Enthusiast

Need Trustsec guidance

Who can I talk to about a Trustsec implementation? Should I open a TAC case or is there a better way to engage Cisco's team for help?

I'll try to explain how we intend to use Trustsec here.

We have wireless users with WPA2 Enterprise and MAB. ISE returns the SGT value as an attribute to the WLC upon user authentication, after looking it up in AD. We have SGACLs on the L3 switch. The SSID is configured to forward-upstream PTP.

So there isn't really any policy in ISE nor IP-SGT mappings. The IP-SGT mappings are done on the WLC and WLC needs to propagate this to the Core switches. The only policy I've created so far is NDAC, to assign the default "TrustSec_Devices" group to any network device.

So far all the documentation I've read assumes you are pushing trustsec policy from ISE. Since we are not doing that I'm thinking we don't need to configure everything in the guides. Can someone help me understand the dependencies? I'm thinking I just need SXP between WLC and switches. Do I need to add the switches in ISE? What config is necessary on the switch?

WLC is 5520 and switch is C9500.

Thanks,

Andrew

9 Replies
Contributor

Re: Need Trustsec guidance

Andrew-

TrustSec is not a simple setup, you will have to find what objectives you need to meet with it. Then you need to see if all your devices are hardware and software compatible. There are some really good videos at labminutes.com

https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/design-guide-listing.html

1. First, the WLC will always be an SXP speaker, and can be connected back to ISE (2.X) or a core switch via SXP

2. "We have wireless users with WPA2 Enterprise and MAB. ISE returns the SGT value as an attribute to the WLC upon user authentication, after looking it up in AD." Do you actually have this working?

3. How many other devices are in between the WLC and the 9500?

4. Is there an ASA in the network that will be participating?

On a different note, you could use ISE to make users in different groups connect to different SSIDs, then get an ACL pushed down that controls the access on each Wireless LAN

HTH-

Vince

Enthusiast

Re: Need Trustsec guidance

Hi Vince,

Thank you for the response. I appreciate that TrustSec is not a simple setup. I've been reading up on the design guides but didn't know about the labminutes videos so I will check them out. But again, we are not pushing the policy/matrix/SGACLs from ISE (for User-User traffic) and it seems the guides are mainly geared toward that solution.

We are not creating the groups and policy in ISE because we have thousands of groups in this deployment. It's a residential community where each residence is its own group. The project is still in the design/testing phase.

1. It appears we have SXP working between WLC and switch but I'm not sure if it's needed. For example, if the WLC sends a packet tagged with SGTs and the switch trusts the WLC because it's in the TrustSec domain, does the WLC need to pass IP-SGT mapping to the switch? Either way, I'm not having luck getting the switch to download the PAC and environment data from ISE, maybe the labminutes will help me there.

2. Yes, it appears to be working, at least the Cisco AVpair is being returned. I can't take credit for that solution but for privacy reasons can't give credit either.

3. The WLC is directly connected to the Cat9500.

4. Yes there is an ASA at the internet edge.

Thank you for your help!

Andrew

Contributor

Re: Need Trustsec guidance

Andrew-

The WLC will pass the SGT to the Core switch, but you need to enforce the SGACL at either the Core or ASA or both.

So you will need an SXP connection to either ISE or the core. As for the PAC, you can follow these steps:

1. Add the device to ISE and fill out the TrustSec portion in ISE (the passphrase you add in this section will be the same as you add to your RADIUS server config).

2. Add the cts credentials to the core device.

3. Add your RADIUS server.

4. Add the server to your RADIUS group.

5. Add the aaa commands to call your RADIUS group.

6. Add your aaa server radius dynamic-author.

Then to initiate the PAC, you will add the pac key command instead of the key command, e.g.:

    radius server ISE-RADIUS
     address ipv4 x.x.x.x auth-port 1812 acct-port 1813
     timeout 5
     no key radiuskeypassword
     pac key trustsecpassword

At this time you should see a CTS Request appear in your live RADIUS logs, which will show that the PAC has been installed.

Verify:

    show cts credentials
    show cts pac

HTH-

Vince

[Accepted solution]
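As an added illustration of steps 2 through 6 above together with the SXP listener toward the WLC, here is a constructed IOS-XE configuration for a Catalyst 9500. It is not Vince's or Cisco's config; every hostname, IP address, VLAN range and key is a placeholder that must be replaced with the values entered in ISE and on the WLC.

```cisco
! Constructed example, not from the thread: all IPs, names and keys are placeholders.
! Assumes ISE at 192.0.2.10, the WLC at 192.0.2.20 and the switch's own SXP source 192.0.2.1.
!
! Step 2: device credentials. This is a privileged EXEC command, not a config-mode one, and
! the id/password must match the TrustSec device ID and password set for this switch in ISE.
cts credentials id C9500-CORE password CTS-DEVICE-PASSWORD-PLACEHOLDER
!
! Steps 3 and 4 (config mode): RADIUS server and group. "pac key" rather than "key" is what
! makes the switch request its PAC from ISE; the value is the shared secret entered in ISE.
configure terminal
aaa new-model
radius server ISE-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 timeout 5
 pac key RADIUS-SHARED-SECRET-PLACEHOLDER
aaa group server radius ISE-GROUP
 server name ISE-RADIUS
!
! Step 5: AAA method lists that call the group. The "cts-list" is the list the switch
! uses for environment data and SGACL downloads.
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa authorization network cts-list group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
cts authorization list cts-list
!
! Step 6: accept CoA from ISE; server-key is the same shared secret.
aaa server radius dynamic-author
 client 192.0.2.10 server-key RADIUS-SHARED-SECRET-PLACEHOLDER
!
! SXP: the WLC is always the speaker, so the switch side is the listener. The password
! must match the one configured in the WLC's SXP settings.
cts sxp enable
cts sxp default source-ip 192.0.2.1
cts sxp default password SXP-PASSWORD-PLACEHOLDER
cts sxp connection peer 192.0.2.20 password default mode local listener
!
! Enforcement is off by default; enable it globally and on the user VLANs routed here.
cts role-based enforcement
cts role-based enforcement vlan-list 100-110
end
!
! Verification (privileged EXEC): PAC present, environment data with SGT names downloaded,
! SXP connection "On", and IP-SGT bindings learned from the WLC.
show cts pac
show cts environment-data
show cts sxp connections brief
show cts role-based sgt-map all
```

Until ISE also sends SGACLs for the SGT pairs in use, enabling enforcement only applies the default permission, so check "show cts role-based permissions" before and after turning it on.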

Enthusiast

Re: Need Trustsec guidance

Vince, thanks for your help! It appears to be working, I've got the PAC and environment data. I was missing some RADIUS config.

Thanks again!

Andrew


Re: Need Trustsec guidance

Hi Vince,
In your item 4 (4. Is there an ASA in the network that will be participating?), can I implement TrustSec without an ASA? I do have ISE though, and have implemented BYOD and Guest. Thanks in advance!

VIP Advisor

Re: Need Trustsec guidance

Hi @techmgr.aballesteros1
You can implement TrustSec without an ASA. It depends on what you want to achieve. You have the ability to enable SGT enforcement on multiple compatible Cisco products including a WLC, which might fit your scenario. You can enable enforcement on compatible Cisco routers or switches, which might be an alternative if you don't have an ASA.

The following TrustSec links are very useful when designing a solution:

TrustSec Platform Matrix: lists each platform and whether enforcement is supported.

TrustSec System Bulletin: includes useful information regarding scalability.

HTH


Re: Need Trustsec guidance

Thanks RJI - I think that would be my viable option: to implement with switches and routers. With what I want to achieve? I would implement it as part of network segmentation. Forgive my limited knowledge so far with TrustSec, but would that cover my requirements for network segmentation? Would there be any limitation without the participation of an ASA?

Cisco Employee

Re: Need Trustsec guidance

If you enforce using SGT's on a FW then it gives you stateful inspection. SGT's and IP to group membership information is downloaded and used from ISE but FW access rules are configured as normal without downloading policy from ISE.

If you enforce using SGT's on a switch or router then it gives you stateless inspection. SGT's and IP to group membership information is downloaded and used from ISE, as well as SGACLs and policy.

There may be some useful information found in the segmentation strategy guide:

https://community.cisco.com/t5/security-documents/segmentation-strategy/ta-p/3757424

[Accepted solution]


Re: Need Trustsec guidance

Thanks for the very important info - I'll get back to you on how I get along with all the planning!