TrustSec deployment without 802.1x

awatson20 (Level 4)

We are looking into TrustSec at a high level for network segmentation purposes. Is it possible to deploy TrustSec without doing 802.1X on the layer 2 devices? Could it be used to deploy SGACLs and tags to layer 3 routers for segmentation without authenticating clients and doing dot1x on the switch ports?


5 Replies

thomas (Cisco Employee)

You may assign Scalable Group Tags (SGTs) using any authorization rule in ISE, regardless of the mechanics of the authentication. Since you mention Layer-2, your options would be 802.1X or MAC Authentication Bypass (MAB), so MAB it is! This would be most common for non-authenticating devices that you profile or put into a static endpoint group (printers, cameras, etc.) or with every new Guest (until they complete the appropriate guest flow) or otherwise Unknown devices that fall through and hit the Default.

I suggest reading http://cs.co/ise-resources#Segmentation > Campus / Branch Segmentation Design Guide. This should cover the full details of what is needed for Classification (assign SGT) at the edge and Propagating the information to your routers for Enforcement.

A scenario we are looking at is to prevent endpoints in SGT-1 from communicating with endpoints in SGT-2. We would want to push the SGACL from ISE to the routers at these branch offices. If I understand what you are saying, you would still have to authenticate the devices using MAB auth in ISE?

> prevent endpoints in SGT-1 from communicating with endpoints in SGT-2

This is simple and addressed in the TrustSec matrix by assigning Deny IP between the two tags:

[screenshot: image.png]

> We would want to push the SGACL from ISE to the routers at these branch offices.

You need to ensure your network devices are registered in ISE as TrustSec network devices in order to receive the SGT and SGACL updates you provisioned above.

[screenshot: image.png]

> you would still have to authenticate the devices using MAB auth in ISE?

Yes, unless you want to do static classification by VLAN/subnet/IP which would not involve ISE but CLI configuration on each of your network access devices. Here are your options:

[screenshot: image.png]
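The router side of that registration, as an added example that is not part of the reply above: an IOS-XE branch router configured to download TrustSec environment data and the SGACLs provisioned in the matrix from ISE. The ISE-side steps shown in the screenshots (adding the device as a Network Device with TrustSec settings, entering the matching device ID and password, filling in the matrix cell) are done in the ISE GUI and are not shown. Hostname, addresses and secrets below are constructed placeholders.

```text
! Added example (not from the post): IOS-XE router as a TrustSec network device.
! 192.0.2.10, BRANCH-RTR-1 and the secrets are constructed for illustration.
aaa new-model
!
! RADIUS server entry for the ISE policy service node; the PAC key is used
! for the EAP-FAST PAC provisioning that TrustSec device authentication needs
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 pac key ExampleSharedSecret
!
aaa group server radius ISE-GROUP
 server name ISE-PSN-1
!
! Authorization list the router uses to fetch environment data and SGACLs
aaa authorization network CTS-LIST group ISE-GROUP
cts authorization list CTS-LIST
!
! Accept CoA from ISE so matrix changes are pushed rather than waiting
! for the policy refresh timer
aaa server radius dynamic-author
 client 192.0.2.10 server-key ExampleSharedSecret
!
! Turn on SGACL enforcement on the router
cts role-based enforcement
!
! Privileged EXEC (not config mode): the device ID and password must match
! the TrustSec settings entered for this device in ISE
cts credentials id BRANCH-RTR-1 password ExampleDevicePassword
!
! Pull the SGT names/server list and the SGACL policy now
cts refresh environment-data
cts refresh policy
!
! Verification: environment data present, the Deny IP cell from the matrix
! downloaded, and the IP-SGT bindings the router currently knows about
show cts environment-data
show cts role-based permissions
show cts role-based sgt-map all
show cts role-based counters
```

The `show cts role-based permissions` output is the check that the matrix cell actually reached the router; if it is empty, the device is either not marked as a TrustSec device in ISE or the `cts credentials` do not match what ISE has for it.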

Thanks for the info.

> Yes, unless you want to do static classification by VLAN/subnet/IP which would not involve ISE but CLI configuration on each of your network access devices. Here are your options:

In regards to “static classification by VLAN/subnet without ISE”, are you saying ISE is still involved as far as the SGT/SGACL to the routers, just not from an authentication standpoint, or that ISE would not be used at all in that scenario? Can you still deploy the SGT/SGACL from ISE to the layer 3 network devices, without having to configure 802.1X down the switchport?

It is possible to use TrustSec without authenticating/authorising the endpoints at the access layer, but this makes for a much less dynamic environment.

There are different types of Static Classification available for TrustSec, including:

  1. Static IP- or Subnet-SGT mappings configured in ISE and pushed to the network device performing Enforcement via SGACL.
  2. Static VLAN-SGT, Port-SGT, IP-SGT, Subnet-SGT, L3IF-SGT bindings configured on the network device; these cannot be configured/managed by ISE.

SGACLs can be configured manually on the network device or pushed by ISE, depending on the device platform capabilities. Keep in mind that the Enforcement point must know the IP- or Subnet-SGT mappings for both the Source and Destination to apply the SGACL or SGFW controls.

Also be aware that you may need to use SGFW (via Zone-Based Policy Firewall) if your router platform does not support SGACL. See the current TrustSec Platform Capability Matrix for more info.

There is a vast amount of information and caveats that need to be understood when designing/deploying TrustSec, so I would recommend viewing the following Cisco Live presentations:

Software-Defined Access Controls and Segmentation for Enterprise and Cloud - BRKSEC-2203
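As an added example (not from the reply above or from Cisco documentation), here is the fully static variant the reply describes: subnet-SGT and IP-SGT bindings, a locally defined SGACL and enforcement on an IOS-XE router with no ISE involved, followed by the SGT-aware Zone-Based Policy Firewall (SGFW) form for a platform without SGACL support. Subnets, tag numbers, ACL, zone and interface names are constructed. Both the source and the destination subnet carry a binding, which is the requirement the reply points out: an address with no binding is classified as SGT 0 (Unknown) and the Deny cell for 10/20 never matches it.

```text
! Added example (not from the post): static classification + local SGACL on
! an IOS-XE router. Subnets, tags and names below are constructed.
!
! Subnet-SGT bindings. The router needs a binding for BOTH ends of a flow;
! an unmapped address is tagged 0 and only the default policy applies to it.
cts role-based sgt-map 10.10.1.0/24 sgt 10
cts role-based sgt-map 10.10.2.0/24 sgt 20
! A host binding is more specific than the subnet it sits in and wins
cts role-based sgt-map 10.10.1.50 sgt 30
!
! Role-based ACLs (SGACLs): the ACEs carry no addresses, only protocol/ports,
! because the source/destination are already fixed by the SGT pair
ip access-list role-based DENY-ALL
 deny ip
ip access-list role-based PERMIT-MGMT
 permit tcp dst eq 22
 permit icmp
 deny ip
!
! Bind each SGACL to a source/destination SGT pair, then enforce
cts role-based permissions from 10 to 20 DENY-ALL
cts role-based permissions from 20 to 10 DENY-ALL
cts role-based permissions from 30 to 20 PERMIT-MGMT
cts role-based enforcement
!
! Verify: both bindings must be listed before the 10->20 Deny can ever hit,
! and the counters show whether the SGACL is actually matching traffic
show cts role-based sgt-map all
show cts role-based permissions
show cts role-based counters
!
! ---- SGFW alternative for a platform without SGACL support ----
! Same bindings as above; the policy is written as an SGT-aware ZBFW rule.
zone security INSIDE
zone security BRANCH
!
interface GigabitEthernet0/0/0
 zone-member security INSIDE
interface GigabitEthernet0/0/1
 zone-member security BRANCH
!
class-map type inspect match-all SGT10-TO-SGT20
 match security-group source tag 10
 match security-group destination tag 20
!
policy-map type inspect BRANCH-POLICY
 class type inspect SGT10-TO-SGT20
  drop log
 class class-default
  pass
!
zone-pair security IN-TO-BRANCH source INSIDE destination BRANCH
 service-policy type inspect BRANCH-POLICY
```

The SGACL half and the SGFW half are alternatives, not a pair to deploy together; which one a given router supports is exactly what the Platform Capability Matrix the reply refers to answers.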