View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0216 - ISE 2.0 TrustSec - Network Device Authentication (Part 2)

Rating: 
5
Average: 5 (2 votes)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>
This is the first video of a TrustSec mini series on Cisco ISE 2.0. We will look at the first building block of creating a TrustSec domain which is Network Device Admission Control (NDAC). This will also be our first look at the new TrustSec WorkCenter. We will be configuring a seed device and a non-seed device in this lab, and test SGT propagation.
 
Part 2 of this video covers configuration of a seed switch
 
Topic:
  • TrustSec Dashboard
  • TrustSec WorkCenter
  • Network Device Admission Control (NDAC)
  • Seed and Non-Seed Device
  • SGA Server List
  • TrustSec Environment Data
  • Switch-to-Switch Authorization
  • Flexible Netflow

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

14 comments

I am doing same exactly shown in video but still i am getting 5417 Dynamic Authorization failed

I am passed with PAC provisioned but after that i am getting 5417 Dynamic Authorization failed.

What configuration that i am missing please reply.

Logs
2018-07-31 09:15:45.389
Received Timestamp 2018-07-31 09:15:45.39
Policy Server ise-demo
Event 5417 Dynamic Authorization failed
Failure Reason 11213 No response received from Network Access Device after sending a Dynamic Authorization request
Resolution Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.
Root cause No response received from Network Access Device after sending a Dynamic Authorization request
Network Device LM-SW
Device Type All Device Types
Location All Locations
NAS IPv4 Address 192.168.10.1
Response Time 10005 milliseconds

Can i expect the above ans ?

You probably want to check your switch is configured with dynamic authorization allowing ISE PSN IP with matching key.

Thanks for Reply .

There was some miss configuration in switch side.

I have only one Switch in trustsec environment . so i am confuse where should be or which interface that i can use cts dotx , and sap mode list , and propagate sgt command to use in switch interface .

Please reply fast its a very urgent need.

If you only have one switch then you perform both classification and enforcement on that same switch. There is no need for any command that requires to connect between two switches like we do, like the sap or propagate as those are for inline tagging packet between switches.

I am still waiting for your response . please reply i am stuck.

Why dont you replying ?

I've got a Two-Tier simplified distribution layer design with VSL at core and DC, and port-channels. I've got 3850's all through out running Denila IOS 16.3.x. I've got a pilot lab and found I don't have the option for "cts dotx" on my interface links between DC(seed-sw)>Core /Core>Access.
How critical is it to configure NDAC in the trustsec architecture?
Do I just use "cts manual" on switch>switch interfaces to propagate SGTs?

NDAC is just anohter layer of security preventing unauthorized device from joining your TrustSec domain. If you are ok without, you can just make the port to manual trust and it will work just fine.

Thanks for the feedback but what's not clear where to configure trustsec in the Campus, most docs show 1 switch in examples. Since I'm unable to do NDAC, where seed switch authenticates with ISE to build trust domain with non seed...do I generate pac keys for all my devices (DC/Core/Access) and cts manual on links between the switches to do inline tagging and enforcement?

If you go with the manual trust, there is no need to do NDAC to build trust domain. You just configure cts manual with propagation on ports between trustsec device.

Hello and thank you very much for your videos. The only thing I did not understand is the PAC key command under the radius server configuration. My concerns is about don`t PAC key is automatically provisioned during phase0 of FAST from server? what is purpose of this command. And previously for authentication to work we just need key command under radius configuration but this time you did not use it why? Does PAC KEY command replace it. I did not really understand the PAC KEY command. If it is for server and NAD authentication, didn`t we used cts credentials command?

The pac key command under RADIUS config is for device to authenticate with ISE and download the actual PAC key so they can further exchange CTS info. It has nothing to do with the regular key command that is used for device-server communication for client authentication.