01-29-2018 08:59 AM - edited 03-11-2019 01:19 AM
Who can I talk to about a Trustsec implementation? Should I open a TAC case or is there a better way to engage Cisco's team for help?
I'll try to explain how we intend to use Trustsec here.
We have wireless users with WPA2 Enterprise and MAB. ISE returns the SGT value as an attribute to the WLC upon user authentication, after looking it up in AD. We have SGACLs on the L3 switch. The SSID is configured to forward-upstream PTP.
So there isn't really any policy in ISE nor IP-SGT mappings. The IP-SGT mappings are done on the WLC and WLC needs to propagate this to the Core switches. The only policy I've created so far is NDAC, to assign the default "TrustSec_Devices" group to any network device.
So far all the documentation I've read assumes you are pushing trustsec policy from ISE. Since we are not doing that I'm thinking we don't need to configure everything in the guides. Can someone help me understand the dependencies? I'm thinking I just need SXP between WLC and switches. Do I need to add the switches in ISE? What config is necessary on the switch?
WLC is 5520 and switch is C9500.
Thanks,
Andrew
01-31-2018 02:52 PM
Andrew-
TrustSec is not a simple setup; you will have to find what objectives you need to meet with it. Then you need to see if all your devices are hardware and software compatible. There are some really good videos at labminutes.com
https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/design-guide-listing.html
1. First, the WLC will always be an SXP speaker, and can be connected back to ISE (2.X) or a core switch via SXP.
2. "We have wireless users with WPA2 Enterprise and MAB. ISE returns the SGT value as an attribute to the WLC upon user authentication, after looking it up in AD." Do you actually have this working?
3. How many other devices are in between the WLC and the 9500?
4. Is there an ASA in the network that will be participating?
On a different note, you could use ISE to make users in different groups connect to different SSIDs, then get an ACL pushed down that controls the access on each Wireless LAN.
HTH-
Vince
01-31-2018 03:33 PM
Hi Vince,
Thank you for the response. I appreciate that TrustSec is not a simple setup. I've been reading up on the design guides but didn't know about the labminutes videos so I will check them out. But again, we are not pushing the policy/matrix/SGACLs from ISE (for User-User traffic) and it seems the guides are mainly geared toward that solution.
We are not creating the groups and policy in ISE because we have thousands of groups in this deployment. It's a residential community where each residence is its own group. The project is still in the design/testing phase.
1. It appears we have SXP working between WLC and switch, but I'm not sure if it's needed. For example, if the WLC sends a packet tagged with SGTs and the switch trusts the WLC because it's in the TrustSec domain, does the WLC need to pass IP-SGT mapping to the switch? Either way, I'm not having luck getting the switch to download the PAC and environment data from ISE; maybe the labminutes videos will help me there.
2. Yes, it appears to be working, at least the Cisco AVpair is being returned. I can't take credit for that solution but for privacy reasons can't give credit either.
3. The WLC is directly connected to the Cat9500.
4. Yes there is an ASA at the internet edge.
Thank you for your help!
Andrew
02-01-2018 04:24 AM
Andrew-
The WLC will pass the SGT to the Core switch, but you need to enforce the SGACL at either the Core or ASA or both.
So you will need an SXP connection to either ISE or the core. As for the PAC, you can follow these steps:
1. Add the device to ISE and fill out the TrustSec portion in ISE (the passphrase you add in this section will be the same as you add to your RADIUS server config).
2. Add the cts credentials to the core device.
3. Add your RADIUS server.
4. Add the server to your RADIUS group.
5. Add the aaa commands to call your RADIUS group.
6. Add your aaa server radius dynamic-author.
Then, to initiate the PAC, you will add the pac command instead of the key command:
Example:
radius server ISE-RADIUS
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 timeout 5
 no key radiuskeypassword
 ! "pac key" replaces the shared "key"; the value must match the TrustSec password in ISE
 pac key trustsecpassword
At this time you should see a CTS Request appear in your live RADIUS logs, which will show that the PAC has been installed.
Verify:
show cts credentials
show cts pacs
HTH-
Vince
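To pull the steps above together, here is an added example of the core-switch (C9500) side; it is not code from the thread or from Cisco's documentation, and all addresses, names, passwords and SGT numbers are constructed placeholders. It goes slightly beyond Vince's list by adding the SXP listener toward the WLC and a locally defined SGACL, which fits the original poster's model of not pulling policy from ISE.

```ios
! Core-switch (C9500) side of the steps above. Constructed placeholders:
! ISE 192.0.2.10, WLC 192.0.2.20, switch 192.0.2.1, residence SGTs 10 and 20.
!
! Step 2: device credentials, entered in exec mode (not config mode).
! ID and password must match the TrustSec tab of the device entry in ISE.
cts credentials id C9500-CORE password TRUSTSEC_PW_PLACEHOLDER
!
! Steps 3/4: RADIUS server with "pac key" in place of "key". The switch uses
! it to obtain the PAC over EAP-FAST, then uses the PAC for the
! environment-data and policy requests it sends to ISE.
aaa new-model
radius server ISE-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 timeout 5
 pac key TRUSTSEC_PW_PLACEHOLDER
aaa group server radius ISE-GROUP
 server name ISE-RADIUS
!
! Step 5: AAA method lists. The named network-authorization list is what
! "cts authorization list" binds to for the environment-data download.
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa authorization network CTS-LIST group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
cts authorization list CTS-LIST
!
! Step 6: CoA listener so ISE can push changes (same secret as ISE's device entry).
aaa server radius dynamic-author
 client 192.0.2.10 server-key RADIUS_KEY_PLACEHOLDER
!
! SXP: the WLC is always a speaker, so the core is the listener and learns
! the IP-to-SGT bindings the WLC creates when clients authenticate.
cts sxp enable
cts sxp default password SXP_PW_PLACEHOLDER
cts sxp connection peer 192.0.2.20 source 192.0.2.1 password default mode local listener
!
! Enforcement with a locally defined SGACL (no policy pulled from ISE):
! deny traffic from one residence SGT to another.
ip access-list role-based DENY-BETWEEN-RESIDENCES
 deny ip
cts role-based permissions from 10 to 20 DENY-BETWEEN-RESIDENCES
cts role-based enforcement
!
! Verification (exec mode): PAC present, environment data downloaded,
! SXP peer up, bindings learned from the WLC.
! show cts pacs
! show cts environment-data
! show cts sxp connections
! show cts role-based sgt-map all
```

If the SXP connection stays in a non-established state, the usual causes are a password mismatch or both ends configured with the same role; the WLC side must be the speaker.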
02-01-2018 09:03 AM
Vince, thanks for your help! It appears to be working, I've got the PAC and environment data. I was missing some RADIUS config.
Thanks again!
Andrew
01-18-2019 10:47 PM
01-19-2019 01:55 AM
Hi @techmgr.aballesteros1
You can implement TrustSec without an ASA. It depends on what you want to achieve. You have the ability to enable SGT enforcement on multiple compatible Cisco products, including a WLC, which might fit your scenario. You can enable enforcement on compatible Cisco routers or switches, which might be an alternative if you don't have an ASA.
The following TrustSec links are very useful when designing a solution:
TrustSec Platform matrix: lists the platforms and whether enforcement is supported.
TrustSec System bulletin: includes useful information regarding scalability.
HTH
01-20-2019 03:49 PM
Thanks RJI - I think that would be my viable option to implement with Sw and Rtr. With what I want to achieve? I would implement it as part of network segmentation. Forgive my limited knowledge so far with TrustSec, but would that cover my requirements for network segmentation? Would there be any limitation without the participation of an ASA?
01-21-2019 02:56 AM
If you enforce using SGTs on a FW, then it gives you stateful inspection. SGTs and IP-to-group membership information are downloaded and used from ISE, but FW access rules are configured as normal without downloading policy from ISE.
If you enforce using SGTs on a switch or router, then it gives you stateless inspection. SGTs and IP-to-group membership information are downloaded and used from ISE, as well as SGACLs and policy.
There may be some useful information found in the segmentation strategy guide:
https://community.cisco.com/t5/security-documents/segmentation-strategy/ta-p/3757424
01-21-2019 03:09 PM