Implementing Inline SGT (no SXP) Using ISE 2.4 and Cisco catalyst switch 3650 (IOS-XE 3.6.8E)

I am trying to implement the Role-based access control (using security tags) for users connecting to the domain. NDAC, Security groups and SGACLs are configured on ISE.

Switch is successfully communicating with Cisco ISE as radius server as well as CTS policy server. PAC is also visible on switch under “show cts pacs” command output. Environment data is getting downloaded on switch through PAC communication.

But the issue occurs while downloading the SGACLs (peer policy). ISE throws the error below:

5421 TrustSec Peer Policy Download Failed


Hi, what is the configuration of the SGACLs? Usually I've found if the syntax in an SGACL was incorrect it would not download anything.

Hi, initially I have kept it simple for testing purposes. I have only 3 ACLs:

1. permit ip
2. deny ip
3. permit tcp any host <ip address>

So I assume if you run "show cts role-based permissions" you are not seeing any of the RBACLs?

Can you disable enforcement "no cts role-based enforcement", turn on debug "debug cts all" then enable enforcement "cts role-based enforcement". Copy ALL of the output of the debug after turning on enforcement and upload here.

Can you also screenshot your matrix page and upload and the ISE log section for the #CTSREQUEST# - they should be green if successful, if red please screenshot the errors inside.

What should be the configuration on the switch and the switch interface for user authentication/authorisation as well as for receiving the CTS SGT and SGACLs? The CTS and dot1x commands do not work simultaneously on an interface.

Are you referring to the interface configuration for inline tagging? The command on the interface would be "cts manual".
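As an added example that is not part of this thread, the IOS-XE fragment below shows the usual split on a Catalyst 3650: dot1x on the user-facing access port (the SGT arrives from ISE in the authorization result), `cts manual` only on the inline-tagged uplink towards the next TrustSec-capable device, plus an SGACL written in the role-based ACL syntax IOS accepts, since a `permit tcp any host <ip>` line in an SGACL has no meaning here (SGACLs carry no source/destination addresses, only protocols and ports) and will keep the policy from downloading. Interface names, VLAN 10, SGT 2 and the ACL name are constructed placeholders.

```cisco
! --- global: enable enforcement once ISE policy downloads cleanly ---
cts role-based enforcement
cts role-based enforcement vlan-list 10
!
! --- user access port: 802.1X only, no cts commands here ---
interface GigabitEthernet1/0/1
 description constructed example - user access port
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
! --- uplink to next TrustSec device: inline tagging via cts manual ---
interface TenGigabitEthernet1/1/1
 description constructed example - inline-tagged uplink
 switchport mode trunk
 cts manual
  policy static sgt 2 trusted
  propagate sgt
!
! --- SGACL in role-based ACL syntax (what ISE must also contain) ---
! valid entries name only protocol / port, never src/dst addresses
ip access-list role-based ALLOW_WEB_ONLY
 permit tcp dst eq 443
 permit tcp dst eq 80
 deny ip
!
! --- verification (run after re-enabling enforcement) ---
! show cts environment-data
! show cts role-based permissions
! show cts interface TenGigabitEthernet1/1/1
! show cts rbacl
```

If `show cts role-based permissions` stays empty after enforcement is re-enabled, check the ISE `#CTSREQUEST#` entries and the SGACL contents on ISE for entries that are not in this role-based syntax.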