SXP between 3850 & ASA

Hi, I have a question regarding CTS SXP in ISE. I am doing automatic PAC provisioning on a 3850 series switch and importing the PAC on the ASA as well. I am configuring DHCP on the switch for Dot1x and MAB authenticated endpoints. I am configuring SGACL on the ASA to block undesired traffic with the help of security tags. Do I need to run the SXP service between them so that the ASA filters the traffic based on the SGACL configured on it?

Switch Model: WS-C3850-24U 03.07.04E

ASA Model: 5512-X: 9.2(2)4

ISE 2.1 


6 Replies

umahar (Cisco Employee)

You need to propagate tags so that traffic from the switch hits the correct rule on the ASA.

It can be inline SGT or SXP (which is easier).

You can also explore running SXP directly from ISE to the ASA, which is more common these days, as you will only need one SXP connection from the ASA rather than multiple SXP connections to multiple access switches.

Damien Miller (VIP Alumni)
TrustSec works on the basis that you either need to carry the SGT inline anywhere the packet goes, similar to how a VLAN tag works on trunks, or you have to bridge gaps with SXP.

When you authenticate the endpoint on the 3850, ISE will send down the SGT for the endpoint traffic based on the authorization result. When traffic egresses an uplink configured for CTS, the tag will be appended in the header and carried to the next device (another switch, router or ASA). When you have segments that are not capable of inline tagging, such as a WAN, you then need an overlay like DMVPN to carry the tag for you.

The other option you alluded to is using SXP. Assuming the ASA and 3850 are not connected by CTS-capable links, you can then send SGT-to-IP mappings via SXP. There are two options here: the first can be accomplished by configuring ISE as an SXP speaker to the ASA (the ASA will then know all of the tags ISE has been handing out). The second can be to configure SXP directly between the 3850 and the ASA; the 3850 will send the ASA any tags it knows.

Inline tagging is definitely preferred, and SXP works well but has scaling limitations in large deployments.
TLDR: you need to get the SGTs to the ASA either via inline tagging (cts manual on the traffic path) or SXP.

So now when I try to perform Automatic PAC Provisioning, I can see the PAC on the switch but it just cannot be refreshed. I have tried enabling debugging for environment-data. What might be the reason behind the environment data not getting refreshed?

Hi,

In the output of your configuration, you are referencing a method list called ISE for the cts authorization, but you only have the default method list defined.

aaa authorization network default group ISE
cts authorization list ISE

As per the guide here, you need to add an additional method list called ISE.

aaa authorization network ISE group ISE

HTH

See my earlier post; I have written all the config for you.

Please do not forget to rate.

Here is what you need:


ASA1
!
aaa-server ISE protocol radius
! 192.168.1.1 is the ISE address
aaa-server ISE (mgmt) host 192.168.1.1
 key cisco
!
cts server-group ISE
! The PAC file is generated on ISE, transferred to your PC, then from the PC to the ASA
cts import-pac tftp://192.168.1.X/ASA1.pac password ciscocisco
cts sxp enable
cts sxp default password test123
! 192.168.1.254 is the ASA mgmt IP address
cts sxp default source-ip 192.168.1.254
cts sxp connection peer 192.168.1.253 source 192.168.1.254 password default mode local listener
!
write memory
===========
SWITCH-3850
!
aaa new-model
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
! Named method list ISE, referenced by "cts authorization list ISE" below
aaa authorization network ISE group ISE
aaa accounting dot1x default start-stop group ISE
aaa group server radius ISE
 server name CISCO
aaa server radius dynamic-author
 client 192.168.1.1 server-key cisco
radius server CISCO
 address ipv4 192.168.1.1 auth-port 1812 acct-port 1813
 pac key cisco
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send authentication
radius-server vsa send accounting
!
dot1x system-auth-control
!
! Make sure this is the same IP address configured for the switch in ISE Network Devices
ip radius source-interface VlanXX
!
cts authorization list ISE
cts sxp enable
cts sxp default password test123
! 192.168.1.253 is the switch VLAN IP address
cts sxp default source-ip 192.168.1.253
cts sxp connection peer 192.168.1.254 source 192.168.1.253 password default mode local speaker
!
! Exec command (not config); the password is the one set for the device in ISE Network Devices
cts credentials id SWITCH-3850 password cisco
!
! After about two minutes, verify the PAC:
show cts pacs

Please do not forget to rate.
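As an added check (not code from the thread or from Cisco), a small Python script that flags the two misconfigurations discussed above: a "cts authorization list" that names an AAA method list the switch never defines, and a switch/ASA SXP pairing whose peer and source addresses, speaker/listener roles or default password do not line up. The config snippets are constructed from the addresses used in the thread and use the "password default mode local" form of the SXP connection command.

```python
import re

# Constructed sample configs using the thread's addresses (not captured from real devices).
# The switch snippet deliberately keeps the original mistake: "cts authorization list ISE"
# with only the "default" AAA network authorization list defined.
SWITCH_CFG = """
aaa authorization network default group ISE
cts authorization list ISE
cts sxp enable
cts sxp default password test123
cts sxp default source-ip 192.168.1.253
cts sxp connection peer 192.168.1.254 source 192.168.1.253 password default mode local speaker
"""

ASA_CFG = """
cts sxp enable
cts sxp default password test123
cts sxp default source-ip 192.168.1.254
cts sxp connection peer 192.168.1.253 source 192.168.1.254 password default mode local listener
"""

def undefined_cts_authz_lists(cfg):
    """Names used by 'cts authorization list' with no 'aaa authorization network <name>' line."""
    defined = set(re.findall(r"^aaa authorization network (\S+)\s", cfg, re.M))
    used = re.findall(r"^cts authorization list (\S+)", cfg, re.M)
    return [name for name in used if name not in defined]

def sxp_peers(cfg):
    """Parse 'cts sxp connection' lines into (peer, source, role) tuples."""
    pat = r"^cts sxp connection peer (\S+) source (\S+) password \S+ mode local (speaker|listener)"
    return re.findall(pat, cfg, re.M)

def sxp_default_password(cfg):
    m = re.search(r"^cts sxp default password (\S+)", cfg, re.M)
    return m.group(1) if m else None

def check_sxp_pair(speaker_cfg, listener_cfg):
    """Return problems with the speaker<->listener pairing; an empty list means both sides line up."""
    problems = []
    if sxp_default_password(speaker_cfg) != sxp_default_password(listener_cfg):
        problems.append("SXP default passwords differ")
    other = sxp_peers(listener_cfg)
    for peer, source, role in sxp_peers(speaker_cfg):
        # The far end must name our source as its peer, our peer as its source, and take the opposite role.
        want = "listener" if role == "speaker" else "speaker"
        if (source, peer, want) not in other:
            problems.append(f"no matching {want} for peer {peer} on the other side")
    return problems

if __name__ == "__main__":
    print(undefined_cts_authz_lists(SWITCH_CFG))  # ['ISE']
    print(check_sxp_pair(SWITCH_CFG, ASA_CFG))    # []
```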