04-25-2019 05:25 AM
Hello,
I am deploying Software-Defined Access for a customer and I have trouble with the TrustSec configuration.
The issue is that DNA Center did not push the CTS configuration to the fabric switches. As a result there are a ton of "CTSREQUEST failed" RADIUS logs in ISE, and we won't be able to push segmentation policies.
Maybe someone can clarify whether the CTS configuration is supposed to be pushed by DNA Center or if we are supposed to do it manually?
If DNA Center is supposed to do it, at which stage does it do so (discovery, provisioning, add to fabric)?
Thank you in advance,
Best regards.
04-25-2019 05:44 AM
04-25-2019 09:42 AM
There are two steps:
1. When you assign devices to a Site in DNAC, the network devices are populated into ISE.
2. When you provision devices in DNAC, the switches receive all the respective AAA / RADIUS config.
Example config for step 2:
!exec: enable
ip tacacs source-interface Loopback0
ip radius source-interface Loopback0
aaa new-model
ip http server
ip http authentication local
ip http max-connections 16
ip http secure-server
ip access-list extended ACL_WEBAUTH_REDIRECT
30 permit tcp any any eq www
40 permit tcp any any eq 443
50 permit tcp any any eq 8443
20 deny ip any host 10.168.124.5
60 deny udp any any eq domain
70 deny udp any eq bootpc any eq bootps
exit
aaa session-id common
aaa group server radius dnac-client-radius-group
server name dnac-radius_10.168.124.5
ip radius source-interface Loopback 0
exit
aaa group server radius dnac-network-radius-group
server name dnac-radius_10.168.124.5
ip radius source-interface Loopback 0
exit
aaa accounting identity default start-stop group dnac-client-radius-group
aaa accounting update newinfo periodic 2880
aaa accounting exec default start-stop group dnac-network-radius-group
aaa authorization network dnac-cts-list group dnac-client-radius-group
aaa authorization network default group dnac-client-radius-group
aaa authorization exec default local
aaa authorization exec VTY_author group dnac-network-radius-group local if-authenticated
aaa authentication login default local
aaa authentication dot1x default group dnac-client-radius-group
aaa authentication login VTY_authen group dnac-network-radius-group local
dot1x system-auth-control
radius server dnac-radius_10.168.124.5
address ipv4 10.168.124.5 auth-port 1812 acct-port 1813
pac key XXX
retransmit 1
timeout 2
exit
radius-server vsa send authentication
radius-server vsa send accounting
radius-server dead-criteria time 5 tries 3
radius-server deadtime 3
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server attribute 25 access-request include
radius-server attribute 8 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
cts authorization list dnac-cts-list
line vty 0 15
login authentication VTY_authen
authorization exec VTY_author
transport input all
aaa server radius dynamic-author
client 10.168.124.5 server-key XXX
client 10.195.181.35 server-key XXX
exit
ip domain-lookup
ip name-server 10.168.124.2
ip domain name tmelab.local
service password-encryption
banner motd #Welcome to SDA TME Lab#
!exec: enable
Can you please post the output of "sh cts pacs" and "sh run aaa" from the Fabric Edge switch?
When you add devices to the fabric and do host onboarding, we push more config, like "cts role-based enforcement" and "cts role-based enforcement vlan-list 1021".
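A quick way to answer the "did the provisioning step push what CTS needs?" question from the "sh run aaa" output the reply asks for is to lint the config for the dependency chain a fabric edge uses when it requests a PAC and environment data from ISE. The script below is an added example written for this thread, not DNA Center or ISE code; the sample config is an abridged copy of the template posted above, the check names and messages are mine, and the chain it enforces is the usual IOS one (cts authorization list, the matching aaa authorization network method list, its RADIUS server group, a radius server with a pac key and address, and a CoA client). It also reports separately whether "cts role-based enforcement", which the reply says arrives later at host onboarding, is present yet.

```python
"""Lint an IOS/IOS-XE running-config (or the DNAC-pushed template) for the AAA and
TrustSec pieces a fabric edge needs before it can download CTS environment data.
Added example for this thread, not DNA Center or ISE code; the checks below are
my reading of the IOS dependency chain, and the messages are my own wording."""
import sys

# Constructed sample: an abridged copy of the step-2 config shown in the reply above.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius dnac-client-radius-group
server name dnac-radius_10.168.124.5
ip radius source-interface Loopback 0
exit
aaa authorization network dnac-cts-list group dnac-client-radius-group
aaa authentication dot1x default group dnac-client-radius-group
radius server dnac-radius_10.168.124.5
address ipv4 10.168.124.5 auth-port 1812 acct-port 1813
pac key XXX
retransmit 1
timeout 2
exit
radius-server vsa send authentication
cts authorization list dnac-cts-list
aaa server radius dynamic-author
client 10.168.124.5 server-key XXX
exit
"""

# Commands that open a sub-mode, and prefixes that always mean "back at global config".
BLOCK_OPENERS = ("radius server ", "aaa group server radius ",
                 "aaa server radius dynamic-author", "line ", "ip access-list ")
TOP_LEVEL = ("aaa ", "cts ", "radius-server ", "radius server ", "dot1x ", "line ",
             "ip http", "ip domain", "ip name-server", "ip access-list", "service ", "banner ")


def parse_blocks(text):
    """Split config into global commands plus {block header: [sub-commands]}.
    Handles both 'show run' indentation and the flat template style with 'exit'."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!exec"):
            continue
        stripped, indented = line.strip(), line[0].isspace()
        if current is not None and (indented or (stripped not in ("exit", "!")
                                                 and not stripped.startswith(TOP_LEVEL))):
            blocks[current].append(stripped)
            continue
        current = None
        if stripped in ("exit", "!"):
            continue
        if stripped.startswith(BLOCK_OPENERS):
            current = stripped
            blocks.setdefault(current, [])
        top.append(stripped)
    return top, blocks


def check_trustsec_prereqs(config_text):
    """Return a list of problems; an empty list means the CTS request chain is complete."""
    top, blocks = parse_blocks(config_text)
    problems = []
    if "aaa new-model" not in top:
        problems.append("aaa new-model is missing")
    cts_lists = [l.split()[3] for l in top if l.startswith("cts authorization list ")]
    if not cts_lists:
        problems.append("no 'cts authorization list': the switch has no method list for CTS requests")
    groups = []
    for lst in cts_lists:  # each CTS list must map to an authorization method list and a group
        prefix = f"aaa authorization network {lst} group "
        hits = [l for l in top if l.startswith(prefix)]
        if not hits:
            problems.append(f"'cts authorization list {lst}' has no matching '{prefix.strip()} ...'")
        groups += [l[len(prefix):].split()[0] for l in hits]
    for group in groups:
        members = blocks.get(f"aaa group server radius {group}")
        if members is None:
            problems.append(f"server group {group} is referenced but not defined")
            continue
        servers = [l.split()[2] for l in members if l.startswith("server name ")]
        if not servers:
            problems.append(f"server group {group} has no 'server name' members")
        for srv in servers:
            attrs = blocks.get(f"radius server {srv}")
            if attrs is None:
                problems.append(f"radius server {srv} is a group member but not defined")
                continue
            if not any(l.startswith("address ipv4 ") for l in attrs):
                problems.append(f"radius server {srv} has no address")
            if not any(l.startswith("pac key ") for l in attrs):
                problems.append(f"radius server {srv} has no 'pac key': no PAC, so no environment data")
    coa = blocks.get("aaa server radius dynamic-author", [])
    if not any(l.startswith("client ") for l in coa):
        problems.append("no CoA client under 'aaa server radius dynamic-author'")
    return problems


def enforcement_configured(config_text):
    """True once the host-onboarding stage has pushed global 'cts role-based enforcement'."""
    return "cts role-based enforcement" in parse_blocks(config_text)[0]


if __name__ == "__main__":  # usage: python cts_lint.py [saved 'show run' file]
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print("\n".join(check_trustsec_prereqs(cfg)) or "CTS request chain complete")
    print("enforcement pushed:", enforcement_configured(cfg))
```

Save the edge's "show run" (or "show run aaa" plus the "cts" lines) to a file and pass it as the argument; an empty problem list with "CTSREQUEST failed" still showing in ISE points at the ISE side (device not in ISE, wrong shared secret, or the environment-data bug mentioned further down) rather than at missing switch config.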
05-10-2019 11:53 AM
Hello Tom,
Can you clarify what you mean by TrustSec configs? Is it the CTS environment data or SGACL? If it's related to CTS environment data, then maybe you are hitting this bug: https://cdetsng.cisco.com/webui/#view=CSCvp02082
I am not aware of a fix for this, and I know it's WIP AFAIK.
Regards
Mahesh N