02-27-2024 04:55 AM
I'm testing trustsec in a test environment.
I connected a test PC, on a port of a 4500 Sup8 switch.
Initially I excluded Dot1x (TEAP) authentication and configured a static mapping on the port using the cts manual / policy static sgt command.
Another test PC is connected to a 9300 switch, where I again configured the PC port with cts manual, assigning a different tag. The two switches are connected to each other with a link where CTS is enabled.
Everything works correctly. When I change the policy in the TrustSec matrix, enforcement is performed as configured on Cisco ISE. If on the 4500 switch I change the access port configuration, removing the cts manual instruction and configuring the authorization policy on Cisco ISE to assign the TrustSec group, the enforcement does not work anymore.
Could someone help me?
Bye,
JF.
02-28-2024 01:17 AM
Can you see that the tag value is assigned as intended by ISE? You can verify this with the following command:
show cts interface ethernet {port}
02-29-2024 12:51 AM
Hi Torbj0rn,
Thank you for your reply.
I found the problem.
The problem was caused by the switch interface configuration.
Initially I configured CTS as manual, assigning the tag via a static policy. When I configured the interface to activate dot1x authentication, I first had to deactivate cts manual, but when I left interface configuration mode I did not use the exit command, but Ctrl+Z.
By configuring the interface with cts manual again and then disabling it, doing shut / no shut, and then exit, and finally reconfiguring dot1x, everything works!
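To show what this fix looks like on the switch CLI, here is an added configuration example; it is not JF's configuration or Cisco documentation, and the interface name GigabitEthernet1/0/1, the SGT value 10 and the legacy-style dot1x commands are assumptions (the exact dot1x commands depend on the IOS-XE release and whether new-style IBNS is enabled):

```text
! Added example, not from the thread: interface, SGT value and dot1x commands are assumptions.
!
! State that the thread identifies as the cause: a leftover static SGT mapping on the access port.
interface GigabitEthernet1/0/1
 switchport mode access
 cts manual
  policy static sgt 10
!
! Remove the static mapping completely, bounce the port, then let ISE assign the SGT via dot1x.
interface GigabitEthernet1/0/1
 no cts manual
 shutdown
 no shutdown
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 exit
!
! Check that no static policy remains and that the SGT now comes from the ISE authorization result.
show cts interface GigabitEthernet1/0/1
show authentication sessions interface GigabitEthernet1/0/1 details
show cts role-based sgt-map all
```

In the `show cts interface` output the port should no longer report a static SGT policy, and the authentication session details should list the SGT value returned by ISE; if a static policy is still shown, the cts manual configuration has not been fully removed and the ISE-assigned tag will not be used for enforcement.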
02-29-2024 01:36 AM
No problem @ifabrizio! Glad you found the cause of the issue.