TrustSec on Wireless

leighharrison
Level 7

Hello all,

We're labbing up TrustSec over wireless before pushing a wider implementation out and we're hitting a few teething issues with it. We've got ISE set up to push tags to users based on their AD grouping, which is exactly what we're after, and when the devices log into the wireless we can see their tags associated with their clients in the WLC.

The issue I'm running into is that the WLC pays no attention to the ISE's static tag mappings and only downloads a subset of the policy rules. So when I have, say, a laptop with a tag of 10 trying to talk to a server in the LAN with a tag of 20, the rule for traffic one way is downloaded, but the traffic doesn't know that the server has a tag of 20 and the traffic hits a default 10 to "any" in the policy.

How do I get the WLC to download the static mappings? What have I missed? This is going to be a staged rollout and we'll not be able to put TrustSec on all devices in the path.

Just to add - I've got my 2 ISE servers both set up in SXP to get the tags from ISE.

Best, Leigh


Greg Gibbs
Cisco Employee

The scenario is a bit vague, but it sounds like you are trying to perform SGACL enforcement on the AP/WLC closest to the source of the traffic. This is not how TrustSec is designed and breaks the entire scalability model behind TrustSec. Unlike traditional ACLs, TrustSec uses SGACL enforcement closest to the destination of the traffic. The enforcement point needs to know both the Source and Destination SGT of the traffic. For Wireless, the classification of the S-SGT is typically done dynamically via ISE policy and the classification of the destination D-SGT (e.g. a server in the DC) is done by static IP-SGT mappings configured in ISE and pushed to the enforcement point (e.g. a DC edge switch).

Review some of the examples in the Segmentation section of the Community. There are also some good sessions on TrustSec in the on-demand library on https://ciscolive.com.

leighharrison
Level 7

Hi Greg,

Thanks for the response and the links, I'll run through them. I'll try and clear up the vagueness:

I've got TrustSec set up, with ISE in as an SXP reference and the relevant SGACLs downloaded for the groups I've got users attached to in the WLC. We've built it within a set of test switches and all works well.

The issue I've got is that when a packet arrives from the network without a tag, I'm expecting the IP-SGT mappings to kick in and give the source its relevant tag so it hits the right rule in the SGACLs. But I'm not getting that. All traffic in from the network is set to a tag of 0 and is hitting rules for the "unknown" group, rather than getting its tag and hitting the right rule.

The question I have is: does the WLC not take a copy of the IP-SGT mappings like the switches do?

Best, Leigh

Sorry, but it's still not entirely clear. I'm not sure what you mean by 'SXP reference' or where the packet is arriving without a tag. Maybe a diagram would help illustrate what you're trying to do.

If you're talking about a flow like Wireless Client -> DC edge switch and enforcing an SGACL on the switch, the switch would need to learn the S-SGT (tag Propagation) from either inline tagging or via SXP (Listener) either directly from the WLC (Speaker) or ISE (Speaker). Be aware that SXP does not scale well in extremely large/complex environments, so inline tagging should be used wherever possible. See this Bulletin for scaling info on various switching platforms.

If you're talking about SGACL enforcement on the Wireless Client side for 'east-west' microsegmentation or 'north-south' DC -> Client traffic, it should be noted that this happens on the AP itself (not the WLC) and both the WLC and AP must support SGACL enforcement as per the Bulletin linked above. The WLC only supports the SXP Speaker function, so the AP doing the enforcement would need to learn about the S-SGT via inline tagging (or dynamically via ISE policy for east-west microseg between wireless clients).
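To make the behaviour described in both of the replies above concrete (the enforcement point needs both the source and destination SGT, and a destination it cannot classify falls back to SGT 0), here is a small Python model of a TrustSec enforcement point. It is an added example, not code from the thread, from Cisco, or from any WLC or switch; the IP addresses, prefixes, SGT numbers and the permit/deny matrix are constructed for illustration. It models source classification from an inline tag with an IP-SGT binding as fallback, destination classification from IP-SGT bindings (which a device would learn via SXP or static configuration), and a longest-prefix lookup, then walks the same flows the thread discusses.

```python
"""Toy model of a TrustSec enforcement point (added example, not Cisco code).

Shows why an enforcement point that has no IP-SGT binding for the destination
(or for an untagged source) classifies it as SGT 0 and falls through to the
matrix default, while one that holds the binding applies the intended cell.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

UNKNOWN_SGT = 0  # TrustSec uses SGT 0 for traffic it could not classify


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    inline_sgt: Optional[int] = None  # SGT carried inline (CMD header), if any


@dataclass
class EnforcementPoint:
    name: str
    # IP-SGT bindings learned via SXP or configured statically: prefix -> SGT
    ip_sgt_bindings: Dict[str, int] = field(default_factory=dict)
    # SGACL matrix cells: (src_sgt, dst_sgt) -> action
    sgacl: Dict[Tuple[int, int], str] = field(default_factory=dict)
    default_action: str = "permit"  # matrix default when no cell matches

    def lookup_sgt(self, ip: str) -> int:
        """Longest-prefix match of an IP against the bindings; SGT 0 if none."""
        addr = ipaddress.ip_address(ip)
        best = None
        for prefix, sgt in self.ip_sgt_bindings.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sgt)
        return best[1] if best else UNKNOWN_SGT

    def classify(self, pkt: Packet) -> Tuple[int, int]:
        """Source SGT comes inline if present, else from bindings; destination
        always comes from bindings, which is why the D-SGT must be present here."""
        src = pkt.inline_sgt if pkt.inline_sgt is not None else self.lookup_sgt(pkt.src_ip)
        dst = self.lookup_sgt(pkt.dst_ip)
        return src, dst

    def decide(self, pkt: Packet) -> Tuple[int, int, str]:
        src, dst = self.classify(pkt)
        return src, dst, self.sgacl.get((src, dst), self.default_action)


# Constructed addresses and policy: laptop in SGT 10, DC server in SGT 20,
# and the matrix denies both directions between them, permitting by default.
CLIENT_IP = "10.10.0.5"
SERVER_IP = "10.20.0.10"
POLICY = {(10, 20): "deny", (20, 10): "deny"}


def dc_edge_switch() -> EnforcementPoint:
    """Holds the server's static mapping plus the client subnet learned via SXP."""
    return EnforcementPoint("dc-edge", {"10.20.0.10/32": 20, "10.10.0.0/24": 10}, dict(POLICY))


def wlc_without_mappings() -> EnforcementPoint:
    """Knows only its own clients' SGTs; no binding for the DC server."""
    return EnforcementPoint("wlc", {"10.10.0.0/24": 10}, dict(POLICY))


def demo() -> Dict[str, Tuple[int, int, str]]:
    client_to_server = Packet(CLIENT_IP, SERVER_IP, inline_sgt=10)  # tagged at the edge
    server_to_client = Packet(SERVER_IP, CLIENT_IP)  # untagged, via a non-TrustSec path
    return {
        # Enforcement near the destination with the D-SGT known: intended deny.
        "dc_edge_client_to_server": dc_edge_switch().decide(client_to_server),
        # Same packet at a device without the server binding: D-SGT 0, default wins.
        "wlc_client_to_server": wlc_without_mappings().decide(client_to_server),
        # Untagged return traffic at that device: S-SGT 0, the 'unknown' case.
        "wlc_server_to_client": wlc_without_mappings().decide(server_to_client),
        # Untagged return traffic where the binding exists: classified to 20, denied.
        "with_binding_server_to_client": dc_edge_switch().decide(server_to_client),
    }


if __name__ == "__main__":
    for label, (src, dst, action) in demo().items():
        print(f"{label:32s} S-SGT={src:<3} D-SGT={dst:<3} -> {action}")
```

The two "wlc" results are the symptom described in the thread: the policy cell exists, but without the peer's IP-SGT binding the lookup resolves to 0 and the default cell is applied, so the check on a real deployment is whether the enforcing device actually holds the binding for the other end of the flow, not just the SGACL.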
