured, but was referencing the wrong ACE (was referencing my dACL instead of my SGACL syntax). As soon as I corrected the ACE syntax to "deny ip", the permissions corrected, and the ACE was installed in the global ACL table.

I'm all good now, thx for pointing me in the right direction!

CTS policy matrix

Highlighted
Cisco Employee

Re: CTS permissions = False

BTW, if the syntax of the ACE is "deny ip any any", the permissions are FALSE and nothing gets installed in the global ACL table. If you adjust the ACE syntax to "deny ip" (removing the ANY ANY), permissions correct and all is well....

Highlighted
Cisco Employee

Re: CTS permissions = False

Yes, that is expected. "deny ip any any" is not a valid SGACL. To discover the correct syntax you can check what is available using the CLI by configuring the SGACL manually (as a test).

I'm not sure what the commands are on the IE4k as you're using pre-release code.

However, on IOS the command is 'ip access-list role-based x' and on NX-OS it is "cts role-based access-list x'. Whichever has been implemented for the IE4k, enter that configuration menu and see what's available.

Regards, Jonothan.

  

  

View solution in original post