SEC0218 - ISE 2.0 TrustSec - SGACL (Part 3)
Category:
Security
The video walks you through configuration of SGACL on Cisco ISE 2.0. Using the SGTs created in the previous video, we will map them into the SGACL matrix and apply the appropriate access policy. We will configure a switch to download SGACLs from ISE and act as our enforcement point (Network as an Enforcer).
Part 3 of this video covers testing of SGACL access policy enforcement.
Topic:
- Security Group ACL (SGACL)
- SGACL Matrix
- SGACL Component
- SGACL Egress Policy
- SGACL Source Tree
6 comments
Cts role
Hi Metha, I used your videos for a lab test.
I'm using the 3750-X and ISE 2.1. I created the SGTs and SGACLs and deployed them via CTS; the switch received the CTS policy. I do see the policy on the switch via show cts role-based, but the policies do not work. When I try to test on a VM authenticated via 802.1X, all policies are allowed.
SW-AVC#sh cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
SGT tag = 2-01:SGT_CTS_DEVICE
Server List Info:
Installed list: CTSServerList1-0001, 1 server(s):
*Server: 10.10.105.15, port 1812, A-ID 9808B51CC798F4A2B700D6B275343F37
Status = ALIVE
auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Security Group Name Table:
0-00:Unknown
2-00:SGT_CTS_DEVICE
100-00:SGT_DC
101-00:SGT_WEB_SRV
102-00:SGT_ACC_SRV
5000-00:SGT_USER_AUTH_ADMIN
5001-00:SGT_USER_AUTH_Users
Environment Data Lifetime = 86400 secs
Last update time = 22:03:39 BRZ-DST Sun Jan 1 2006
Env-data expires in 0:23:59:55 (dd:hr:mm:sec)
Env-data refreshes in 0:23:59:55 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running
IPv4 Role-based permissions default:
Permit IP-00
IPv4 Role-based permissions from group 5001:SGT_USER_AUTH_Users to group 2:SGT_CTS_DEVICE:
Deny IP-00
IPv4 Role-based permissions from group 2:SGT_CTS_DEVICE to group 100:SGT_DC:
PERMIT_ICMP-10
Deny IP-00
IPv4 Role-based permissions from group 5001:SGT_USER_AUTH_Users to group 100:SGT_DC:
DENY_MGMT-10
Permit IP-00
IPv4 Role-based permissions from group 2:SGT_CTS_DEVICE to group 101:SGT_WEB_SRV:
PERMIT_ICMP-10
Deny IP-00
IPv4 Role-based permissions from group 5000:SGT_USER_AUTH_ADMIN to group 101:SGT_WEB_SRV:
PERMIT_MGMT-10
PERMIT_WEB-10
PERMIT_ICMP-10
IPv4 Role-based permissions from group 5001:SGT_USER_AUTH_Users to group 101:SGT_WEB_SRV:
PERMIT_WEB-10
Deny IP-00
IPv4 Role-based permissions from group 2:SGT_CTS_DEVICE to group 102:SGT_ACC_SRV:
PERMIT_ICMP-10
Deny IP-00
IPv4 Role-based permissions from group 5000:SGT_USER_AUTH_ADMIN to group 102:SGT_ACC_SRV:
PERMIT_MGMT-10
Deny IP-00
IPv4 Role-based permissions from group 5001:SGT_USER_AUTH_Users to group 102:SGT_ACC_SRV:
Deny IP-00
IPv4 Role-based permissions from group 2:SGT_CTS_DEVICE to group 5001:SGT_USER_AUTH_Users:
Deny IP-00
IPv4 Role-based permissions from group 102:SGT_ACC_SRV to group 5001:SGT_USER_AUTH_Users:
Deny IP-00
If I try to ping from 5001:SGT_USER_AUTH_Users to 5001:SGT_USER_AUTH_Users (my switch), it works, but in the policy it is denied.
cts role
Metha, I found the problem. I forgot to put the command: cts role-based enforcement
But now I cannot ping the switch in SGT_CTS_DEVICE (SGT 2), and that's right. But when I try to deny for a server (cts sgt-map), it does not work; all flows hit the default rule. Here is my sgt-map:
cts role-based sgt-map 10.10.105.1 sgt 100
cts role-based sgt-map 10.10.105.2 sgt 101
cts role-based sgt-map 10.10.105.15 sgt 102
cts role-based enforcement vlan-list 1105
#Policy
IPv4 Role-based permissions from group 102:SGT_ACC_SRV to group 5001:SGT_USER_AUTH_Users:
Deny IP-00
IPv4 Role-based permissions from group 5001:SGT_USER_AUTH_Users to group 102:SGT_ACC_SRV:
Deny IP-00
Example: when I try to ping 10.10.105.15 from my machine in SGT 5001, it's allowed. Can you help me?
cts role
For the local device it works, but for the mapped SGTs it does not work.
SW-AVC#sh cts role-based sgt-map al
Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
10.10.105.1 100 CLI
10.10.105.2 101 CLI
10.10.105.20 102 CLI
10.10.105.100 5001 LOCAL
10.10.105.251 2 INTERNAL
10.10.105.252 2 INTERNAL
192.168.2.236 2 INTERNAL
192.168.13.1 2 INTERNAL
192.168.14.1 2 INTERNAL
When I try to ping 10.10.105.251 the SGACL works, but when I try to ping 10.10.105.20, it succeeds. Here are my policies:
SW-AVC#sh cts role-based permissions
IPv4 Role-based permissions default:
Permit IP-00
IPv4 Role-based permissions from group 5001:SGT_WIRED_EMPLOYEE to group 2:SGT_CTS_DEVICE:
Deny IP-00
IPv4 Role-based permissions from group 5001:SGT_WIRED_EMPLOYEE to group 101:SGT_WEB_SRV:
Deny IP-00
IPv4 Role-based permissions from group 5001:SGT_WIRED_EMPLOYEE to group 102:SGT_ACCT_SRV:
Deny IP-00
IPv4 Role-based permissions from group 2:SGT_CTS_DEVICE to group 5001:SGT_WIRED_EMPLOYEE:
Deny IP-00
IPv4 Role-based permissions from group 101:SGT_WEB_SRV to group 5001:SGT_WIRED_EMPLOYEE:
Deny IP-00
IPv4 Role-based permissions from group 102:SGT_ACCT_SRV to group 5001:SGT_WIRED_EMPLOYEE:
Deny IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
SW-AVC#sh run | i cts
cts authorization list ise
cts role-based sgt-map 10.10.105.1 sgt 100
cts role-based sgt-map 10.10.105.2 sgt 101
cts role-based sgt-map 10.10.105.20 sgt 102
cts role-based enforcement
cts role-based enforcement vlan-list 1-4094
ping 10.10.105.251 -> Destination net unreachable => OK
ping 10.10.105.20 -> Reply from => Failed
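As an added example (not from the video or from the thread), a small Python helper that reads the two outputs quoted above and, for a given source and destination IP, reports both SGTs and the SGACL cell the switch should apply, falling back to the default policy when the matrix has no cell for that pair. The sample input is a constructed, abridged copy of the sgt-map and permissions output posted above; per that policy, 10.10.105.100 (SGT 5001) to 10.10.105.20 (SGT 102) should hit "Deny IP-00", while traffic to 10.10.105.1 (SGT 100) has no cell and falls to the default "Permit IP-00".

```python
import re

# Constructed sample input: abridged from the 'show cts role-based sgt-map all'
# and 'show cts role-based permissions' output quoted in the thread above.
SGT_MAP = """\
10.10.105.1 100 CLI
10.10.105.2 101 CLI
10.10.105.20 102 CLI
10.10.105.100 5001 LOCAL
10.10.105.251 2 INTERNAL
"""
PERMISSIONS = """\
IPv4 Role-based permissions default:
Permit IP-00
IPv4 Role-based permissions from group 5001:SGT_WIRED_EMPLOYEE to group 2:SGT_CTS_DEVICE:
Deny IP-00
IPv4 Role-based permissions from group 5001:SGT_WIRED_EMPLOYEE to group 102:SGT_ACCT_SRV:
Deny IP-00
"""
CELL_RE = re.compile(r"IPv4 Role-based permissions from group (\d+):\S+ to group (\d+):\S+:")
BIND_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+\S+", re.M)

def parse_sgt_map(text):
    """Return {ip: sgt} from the IP-SGT binding table."""
    return {ip: int(sgt) for ip, sgt in BIND_RE.findall(text)}

def parse_permissions(text):
    """Return (default_acl, {(src_sgt, dst_sgt): [acl, ...]})."""
    default, cells, current = None, {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = CELL_RE.match(line)
        if line.startswith("IPv4 Role-based permissions default:"):
            current = "default"
        elif m:
            current = (int(m.group(1)), int(m.group(2)))
            cells[current] = []
        elif line and current == "default":
            default = line
        elif line and current is not None:
            cells[current].append(line)
    return default, cells

def lookup(src_ip, dst_ip, bindings, default, cells):
    """Classify both endpoints by SGT and return the SGACL entries the switch
    should apply; an unbound IP is SGT 0 (Unknown), a missing cell uses default."""
    src_sgt = bindings.get(src_ip, 0)
    dst_sgt = bindings.get(dst_ip, 0)
    return src_sgt, dst_sgt, cells.get((src_sgt, dst_sgt), [default])
```

Feeding the real output of both show commands into the two parsers gives a quick way to check whether a surprising ping result is explained by the policy as downloaded or by enforcement not taking effect.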
cts role
Are the source and destination on the same switch? What switch are you using, and what software version?
cts role
Yes, source and destination are on the same switch. Switch: 3750-X T-S, version 15.2.4E3.
cts role
As far as we can tell, the output looks good. Maybe it's switch related. We have never tried this on the 3750X, although the compatibility guide says it's supported. Do you have a 3650 or 3850 to test with?