
Switch End User Interfaces CTS config with Dot1x Authentication

ifabrizio
Level 3

I'm testing TrustSec in a test environment.

I connected a test PC on a port of a 4500 Sup8 switch.

Initially I excluded Dot1x (TEAP) type authentication and configured a static mapping on the port using the cts manual policy static sgt command.

Another test PC is connected to a 9300 switch, where I again configured the PC port with CTS manual, assigning another tag. The two switches are connected to each other with a link where CTS is enabled.

Everything works correctly. By changing the policy on the TrustSec matrix, enforcement is performed on the Cisco ISE. If, on the 4500 switch, I change the access port configuration, removing the cts manual instruction, and configure the authorization policy on the Cisco ISE, assigning the TrustSec group, the enforcement does not work anymore.

Could someone help me?

Bye,

JF.

 

3 Replies

Torbjørn
VIP

Can you see that the tag value is assigned as intended by ISE? You can verify this with the following command:

show cts interface ethernet {port}

 

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

ifabrizio
Level 3

Hi Torbjørn,

Thank you for your reply.

I found the problem.

The problem was caused by the switch interface configuration.

Initially I configured CTS as manual, assigning the tag via static policy. When I configured the interface to activate dot1x type authentication, I first had to deactivate the cts manual, but when I exited the interface configuration mode, I did not use the exit command, but Ctrl+Z.

By configuring the interface again with the CTS manual and then disabling it, then doing shut, no shut and then exit, after reconfiguring the dot1x everything works!

 

Torbjørn
VIP

No problem @ifabrizio! Glad you found the cause of the issue.
