Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2809
Views
0
Helpful
3
Replies

SDA trustsec config is not pushed by DNA

tom.barat@dimensiondata.com
Level 1
Level 1

‎04-25-2019 05:25 AM

Hello,

 

I am deploying software-defined access for a customer and i have trouble with the trustsec configuration.

The issue is that the DNA center did not push cts configuration to fabric switches. As a result there are a ton of "CTSREQUEST failed" radius logs in ISE, and we won't be able to push segmentation policies.

 

Maybe someone can clarify whether the cts configuration is supposed to be pushed by the DNA center or if we are supposed to do it manually ?

If the DNA center is supposed to do it, at which stage does it do so (discovery, provisioning, add to fabric )?

 

Thank you in advance,

Best regards.

Labels:
0 Helpful
3 Replies 3

Mike.Cifelli
VIP Alumni
VIP Alumni

‎04-25-2019 05:44 AM

I have CTS deployed inside of my SDA fabric. DNAC should deploy most of your CTS configuration to your underlay devices. For example, based on how you setup dnac it should deploy things such as AAA statements, radius servers, CTS enforcement, etc. You have the option to configure your group based access control in DNAC and/or ISE. I personally like doing most of the CTS stuff in ISE. If you attempt to add SGTs in DNAC it will just open up your ISE tab.

As for your issue, CTSREQUEST failed, I have seen this before. Can you please ensure that you properly have your pxgrid connection setup between ISE & DNAC. Also, ensure that your underlay devices can reach ISE. Did you manually add your devices in ISE? DNAC should automatically populate the devices and populate your trustsec setup. Can you share the ISE log? You could have a dynamic author issue too.
0 Helpful

Karthik Kumar Thatikonda
Cisco Employee
Cisco Employee

‎04-25-2019 09:42 AM

There are two steps:

1. When you assign devices to Site in DNAC, the network devices are populated into ISE

2. When you provision devices in DNAC, switches will receive all the respective AAA / radius config

 

Example config for step2:

!exec: enable
ip tacacs source-interface Loopback0
ip radius source-interface Loopback0
aaa new-model
ip http server
ip http authentication local
ip http max-connections 16
ip http secure-server
ip access-list extended ACL_WEBAUTH_REDIRECT
 30 permit tcp any any eq www
 40 permit tcp any any eq 443
 50 permit tcp any any eq 8443
 20 deny ip any host 10.168.124.5
 60 deny udp any any eq domain
 70 deny udp any eq bootpc  any eq bootps
exit
aaa session-id common
aaa group server radius dnac-client-radius-group
 server name dnac-radius_10.168.124.5
 ip radius source-interface Loopback 0
exit
aaa group server radius dnac-network-radius-group
 server name dnac-radius_10.168.124.5
 ip radius source-interface Loopback 0
exit
aaa accounting identity default start-stop group dnac-client-radius-group
aaa accounting update newinfo periodic 2880
aaa accounting exec default start-stop group dnac-network-radius-group
aaa authorization network dnac-cts-list group dnac-client-radius-group
aaa authorization network default group dnac-client-radius-group
aaa authorization exec default local
aaa authorization exec VTY_author group dnac-network-radius-group local if-authenticated
aaa authentication login default local
aaa authentication dot1x default group dnac-client-radius-group
aaa authentication login VTY_authen group dnac-network-radius-group local
dot1x system-auth-control
radius server dnac-radius_10.168.124.5
 address ipv4 10.168.124.5 auth-port 1812 acct-port 1813
 pac key XXX
 retransmit 1
 timeout 2
exit
radius-server vsa send authentication
radius-server vsa send accounting
radius-server dead-criteria time 5 tries 3
radius-server deadtime 3
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server attribute 25 access-request include
radius-server attribute 8 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
cts authorization list dnac-cts-list
line vty 0 15
 login authentication VTY_authen
 authorization exec VTY_author
 transport input all
aaa server radius dynamic-author
 client 10.168.124.5 server-key XXX
 client 10.195.181.35 server-key XXX
exit
ip domain-lookup
ip name-server 10.168.124.2
ip domain name tmelab.local
service password-encryption
banner motd #Welcome to SDA TME Lab#
!exec: enable

 

Can you please post the output of "sh cts pacs", "sh run aaa" from Fabric Edge switch?

 

When you add devices to the fabric, and host onboarding, we push more config like cts role-based enforcement, cts role-based enforcement vlan-list 1021

0 Helpful

mnagired
Cisco Employee
Cisco Employee

‎05-10-2019 11:53 AM

Hello Tom,

 

Can you clarify what you meant by trustsec configs? Is it the CTS environment data or SGACL? If its related to CTS Environment data, then may be you hitting this bug..  https://cdetsng.cisco.com/webui/#view=CSCvp02082..

I am not aware of a fix for this and i know its WIP AFAIK.. 

 

Regards

Mahesh N

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents