
Stop NAD from talking to ISE via CTS without removing 'cts manual'

Josh Morris
Level 3

I'm migrating from an OLD to a NEW ISE environment. Part of the move is to start over on TrustSec; it's never really worked anyway. I have a switch with the following TrustSec config that is hammering the NEW ISE with CTS requests, but I have TrustSec disabled in the endpoint. I don't want to mess with the 'cts manual' commands because these commands are on a port-channel and would require me to bring the port-channel down to remove them. Can I disable CTS by removing the other commands but leaving 'cts manual'?

SWITCH#show run | sec cts
aaa authorization network cts-list group ISE_RADIUS
cts cache enable
cts cache nv-storage bootflash:
cts authorization list cts-list
cts critical-authentication fallback Cached
cts role-based enforcement vlan-list 1-4094
 cts manual
  policy static sgt 2 trusted
 cts manual
  policy static sgt 2 trusted

Accepted Solution

dalbanil
Cisco Employee

Hello Josh, yes, you can proceed. TrustSec has multiple pieces, and as you may know, one of them is "Propagation". The cts manual commands configured on your interfaces allow your device to propagate the packets tagged with SGTs to other devices, like your next switch; this process is called inline tagging. You can read more about this in the following doc: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9400/software/release/16-9/configuration_guide/cts/b_169_cts_9400_cg/b_169_cts_9400_cg_chapter_01010.pdf

So in conclusion, removing the other cts commands won't affect your in-line tagging configuration on the interface.
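To make the split the answer describes concrete, here is an added helper (not from the thread or from Cisco) that reads the `show run | sec cts` output posted above, separates the column-0 global TrustSec commands that drive the ISE-facing authorization and environment-data exchanges from the indented per-interface `cts manual` propagation blocks, and lists the `no` forms for the global commands only. The sample output is copied from the question; the `no` forms are the usual IOS-XE negation and should be verified against the platform's TrustSec configuration guide before being pasted into a change window.

```python
"""Split `show run | sec cts` output into global TrustSec commands and
per-interface `cts manual` propagation blocks.

Global commands are at column 0. Interface-level lines are indented because
`| sec cts` keeps the indented `cts manual` sub-mode but drops the interface
headers themselves. Only the global commands are negated; `cts manual` and
its `policy static ...` children are reported as kept.
"""

# Constructed sample: the switch output from the post (trailing spaces removed).
SAMPLE_OUTPUT = """\
aaa authorization network cts-list group ISE_RADIUS
cts cache enable
cts cache nv-storage bootflash:
cts authorization list cts-list
cts critical-authentication fallback Cached
cts role-based enforcement vlan-list 1-4094
 cts manual
  policy static sgt 2 trusted
 cts manual
  policy static sgt 2 trusted
"""


def split_cts_config(text):
    """Return (global_cmds, manual_blocks); each block is its list of child lines."""
    global_cmds, manual_blocks, current = [], [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):          # indented: inside an interface
            line = raw.strip()           # tolerate trailing spaces in pasted output
            if line == "cts manual":
                current = []
                manual_blocks.append(current)
            elif current is not None:
                current.append(line)
        else:                            # column 0: global command
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, manual_blocks


def removal_plan(text):
    """'no' form of every global command (assumed IOS-XE negation; verify per platform)."""
    global_cmds, manual_blocks = split_cts_config(text)
    return {"remove": ["no " + c for c in global_cmds],
            "keep_manual_blocks": len(manual_blocks)}


if __name__ == "__main__":
    plan = removal_plan(SAMPLE_OUTPUT)
    print("\n".join(plan["remove"]))
    print(f"# leaving {plan['keep_manual_blocks']} 'cts manual' block(s) untouched")
```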
