TrustSec Local Authentication on Cat3K

mhiyoshi, Level 3

Dear all, 

 

I would just like to confirm the following mismatched specification on Cat3K different version.

So, in my understanding, normally when local DOT1X authentication succeeds, the switch learns and creates the IP-SGT mapping table below, but on IOS-XE Ver. 16.X it suddenly cannot learn it with the same configuration as IOS-XE Ver. 3.X.

 

*IOS-XE-Ver.03.07.05.E

Cat3650#sh cts role-based sgt-map all
Active IPv4-SGT Bindings Information

IP Address SGT Source
============================================
1.1.1.1 12 SXP
10.0.40.1 201 LOCAL

 

*IOS-XE-Ver.16.03.06

Cat3650#sh cts role-based sgt-map all
Active IPv4-SGT Bindings Information

IP Address SGT Source
============================================
1.1.1.1 12 SXP

 

So I would appreciate it if there is any additional configuration or specification from 16.X.

 

Best Regards,

 

Masanobu Hiyoshi
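To catch this kind of regression in an audit rather than by reading the table by eye, here is an added check (not from the post and not Cisco code) that parses `show cts role-based sgt-map all` output and flags dot1x hosts whose expected LOCAL binding is absent or was learnt from another source. The two sample outputs are constructed from the captures above, and the expected-host table (which IPs authenticated and which SGT the policy should assign) is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output modelled on the two 'show cts role-based sgt-map all'
# captures in the post (IOS-XE 3.7.5E vs 16.3.6); not real device output.
OUTPUT_3X = """\
Active IPv4-SGT Bindings Information

IP Address SGT Source
============================================
1.1.1.1 12 SXP
10.0.40.1 201 LOCAL
"""

OUTPUT_16X = """\
Active IPv4-SGT Bindings Information

IP Address SGT Source
============================================
1.1.1.1 12 SXP
"""

# One binding row: IPv4 address, numeric SGT, source (LOCAL, SXP, ...).
BINDING_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\S+)\s*$")


def parse_sgt_map(text: str) -> Dict[str, Tuple[int, str]]:
    """Return {ip: (sgt, source)} from 'show cts role-based sgt-map all' output."""
    bindings: Dict[str, Tuple[int, str]] = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            bindings[m.group(1)] = (int(m.group(2)), m.group(3))
    return bindings


def missing_local_bindings(text: str, expected_hosts: Dict[str, int]) -> List[str]:
    """Report dot1x hosts that lack a LOCAL binding carrying the expected SGT."""
    bindings = parse_sgt_map(text)
    problems: List[str] = []
    for ip, sgt in expected_hosts.items():
        entry = bindings.get(ip)
        if entry is None:
            problems.append(f"{ip}: no IP-SGT binding at all (expected SGT {sgt} LOCAL)")
        elif entry[1] != "LOCAL":
            problems.append(f"{ip}: binding learnt from {entry[1]}, not LOCAL")
        elif entry[0] != sgt:
            problems.append(f"{ip}: SGT {entry[0]} differs from expected {sgt}")
    return problems


# Assumed: hosts that passed dot1x and the SGT the authorization policy assigns them.
EXPECTED = {"10.0.40.1": 201}

if __name__ == "__main__":
    for ver, out in (("3.7.5E", OUTPUT_3X), ("16.3.6", OUTPUT_16X)):
        print(ver, missing_local_bindings(out, EXPECTED) or "OK")
```

On real devices, feed the function the captured command output for each switch and alert on any non-empty result, since a host without a LOCAL binding is enforced with the unknown SGT rather than its intended policy.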

3 Replies

Hello,

 

How did you configure CTS in 3.x?

Hello,

 

Not sure if this applies to you, but check the bug below:

 

CTS Untrusted Port with SGT not updated by SISF for IP-SGT
CSCuw77872
Description
Symptom:
IP-SGT mappings are not made for IP hosts learnt on interfaces that are not configured as trusted under cts-manual sub-mode.

Conditions:
When an interface is configured with 'cts manual' without an explicit 'trusted' keyword as in 'policy static sgt trusted'.

Workaround:
Configure the interface as trusted using the 'policy static sgt trusted' configuration under cts manual sub-mode.

Hi Georg,

 

Thank you very much!

I think the bug is very similar to my verification; however, the following output occurs, showing that Dot1x auth cannot co-exist with the cts manual configuration below.

 

Cat3650#sh run int Gi1/0/1
*omit
!
interface GigabitEthernet1/0/1
description ###### HOST #####
switchport access vlan 40
switchport mode access
authentication port-control auto
dot1x pae authenticator
end

Cat3650#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cat3650(config)#int Gi1/0/1
Cat3650(config-if)#cts manual
Command rejected (Gi1/0/1): conflict with Dot1x Auth

 

Best Regards,

 

Masanobu Hiyoshi