I have some Trust Sec Questions

jideji
Cisco Employee

1. Under "Advanced TrustSec Settings (TrustSec Notifications and Updates)", what is the operational impact of unchecking the "Other TrustSec devices to trust this device" checkbox (which is checked by default)? Does this only need to be checked when using NDAC (with <cts dot1x> configured on switch-to-switch interfaces)? Also, the "Test connection" button only does a ping from the "Send from" node, not a RADIUS CoA "test".

Does this setting matter if NOT using NDAC (with <cts dot1x> between switches)?

Also, if you have <cts manual> configured between switches (with the <trusted> keyword) as shown below, it would seem that the status of this checkbox would not matter (as the <trusted> keyword means that the switch should accept/honor the SGT in the packet).

    interface x/y
     cts manual
      policy static sgt xxx trusted

Perhaps this setting has relevance in <cts manual> mode with the <policy dynamic> command (shown below)?

    interface x/y
     cts manual
      policy dynamic



2. Under "Advanced TrustSec Settings (Device Configuration Deployment)", what is the operational impact of checking the "Include this device when deploying Security Group Tag Mappings Update" checkbox (which also then requires device credentials)? What functionality is lost by not having this enabled?

Accepted Solution

jeaves@cisco.com
Cisco Employee

Hi,

Correct, the check box for "Other TrustSec devices to trust this device" is for 'cts dot1x' links. That is, when the devices at both ends of a link authenticate with ISE to set link attributes and bring the link up.

It is no longer recommended to use 'cts dot1x' due to the reliance on ISE for network availability so please stick with 'cts manual' unless you have a very good reason not to.

The setting doesn't matter when using 'cts manual'.

You're right in relating this to NDAC but bear in mind that NDAC is also used with 'cts manual'. The links aren't authenticated but you still want a device SGT to be downloaded to the devices.

Test connection came in with ISE 2.4. It is to test connectivity to a device from a particular PSN (which looks as if you know this). Yes, it uses ICMP, I just tested it:

09:34:18.127907 IP (tos 0x0, ttl 64, id 13254, offset 0, flags [DF], proto ICMP (1), length 84)
    Kernow-ISE24 > 10.9.2.2: ICMP echo request, id 22465, seq 1, length 64
09:34:18.128802 IP (tos 0x0, ttl 253, id 13254, offset 0, flags [DF], proto ICMP (1), length 84)
    10.9.2.2 > Kernow-ISE24: ICMP echo reply, id 22465, seq 1, length 64

The trust has nothing to do with 'policy dynamic'. That is purely for a feature called Identity Port Mapping (IPM):

'policy dynamic identity server1'

where server1 is the server on this port.
Identity Port Mapping defines a name for the server here (which is connected to this interface); it matches a device/AAA entry in ISE, and the NDAC Network Device Authz table in ISE is used to assign an SGT.

'Include this device when deploying Security Group Tag Mappings Update' is used when adding static IP:SGT mappings. This is done under the TrustSec Components menu. If the check box isn't selected under the network device then you will not be able to add IP:SGT mappings to be sent to that device.

I think that's all the questions. Let me know if further clarification is needed.

Regards, Jonothan.
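The answer above distinguishes three link modes: 'cts dot1x' (link bring-up depends on ISE), 'cts manual' with a static SGT, where the 'trusted' keyword decides whether the peer's inbound SGT is honoured, and 'cts manual' with 'policy dynamic identity' (IPM). The following added example is not from the thread or from Cisco; it is a small config audit that parses an IOS-style running-config excerpt (the sample is constructed) and reports each interface's TrustSec link mode in those terms, so a reviewer can see at a glance which links still rely on 'cts dot1x' and which ones trust a peer's tags.

```python
import re

# Constructed sample running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
interface TenGigabitEthernet1/0/1
 cts manual
  policy static sgt 2 trusted
!
interface TenGigabitEthernet1/0/2
 cts manual
  policy static sgt 2
!
interface GigabitEthernet1/0/10
 cts manual
  policy dynamic identity server1
!
interface TenGigabitEthernet1/0/3
 cts dot1x
!
interface GigabitEthernet1/0/20
 switchport access vlan 10
!
"""

def parse_cts_links(config):
    """Return {interface: {mode, sgt, trusted, identity}} for every interface block."""
    links, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = links.setdefault(line.split(None, 1)[1],
                                   {"mode": None, "sgt": None, "trusted": False, "identity": None})
        elif cur is None:
            continue                                   # text before the first interface block
        elif line.strip() in ("cts manual", "cts dot1x"):
            cur["mode"] = line.split()[1]              # 'manual' or 'dot1x'
        elif m := re.match(r"\s+policy static sgt (\d+)( trusted)?\s*$", line):
            cur["sgt"], cur["trusted"] = int(m.group(1)), bool(m.group(2))
        elif m := re.match(r"\s+policy dynamic identity (\S+)\s*$", line):
            cur["identity"] = m.group(1)               # Identity Port Mapping (IPM)
    return links

def audit(links):
    """Map each interface to a one-line finding, following the answer's guidance."""
    out = {}
    for name, l in links.items():
        if l["mode"] == "dot1x":
            out[name] = "cts dot1x: link bring-up depends on ISE; prefer cts manual"
        elif l["mode"] == "manual" and l["identity"]:
            out[name] = f"IPM: SGT assigned via ISE NDAC authz for identity {l['identity']}"
        elif l["mode"] == "manual" and l["trusted"]:
            out[name] = f"trusted: peer's inbound SGT is honoured (static sgt {l['sgt']}); peer must be a controlled TrustSec device"
        elif l["mode"] == "manual":
            out[name] = f"untrusted: inbound SGT not honoured, static sgt {l['sgt']} applied"
        else:
            out[name] = "no cts: no SGT propagation on this link"
    return out

if __name__ == "__main__":
    for iface, finding in audit(parse_cts_links(SAMPLE_CONFIG)).items():
        print(f"{iface:28} {finding}")
```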

2 Replies


Thanks.