
Cisco ISE 3.2 Patch4 Trustsec laboratory Allowed List (Default Deny)

ifabrizio
Level 3

Dear All,

I have set up a TrustSec laboratory composed of an ISE 3.2 patch 4 with a Premier license, connected to a Cisco 9500 that has two links: one connected to a 9300 (with a network-advantage license), the other connected to a 4500 Sup8. I have connected two PCs, one on the 9300 and the other on the 4500.

The PC classification is done with a cts manual policy, but it will be changed to Dot1x authentication with the SGT assigned by ISE in the Authorization rule.

In the TrustSec policy matrix I have the Default Action set to Permit, so I deny the traffic between the two test PCs, and everything works as expected.

Now I'd like to change the TrustSec policy model from the Blocked List (Default Action Permit) to the Allowed List (Default Action Deny). I found some examples on the Cisco website that do this using ISE, but also DNAC or DNA.

https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/dna-center/215516-trustsec-whitelist-model-with-sda.html

My question is: is it possible to set up the Allowed List model without using DNAC or DNA?

Best regards,

JF.

4 Replies

ifabrizio
Level 3

Dear All,

I have some additional information about the steps needed to change from the Blocked List (Default Action Permit) to the Allowed List (Default Action Deny) model.

I think I know why, if I try to change the Default Action to Deny, I lose all communication.

If I go on one of the test lab switches and issue the command,

sh cts role-based permissions

IPv4 Role-based permissions default:

        Permit IP-00     <----- First policy: Default!!!

IPv4 Role-based permissions from group Unknown to group Unknown:

        Permit IP-00

IPv4 Role-based permissions from group 2:TrustSec_Devices to group Unknown:

        Permit IP-00

IPv4 Role-based permissions from group 3:Network_Services to group Unknown:

        Permit IP-00

IPv4 Role-based permissions from group 13:Test_Servers to group Unknown:

        Permit IP-00

IPv4 Role-based permissions from group 16:TRUSTSEC_LAB_DEV1 to group Unknown:

        Permit IP-00

IPv4 Role-based permissions from group 17:TRUSTSEC_LAB_DEV2 to group Unknown:

        Permit IP-00

IPv4 Role-based permissions from group 1000:NAD_Interfaces to group Unknown:

        Permit IP-00

IPv4 Role-based permissions from group Unknown to group 2:TrustSec_Devices:

        Permit IP-00

IPv4 Role-based permissions from group 2:TrustSec_Devices to group 2:TrustSec_Devices:

        Permit IP-00

IPv4 Role-based permissions from group Unknown to group 17:TRUSTSEC_LAB_DEV2:

        Permit IP-00

RBACL Monitor All for Dynamic Policies : FALSE

RBACL Monitor All for Configured Policies : FALSE

As you can see, the first policy is the default action, so if I set it to Deny all the other policies are not executed.

I have tried to configure a Fallback policy as described in the link I posted above, but the fallback policy, which should permit traffic even if the default action is set to Deny, has lower priority than the policy downloaded by ISE:

sh cts role-based permissions
IPv4 Role-based permissions default:
Permit IP-00
IPv4 Role-based permissions from group Unknown to group Unknown:
Permit IP-00
IPv4 Role-based permissions from group 2:TrustSec_Devices to group Unknown:
Permit IP-00
IPv4 Role-based permissions from group 3:Network_Services to group Unknown:
Permit IP-00
IPv4 Role-based permissions from group 13:Test_Servers to group Unknown:
Permit IP-00
IPv4 Role-based permissions from group 16:TRUSTSEC_LAB_DEV1 to group Unknown:
Permit IP-00
IPv4 Role-based permissions from group 17:TRUSTSEC_LAB_DEV2 to group Unknown:
Permit IP-00
IPv4 Role-based permissions from group 1000:NAD_Interfaces to group Unknown:
Permit IP-00
IPv4 Role-based permissions from group Unknown to group 2:TrustSec_Devices:
Permit IP-00
IPv4 Role-based permissions from group 2:TrustSec_Devices to group 2:TrustSec_Devices:
Permit IP-00
IPv4 Role-based permissions from group 1000:Basic_Network_Services to group 2:TrustSec_Devices (configured):
FallBackPolicy
IPv4 Role-based permissions from group Unknown to group 17:TRUSTSEC_LAB_DEV2:
Permit IP-00
IPv4 Role-based permissions from group 2:TrustSec_Devices to group 1000:Basic_Network_Services (configured):
FallBackPolicy
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE

cts role-based permissions from 2 to 2 FallBackPolicy
cts role-based permissions from 1000 to 2 FallBackPolicy
cts role-based permissions from 2 to 1000 FallBackPolicy

My question is: do I need to change the priority order, giving more priority to the static cts rules and less priority to the dynamic rules, with this command?

cts role-based policy priority-static <- prioritize the static policy over the dynamic

Best regards,

JF

Did you allow the traffic between the network devices' SGT in the security matrix? Not sure why we would need to configure a fallback manual SGACL. The way I would do it would be to set the permit action in the security matrix for the SGTs that need to talk to each other. Also, I think TrustSec SGACLs are not stateful, so if you allow something in one direction, I think you would need to allow it in the other direction as well.

Hi Aref,

I did some tests to see if the FALLBACK policy was necessary to make the TrustSec matrix work with the default action set to Deny.

The answer appears to be yes.

Without the fallback policy, which involves configuring some policies directly on the switches, placing Deny as the default action in the TrustSec matrix blocks RADIUS communication with the ISE nodes.

It also lets you operate on the networks specified in the policies configured on the switches if you were to lose the ISE nodes.

Bye,

JF
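The two posts above (the "priority-static" question and the test result that RADIUS to ISE is cut off under Default Action Deny unless a local fallback exists) describe a configuration without showing it end to end. The following is an added example from the editor, not configuration posted by anyone in this thread and not a Cisco reference design: a minimal IOS-XE fallback for running the ISE matrix in Allowed List mode. SGTs 2 (TrustSec_Devices) and 1000 (Basic_Network_Services) and the ACL name FallBackPolicy are taken from the thread; the ISE addresses 10.10.0.11/10.10.0.12, the port list and the choice of cells are assumptions for illustration and must be adapted to the real deployment.

```ios
! Added example (editor's, not from any post in this thread).
! Goal: keep switch <-> ISE control-plane traffic working when the ISE
! TrustSec matrix Default Action is Deny, using locally configured (static)
! SGACLs that do not depend on the policy download succeeding.
!
! 1. Role-based ACL for the switch <-> ISE cells. SGACLs are stateless
!    (as noted in the reply above), so each flow is listed in both
!    directions. Port choices are assumptions: adjust to your ISE setup.
ip access-list role-based FallBackPolicy
 permit udp dst eq 1812
 permit udp src eq 1812
 permit udp dst eq 1813
 permit udp src eq 1813
 permit udp dst eq 1700
 permit udp src eq 1700
 permit tcp dst eq 443
 permit tcp src eq 443
 permit icmp
!  1812/1813 = RADIUS auth/acct, 1700 = RADIUS CoA (assumed defaults),
!  443 = ISE web/ERS (assumed), icmp for reachability tests.
!
! 2. Static IP-to-SGT bindings for the ISE PSNs (assumed addresses), so the
!    cells below have a destination SGT even before any ISE download.
!    1000 = Basic_Network_Services as used in the thread.
cts role-based sgt-map 10.10.0.11 sgt 1000
cts role-based sgt-map 10.10.0.12 sgt 1000
!
! 3. Bind the ACL to the same three cells the post above configured.
cts role-based permissions from 2 to 2 FallBackPolicy
cts role-based permissions from 2 to 1000 FallBackPolicy
cts role-based permissions from 1000 to 2 FallBackPolicy
!
! 4. Make locally configured (static) permissions take precedence over the
!    dynamic policy downloaded from ISE for the SGT pairs that have both.
!    By default the dynamic (ISE) policy wins, which is why the cells marked
!    "(configured)" in the post's show output were not taking effect.
cts role-based policy priority-static
!
! 5. Enforcement (already present in a working lab; shown for completeness).
cts role-based enforcement
!
! Verification (privileged EXEC):
!   show cts role-based permissions   -> cells 2->1000 / 1000->2 should list
!                                        FallBackPolicy as "(configured)"
!   show cts role-based counters      -> permitted hits in those cells while
!                                        a client authenticates
!   show cts environment-data         -> confirms the device SGT (e.g. 2) the
!                                        switch uses for its own traffic
```

Two caveats a practitioner should keep in mind. First, the matrix cells from the NAD SGT to the SGT holding the ISE nodes can equally be set to Permit in ISE (the approach suggested in the reply above); the local fallback is what keeps those cells open when the ISE nodes are unreachable, which is the second benefit the post describes. Second, once static policies win, anything placed in a static cell silently overrides the corresponding ISE cell for that SGT pair, so keep the static set small and review `show cts role-based permissions` after every ISE policy change to confirm the "(configured)" entries are only the ones intended.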

ifabrizio
Level 3

Hi Aref,

Thank you for your reply.

Yes, I have permitted the traffic between the network device SGT tag 02.

But how do these network devices know that they belong to the Network Devices group? Maybe ISE assigns this group to all configured NADs?

Anyway, I think that the main problem is that the Default Action is at the top of the other cts policies, so if it is set to Deny, the other policies are not executed. Is that correct?

Finally, should the tag assigned to the NAD links be a dedicated tag, such as for example 900, or should it be tag 02?

Bye,

JF