This document describes the use of multiple TrustSec matrices and the DefCon matrix in Cisco Identity Services Engine (ISE) 2.2. This is a new TrustSec feature introduced in ISE 2.2 to provide more granularity in the network.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
In ISE 2.0 it was possible to use only one production TrustSec matrix for all network devices. ISE 2.1 added a feature called the staging matrix, which can be used for testing and implementation. Policies created in the staging matrix are applied only to the network devices used for testing; the remaining devices keep using the production matrix. Once the staging matrix is confirmed to work correctly, all other devices can be moved to it and it becomes the new production matrix.
ISE 2.2 has two new TrustSec features:
It is still possible to use the single matrix, or the production and staging matrices, in ISE 2.2.
To use multiple matrices, the option must be enabled under Work Centers > TrustSec > Settings > Work Process Settings, as shown in the image:
Once this feature is enabled, you can create new matrices and later assign network devices to a specific matrix.
The DefCon matrix is a special matrix that is ready to be deployed at any time. Once it is deployed, all network devices are automatically assigned to this matrix. ISE still remembers the last production matrix of every network device, so the change can be reverted at any time by deactivating DefCon. You can define up to four different DefCon matrices:
DefCon matrices can be used in combination with all three workflow options:
To use multiple matrices, the option must be enabled under Work Process Settings. For this example, also enable the DefCon matrices.
radius server ISE
 address ipv4 10.48.17.161 auth-port 1812 acct-port 1813
 pac key cisco
aaa group server radius ISE
 server name ISE
 ip radius source-interface FastEthernet0
ip radius source-interface FastEthernet0
aaa server radius dynamic-author
 client 10.48.17.161 server-key cisco
aaa new-model
aaa authentication dot1x default group ISE
aaa accounting dot1x default start-stop group ISE
To obtain CTS information, a CTS authorization list must be created:
cts authorization list LIST
aaa authorization network LIST group ISE
To receive the CTS PAC (Protected Access Credential) from ISE, you must configure the same credentials on the switch and on ISE for the network device under Advanced TrustSec Settings:
cts credentials id GALA password cisco
Once this is configured, the switch can download the CTS PAC. Part of it (the PAC-Opaque) is sent as an AV pair in every RADIUS request to ISE, so ISE can verify whether the PAC for this network device is still valid:
GALA#show cts pacs
  AID: E6796CD7BBF2FA4111AD9FB4FEFB5A50
  PAC-Info:
    PAC-type = Cisco Trustsec
    AID: E6796CD7BBF2FA4111AD9FB4FEFB5A50
    I-ID: GALA
    A-ID-Info: Identity Services Engine
    Credential Lifetime: 17:05:50 CEST Apr 5 2017
  PAC-Opaque: 000200B00003000100040010E6796CD7BBF2FA4111AD9FB4FEFB5A50000600940003010012FABE10F3DCBCB152C54FA5BFE124CB00000013586BB31500093A809E11A93189C7BE6EBDFB8FDD15B9B7252EB741ADCA3B2ACC5FD923AEB7BDFE48A3A771338926A1F48141AF091469EE4AFC8C3E92A510BA214A407A33F469282A780E8F50F17A271E92D1FEE1A29ED427B985F9A0E00D6CDC934087716F4DEAF84AC11AA05F7587E898CA908463BDA9EC7E65D827
  Refresh timer is set for 11y13w
Once the PAC is downloaded, the switch can request the other CTS information (environment data and policies):
GALA#cts refresh environment-data
GALA#show cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 0-06:Unknown
Server List Info:
Installed list: CTSServerList1-0001, 1 server(s):
 *Server: 10.48.17.161, port 1812, A-ID E6796CD7BBF2FA4111AD9FB4FEFB5A50
  Status = ALIVE
  auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
  0-ce:Unknown
  2-ce:TrustSec_Devices
  3-ce:Network_Services
  4-ce:Employees
  5-ce:Contractors
  6-ce:Guests
  7-ce:Production_Users
  8-ce:Developers
  9-ce:Auditors
  10-ce:Point_of_Sale_Systems
  11-ce:Production_Servers
  12-ce:Development_Servers
  13-ce:Test_Servers
  14-ce:PCI_Servers
  15-ce:BYOD
  255-ce:Quarantined_Systems
Environment Data Lifetime = 86400 secs
Last update time = 07:48:41 CET Mon Jan 2 2006
Env-data expires in 0:23:56:02 (dd:hr:mm:sec)
Env-data refreshes in 0:23:56:02 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running
GALA#cts refresh policy
GALA#show cts role-based permissions
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
You might notice that no policies were downloaded from ISE. The reason is that CTS enforcement is not enabled on the switch:
cts role-based enforcement
cts role-based enforcement vlan-list 1-4094
GALA#show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
In both outputs you can see the default values: the SGTs created by default (0, 2-15, 255) and the default Permit IP policy.
Create new Security Group Tags (SGTs) and a few policies on ISE for later use. Navigate to Work Centers > TrustSec > Components > Security Groups and click Add to create a new SGT:
To create a Security Group Access Control List (SGACL) for traffic filtering, select Security Group ACLs, as shown in the image:
Similarly, you can create other SGTs and SGACLs. Once the SGTs and SGACLs are created, you can tie them together in CTS policies. To do so, navigate to Work Centers > TrustSec > TrustSec Policy > Egress Policy > Source Tree, as shown in the image:
In this example, you have configured policies for the matrix ForGALA. To switch between matrices, use the drop-down menu. To enable multiple matrices, navigate to Work Centers > TrustSec > Settings > Work Process Settings and enable Multiple Matrices and DefCon Matrices, as shown in the image:
Once this option is enabled, the default Production Matrix is available, but you can create additional matrices. Navigate to Work Centers > TrustSec > TrustSec Policy > Egress Policy > Matrices List and click Add:
There is an option to copy policies from an existing matrix that should become part of the new one. Create two matrices: one for the 3750X switch and another for the 3850 switch. Once the matrices are created, you must assign network devices to them, because by default all TrustSec-enabled network access devices are assigned to the Production matrix.
To assign NADs, click the Assign NADs option under Matrices List, check the devices you want to assign a matrix to, select the created matrix from the drop-down menu, and click Assign, as shown in the image:
You can do the same for the other devices, then click the Assign button:
Once all changes are made, click Close & Send. This sends updates to all devices so that they perform a CTS policy refresh and download the new policies. Similarly, create a DefCon matrix, which you can copy from an existing matrix:
The final policies look like this:
There are two options to assign tags to clients (to create IP-SGT mappings):
Both options are used here: two Windows machines get their SGT tags through dot1x authentication, and the loopback interfaces use static SGT tags. To deploy the dynamic mappings, create authorization policies for the endpoint clients:
To create static IP-SGT mappings, use these commands (example from the GALA switch):
interface Loopback7
 ip address 7.7.7.7 255.255.255.0
interface Loopback2
 ip address 2.2.2.2 255.255.255.0
cts role-based sgt-map 2.2.2.2 sgt 15
cts role-based sgt-map 7.7.7.7 sgt 10
After successful authentication, the client hits the authorization policy with the specific SGT tag, with this result:
GALA#show authentication sessions interface Gi1/0/11 details
            Interface:  GigabitEthernet1/0/11
          MAC Address:  0050.5699.5bd9
         IPv6 Address:  Unknown
         IPv4 Address:  10.0.10.2
            User-Name:  00-50-56-99-5B-D9
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
    Common Session ID:  0A30489C000000120002330D
      Acct Session ID:  0x00000008
               Handle:  0xCE000001
       Current Policy:  POLICY_Gi1/0/11

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure

Server Policies:
            SGT Value:  16

Method status list:
       Method           State
       mab              Authc Success
You can check all IP-SGT mappings with the command show cts role-based sgt-map all, which also shows the source of each mapping (LOCAL: learned through dot1x authentication, CLI: statically assigned):
GALA#show cts role-based sgt-map all
Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
2.2.2.2                 15      CLI
7.7.7.7                 10      CLI
10.0.10.2               16      LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 2
Total number of LOCAL    bindings = 1
Total number of active   bindings = 3
Once the switch has the CTS PAC and has downloaded the environment data, it can request the CTS policies. The switch does not download all policies, only the ones it needs (the policies for traffic destined to the SGT tags it knows about). In the case of the GALA switch, it requests these policies from ISE:
Output of all policies on the GALA switch:
GALA#show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 10:Point_of_Sale_Systems to group 15:BYOD:
        denyIP-20
IPv4 Role-based permissions from group 17:VLAN20 to group 16:VLAN10:
        denyIP-20
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
The switch obtains policies in two ways:
GALA#cts refresh policy
For this example, the final SGT-IP mappings and CTS policies on both switches:
GALA switch:
GALA#show cts role-based sgt-map all
Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
2.2.2.2                 15      CLI
7.7.7.7                 10      CLI
10.0.10.2               16      LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 2
Total number of LOCAL    bindings = 1
Total number of active   bindings = 3
GALA#show cts role-based permissions
IPv4 Role-based permissions default:
Permit IP-00
IPv4 Role-based permissions from group 10:Point_of_Sale_Systems to group 15:BYOD:
denyIP-20
IPv4 Role-based permissions from group 17:VLAN20 to group 15:BYOD:
permitIP-20
IPv4 Role-based permissions from group 17:VLAN20 to group 16:VLAN10:
permitIP-20
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
GALA#show cts rbacl | s permitIP
name = permitIP-20
permit ip
GALA#show cts rbacl | s deny
name = denyIP-20
deny ip
DRARORA switch:
DRARORA#show cts role-based sgt-map all
Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
10.0.20.3               17      LOCAL
10.10.10.10             10      CLI
15.15.15.15             15      CLI

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 2
Total number of LOCAL    bindings = 1
Total number of active   bindings = 3
DRARORA#show cts role-based permissions
IPv4 Role-based permissions default:
Permit IP-00
IPv4 Role-based permissions from group 17:VLAN20 to group 10:Point_of_Sale_Systems:
permitIP-20
IPv4 Role-based permissions from group 10:Point_of_Sale_Systems to group 15:BYOD:
permitIP-20
IPv4 Role-based permissions from group 17:VLAN20 to group 15:BYOD:
permitIP-20
IPv4 Role-based permissions from group 10:Point_of_Sale_Systems to group 17:VLAN20:
denyIP-20
IPv4 Role-based permissions from group 16:VLAN10 to group 17:VLAN20:
permitIP-20
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
Note that the policies on the two switches differ: the cell from SGT 10 to SGT 15 exists on both, but GALA and DRARORA received different SGACLs for it. As a result, traffic from SGT 10 to SGT 15 is permitted on DRARORA but blocked on GALA:
DRARORA#ping 15.15.15.15 source Loopback 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.15, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

GALA#ping 2.2.2.2 source Loopback 7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 7.7.7.7
U.U.U
Success rate is 0 percent (0/5)
Similarly, one Windows machine can reach the other (SGT 17 -> SGT 16):
And the other way round (SGT 16 -> SGT 17):
To confirm that the correct CTS policies are applied, check the output of show cts role-based counters:
GALA#sh cts role-based counters
Role-based IPv4 counters
# '-' in hardware counters field indicates sharing among cells with identical policies
From    To      SW-Denied  HW-Denied  SW-Permitted HW-Permitted
17      16      0          0          0            8
17      15      0          -          0            -
10      15      4          0          0            0
*       *       0          0          127          26
GALA permitted 8 packets (4 from the ping 17 -> 16 and 4 from the ping 16 -> 17).
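The counter check above can be automated. The following added example (not part of the original document) parses the show cts role-based counters output quoted above and reports every SGT cell that dropped packets, so an operator can compare drops against the matrix the switch is supposed to hold:

```python
import re
from typing import List, Optional, Tuple

# "show cts role-based counters" output of the GALA switch as quoted in this
# document, embedded here as constructed sample input.
GALA_COUNTERS = """\
GALA#sh cts role-based counters
Role-based IPv4 counters
# '-' in hardware counters field indicates sharing among cells with identical policies
From    To      SW-Denied  HW-Denied  SW-Permitted HW-Permitted
17      16      0          0          0            8
17      15      0          -          0            -
10      15      4          0          0            0
*       *       0          0          127          26
"""

# One counter row: From, To, SW-Denied, HW-Denied, SW-Permitted, HW-Permitted.
# From/To are SGT numbers or '*' for the default (unmatched) cell.
ROW_RE = re.compile(r"^(\*|\d+)\s+(\*|\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def _count(field: str) -> Optional[int]:
    """A '-' means the hardware cell is shared with another cell with an
    identical policy, so no separate count is available for it."""
    return None if field == "-" else int(field)


def parse_counters(text: str) -> List[dict]:
    """Turn the CLI output into a list of per-cell counter dictionaries."""
    rows = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:  # prompt, title, comment and header lines are skipped
            continue
        src, dst, swd, hwd, swp, hwp = m.groups()
        rows.append({
            "src": src, "dst": dst,
            "sw_denied": _count(swd), "hw_denied": _count(hwd),
            "sw_permitted": _count(swp), "hw_permitted": _count(hwp),
        })
    return rows


def denied_cells(text: str) -> List[Tuple[str, str, int]]:
    """Return (src_sgt, dst_sgt, total_denied) for every explicit cell that
    dropped traffic. The '*' default row is left out because it covers all
    traffic without a specific policy cell."""
    result = []
    for r in parse_counters(text):
        denied = (r["sw_denied"] or 0) + (r["hw_denied"] or 0)
        if denied > 0 and r["src"] != "*":
            result.append((r["src"], r["dst"], denied))
    return result


if __name__ == "__main__":
    for src, dst, n in denied_cells(GALA_COUNTERS):
        print(f"SGT {src} -> SGT {dst}: {n} packet(s) denied")
```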
When needed, deploy a DefCon matrix under Work Centers > TrustSec > TrustSec Policy > Egress Policy > Matrices List: check the DefCon matrix you want to activate and click Activate:
Once DefCon is activated, the menu on ISE looks like this:
And the policies on the switches:
GALA#show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 15:BYOD to group 10:Point_of_Sale_Systems:
        denyIP-20
IPv4 Role-based permissions from group 15:BYOD to group 16:VLAN10:
        denyIP-20
IPv4 Role-based permissions from group 17:VLAN20 to group 16:VLAN10:
        denyIP-20
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE

DRARORA#show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 15:BYOD to group 10:Point_of_Sale_Systems:
        denyIP-20
IPv4 Role-based permissions from group 10:Point_of_Sale_Systems to group 17:VLAN20:
        permitIP-20
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
Traffic from SGT 15 to SGT 10 is not allowed on either switch:
DRARORA#ping 10.10.10.10 source Loopback 15
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 15.15.15.15
U.U.U
Success rate is 0 percent (0/5)

GALA#ping 7.7.7.7 source Loopback 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
U.U.U
Success rate is 0 percent (0/5)
Once the deployment is stable again, you can deactivate DefCon and the switches request their old policies. To deactivate DefCon, navigate to Work Centers > TrustSec > TrustSec Policy > Egress Policy > Matrices List, check the active DefCon matrix and click Deactivate:
Both switches immediately request the old policies:
DRARORA#show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 17:VLAN20 to group 10:Point_of_Sale_Systems:
        permitIP-20
IPv4 Role-based permissions from group 10:Point_of_Sale_Systems to group 15:BYOD:
        permitIP-20
IPv4 Role-based permissions from group 17:VLAN20 to group 15:BYOD:
        permitIP-20
IPv4 Role-based permissions from group 10:Point_of_Sale_Systems to group 17:VLAN20:
        denyIP-20
IPv4 Role-based permissions from group 16:VLAN10 to group 17:VLAN20:
        permitIP-20
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE

GALA#show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 10:Point_of_Sale_Systems to group 15:BYOD:
        denyIP-20
IPv4 Role-based permissions from group 17:VLAN20 to group 15:BYOD:
        permitIP-20
IPv4 Role-based permissions from group 17:VLAN20 to group 16:VLAN10:
        permitIP-20
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
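Because a DefCon activation or deactivation replaces every cell on every switch, it is worth checking the policy a switch actually holds against the matrix it is expected to hold. The following added example (not part of the original document) parses show cts role-based permissions output and diffs two captures; the sample inputs are the GALA outputs quoted in this document before and after DefCon activation:

```python
import re
from typing import Dict, List, Optional, Tuple

# GALA with its production matrix (output quoted earlier in this document),
# embedded here as constructed sample input.
GALA_PRODUCTION = """\
GALA#show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 10:Point_of_Sale_Systems to group 15:BYOD:
        denyIP-20
IPv4 Role-based permissions from group 17:VLAN20 to group 15:BYOD:
        permitIP-20
IPv4 Role-based permissions from group 17:VLAN20 to group 16:VLAN10:
        permitIP-20
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
"""

# The same switch after the DefCon matrix was activated (also from this document).
GALA_DEFCON = """\
GALA#show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 15:BYOD to group 10:Point_of_Sale_Systems:
        denyIP-20
IPv4 Role-based permissions from group 15:BYOD to group 16:VLAN10:
        denyIP-20
IPv4 Role-based permissions from group 17:VLAN20 to group 16:VLAN10:
        denyIP-20
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
"""

CELL_RE = re.compile(r"permissions from group (\d+):\S+ to group (\d+):\S+:")
# (default SGACL name, {(src_sgt, dst_sgt): sgacl_name})
Matrix = Tuple[Optional[str], Dict[Tuple[int, int], str]]


def parse_permissions(text: str) -> Matrix:
    """Parse the CLI output. The SGACL name of a cell is printed on the line
    that follows the cell header, so the header is remembered until then."""
    default: Optional[str] = None
    cells: Dict[Tuple[int, int], str] = {}
    pending = None  # "default" or a (src, dst) key waiting for its SGACL line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CELL_RE.search(line)
        if line.endswith("permissions default:"):
            pending = "default"
        elif m:
            pending = (int(m.group(1)), int(m.group(2)))
        elif pending == "default":
            default = line
            pending = None
        elif pending is not None:
            cells[pending] = line
            pending = None
    return default, cells


def diff_matrices(expected: Matrix, actual: Matrix) -> List[str]:
    """List every cell (and the default) whose SGACL differs between two captures."""
    diffs = []
    if expected[0] != actual[0]:
        diffs.append(f"default: expected {expected[0]}, got {actual[0]}")
    for key in sorted(set(expected[1]) | set(actual[1])):
        e, a = expected[1].get(key), actual[1].get(key)
        if e != a:
            diffs.append(f"{key[0]}->{key[1]}: expected {e}, got {a}")
    return diffs
```

Running diff_matrices on the two captures lists the five cells that changed when DefCon was activated; an empty list after deactivation confirms the production policy is back.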
This is part of a successful PAC provisioning:
GALA#debug cts provisioning packets
GALA#debug cts provisioning events
*Jan 2 04:39:05.707: %SYS-5-CONFIG_I: Configured from console by console
*Jan 2 04:39:05.707: CTS-provisioning: Starting new control block for server 10.48.17.161:
*Jan 2 04:39:05.707: CTS-provisioning: cts_provi_init_socket: Checking for any vrf associated with 10.48.17.161
*Jan 2 04:39:05.707: CTS-provisioning: New session socket: src=10.48.72.156:65242 dst=10.48.17.161:1812
*Jan 2 04:39:05.716: CTS-provisioning: cts_provi_init_socket: Checking for any vrf associated with 10.48.17.161
*Jan 2 04:39:05.716: CTS-provisioning: cts_provi_init_socket: Adding vrf-tableid: 0 to socket
*Jan 2 04:39:05.716: CTS-provisioning: New session socket: src=10.48.72.156:65242 dst=10.48.17.161:1812
*Jan 2 04:39:05.716: CTS-provisioning: Sending EAP Response/Identity to 10.48.17.161
*Jan 2 04:39:05.716: CTS-provisioning: OUTGOING RADIUS msg to 10.48.17.161:
1E010EE0:                   01010090 64BCBC01 7BEF347B
1E010EF0: 1E32C02E 8402A83D 010C4354 5320636C
1E010F00: 69656E74 04060A30 489C3D06 00000000
1E010F10: 06060000 00021F0E 30303037 37643862
1E010F20: 64663830 1A2D0000 00090127 4141413A
1E010F30: 73657276 6963652D 74797065 3D637473
1E010F40: 2D706163 2D70726F 76697369 6F6E696E
1E010F50: 674F1102 00000F01 43545320 636C6965
1E010F60: 6E745012 73EBE7F5 CDA0CF73 BFE4AFB6
1E010F70: 40D723B6 00
*Jan 2 04:39:06.035: CTS-provisioning: INCOMING RADIUS msg from 10.48.17.161:
1EC68460:                   0B0100B5 E4C3C3C1 ED472766
1EC68470: 183F41A9 026453ED 18733634 43504D53
1EC68480: 65737369 6F6E4944 3D306133 30313161
1EC68490: 314C3767 78484956 62414976 37316D59
1EC684A0: 525F4D56 34517741 4C362F69 73517A72
1EC684B0: 7A586132 51566852 79635638 3B343353
1EC684C0: 65737369 6F6E4944 3D766368 72656E65
1EC684D0: 6B2D6973 6532322D 3432332F 32373238
1EC684E0: 32373637 362F3137 37343B4F 1C017400
1EC684F0: 1A2B2100 040010E6 796CD7BB F2FA4111
1EC68500: AD9FB4FE FB5A5050 124B76A2 E7D34684
1EC68510: DD8A1583 175C2627 9F00
*Jan 2 04:39:06.035: CTS-provisioning: Received RADIUS challenge from 10.48.17.161.
*Jan 2 04:39:06.035: CTS-provisioning: A-ID for server 10.48.17.161 is "e6796cd7bbf2fa4111ad9fb4fefb5a50"
*Jan 2 04:39:06.043: CTS-provisioning: Received TX_PKT from EAP method
*Jan 2 04:39:06.043: CTS-provisioning: Sending EAPFAST response to 10.48.17.161
*Jan 2 04:39:06.043: CTS-provisioning: OUTGOING RADIUS msg to 10.48.17.161:
<...>
*Jan 2 04:39:09.549: CTS-provisioning: INCOMING RADIUS msg from 10.48.17.161:
1EC66C50:                   0309002C 1A370BBB 58B828C3
1EC66C60: 3F0D490A 4469E8BB 4F06047B 00045012
1EC66C70: 7ECF8177 E3F4B9CB 8B0280BD 78A14CAA
1EC66C80: 4D
*Jan 2 04:39:09.549: CTS-provisioning: Received RADIUS reject from 10.48.17.161.
*Jan 2 04:39:09.549: CTS-provisioning: Successfully obtained PAC for A-ID e6796cd7bbf2fa4111ad9fb4fefb5a50
The RADIUS reject at the end is expected: the PAC provisioning exchange has completed successfully.
Below is a successful environment-data download seen from the switch:
GALA#debug cts environment-data
GALA#
*Jan 2 04:33:24.702: CTS env-data: Force environment-data refresh
*Jan 2 04:33:24.702: CTS env-data: download transport-type = CTS_TRANSPORT_IP_UDP
*Jan 2 04:33:24.702: cts_env_data START: during state env_data_complete, got event 0(env_data_request)
*Jan 2 04:33:24.702: cts_aaa_attr_add: AAA req(0x5F417F8)
*Jan 2 04:33:24.702: username = #CTSREQUEST#
*Jan 2 04:33:24.702: cts_aaa_context_add_attr: (CTS env-data SM)attr(GALA)
*Jan 2 04:33:24.702: cts-environment-data = GALA
*Jan 2 04:33:24.702: cts_aaa_attr_add: AAA req(0x5F417F8)
*Jan 2 04:33:24.702: cts_aaa_context_add_attr: (CTS env-data SM)attr(env-data-fragment)
*Jan 2 04:33:24.702: cts-device-capability = env-data-fragment
*Jan 2 04:33:24.702: cts_aaa_req_send: AAA req(0x5F417F8) successfully sent to AAA.
*Jan 2 04:33:25.474: cts_aaa_callback: (CTS env-data SM)AAA req(0x5F417F8) response success
*Jan 2 04:33:25.474: cts_aaa_context_fragment_cleanup: (CTS env-data SM)attr(GALA)
*Jan 2 04:33:25.474: cts_aaa_context_fragment_cleanup: (CTS env-data SM)attr(env-data-fragment)
*Jan 2 04:33:25.474: AAA attr: Unknown type (450).
*Jan 2 04:33:25.474: AAA attr: Unknown type (274).
*Jan 2 04:33:25.474: AAA attr: server-list = CTSServerList1-0001.
*Jan 2 04:33:25.482: AAA attr: security-group-tag = 0000-10.
*Jan 2 04:33:25.482: AAA attr: environment-data-expiry = 86400.
*Jan 2 04:33:25.482: AAA attr: security-group-table = 0001-19.
*Jan 2 04:33:25.482: CTS env-data: Receiving AAA attributes
  CTS_AAA_SLIST
    slist name(CTSServerList1) received in 1st Access-Accept
    slist name(CTSServerList1) created
  CTS_AAA_SECURITY_GROUP_TAG - SGT = 0-10:unicast-unknown
  CTS_AAA_ENVIRONMENT_DATA_EXPIRY = 86400.
  CTS_AAA_SGT_NAME_LIST
    table(0001) received in 1st Access-Accept
    need a 2nd request for the SGT to SG NAME entries
    new name(0001), gen(19)
  CTS_AAA_DATA_END
*Jan 2 04:33:25.784: cts_aaa_callback: (CTS env-data SM)AAA req(0x8853E60) response success
*Jan 2 04:33:25.784: cts_aaa_context_fragment_cleanup: (CTS env-data SM)attr(0001)
*Jan 2 04:33:25.784: AAA attr: Unknown type (450).
*Jan 2 04:33:25.784: AAA attr: Unknown type (274).
*Jan 2 04:33:25.784: AAA attr: security-group-table = 0001-19.
*Jan 2 04:33:25.784: AAA attr: security-group-info = 0-10-00-Unknown.
*Jan 2 04:33:25.784: AAA attr: security-group-info = ffff-13-00-ANY.
*Jan 2 04:33:25.784: AAA attr: security-group-info = 9-10-00-Auditors.
*Jan 2 04:33:25.784: AAA attr: security-group-info = f-32-00-BYOD.
*Jan 2 04:33:25.784: AAA attr: security-group-info = 5-10-00-Contractors.
*Jan 2 04:33:25.784: AAA attr: security-group-info = 8-10-00-Developers.
*Jan 2 04:33:25.784: AAA attr: security-group-info = c-10-00-Development_Servers.
*Jan 2 04:33:25.784: AAA attr: security-group-info = 4-10-00-Employees.
*Jan 2 04:33:25.784: AAA attr: security-group-info = 6-10-00-Guests.
*Jan 2 04:33:25.784: AAA attr: security-group-info = 3-10-00-Network_Services.
*Jan 2 04:33:25.784: AAA attr: security-group-info = e-10-00-PCI_Servers.
*Jan 2 04:33:25.784: AAA attr: security-group-info = a-23-00-Point_of_Sale_Systems.
*Jan 2 04:33:25.784: AAA attr: security-group-info = b-10-00-Production_Servers.
*Jan 2 04:33:25.793: AAA attr: security-group-info = 7-10-00-Production_Users.
*Jan 2 04:33:25.793: AAA attr: security-group-info = ff-10-00-Quarantined_Systems.
*Jan 2 04:33:25.793: AAA attr: security-group-info = d-10-00-Test_Servers.
*Jan 2 04:33:25.793: AAA attr: security-group-info = 2-10-00-TrustSec_Devices.
*Jan 2 04:33:25.793: AAA attr: security-group-info = 10-24-00-VLAN10.
*Jan 2 04:33:25.793: AAA attr: security-group-info = 11-22-00-VLAN20.
*Jan 2 04:33:25.793: CTS env-data: Receiving AAA attributes
  CTS_AAA_SGT_NAME_LIST
    table(0001) received in 2nd Access-Accept
    old name(0001), gen(19)
    new name(0001), gen(19)
  CTS_AAA_SGT_NAME_INBOUND - SGT = 0-68:unicast-unknown flag (128) sgname (Unknown) added
    name (0001), request (1), receive (1)
    cts_env_data_aaa_sgt_sgname, name = 0001, req = 1, rcv = 1
    Setting SG Name receving bit CTS_ENV_DATA_SGT_NAME_ENTRY on
  CTS_AAA_SGT_NAME_INBOUND - SGT = 65535-68:unicast-default flag (128) sgname (ANY) added
    name (0001), request (1), receive (1)
    cts_env_data_aaa_sgt_sgname, name = 0001, req = 1, rcv = 1
    Setting SG Name receving bit CTS_ENV_DATA_SGT_NAME_ENTRY on
  CTS_AAA_SGT_NAME_INBOUND - SGT = 9-68 flag (128) sgname (Auditors) added
    name (0001), request (1), receive (1)
    cts_env_data_aaa_sgt_sgname, name = 0001, req = 1, rcv = 1
    Setting SG Name receving bit CTS_ENV_DATA_SGT_NAME_ENTRY on
  CTS_AAA_SGT_NAME_INBOUND - SGT = 15-68 flag (128) sgname (BYOD) added
    name (0001), request (1), receive (1)
    cts_env_data_aaa_sgt_sgname, name = 0001, req = 1, rcv = 1
    Setting SG Name receving bit CTS_ENV_DATA_SGT_NAME_ENTRY on
  CTS_AAA_SGT_NAME_INBOUND - SGT = 5-68 flag (128) sgname (Contractors) added
    name (0001), request (1), receive (1)
    cts_env_data_aaa_sgt_sgname, name = 0001, req = 1, rcv = 1
    Setting SG Name receving bit CTS_ENV_DATA_SGT_NAME_ENTRY on
  CTS_AAA_SGT_NAME_INBOUND - SGT = 8-68 flag (128) sgname (Developers) added
    name (0001), request (1), receive (1)
    cts_env_data_aaa_sgt_sgname, name = 0001, req = 1, rcv = 1
    Setting SG Name receving bit CTS_ENV_DATA_SGT_NAME_ENTRY on
  CTS_AAA_SGT_NAME_INBOUND - SGT = 12-68 flag (128) sgname (Development_Servers) added
    name (0001), request (1), receive (1)
    cts_env_data_aaa_sgt_sgname, name = 0001, req = 1, rcv = 1
    Setting SG Name receving bit CTS_ENV_DATA_SGT_NAME_ENTRY on
  CTS_AAA_SGT_NAME_INBOUND - SGT = 4-68 flag (128) sgname (Employees) added
    name (0001), request (1), receive (1)
    cts_env_data_aaa_sgt_sgname, na
*Jan 2 04:33:25.793: cts_env_data WAITING_RESPONSE: during state env_data_waiting_rsp, got event 1(env_data_received)
*Jan 2 04:33:25.793: @@@ cts_env_data WAITING_RESPONSE: env_data_waiting_rsp -> env_data_assessing
*Jan 2 04:33:25.793: env_data_assessing_enter: state = ASSESSING
*Jan 2 04:33:25.793: cts_aaa_is_fragmented: (CTS env-data SM)NOT-FRAG attr_q(0)
*Jan 2 04:33:25.793: env_data_assessing_action: state = ASSESSING
*Jan 2 04:33:25.793: cts_env_data_is_complete: FALSE, req(x1085), rec(x1487)
*Jan 2 04:33:25.793: cts_env_data_is_complete: TRUE, req(x1085), rec(x1487), expect(x81), complete1(x85), complete2(xB5), complete3(x1485)
*Jan 2 04:33:25.793: cts_env_data ASSESSING: during state env_data_assessing, got event 4(env_data_complete)
*Jan 2 04:33:25.793: @@@ cts_env_data ASSESSING: env_data_assessing -> env_data_complete
*Jan 2 04:33:25.793: env_data_complete_enter: state = COMPLETE
*Jan 2 04:33:25.793: env_data_install_action: state = COMPLETE
CTS policies are pushed as part of RADIUS messages, so setting the runtime-AAA logging component to debug on ISE (Administration > Logging > Debug Log Configuration) together with the debugs below on the switch should be enough to troubleshoot any CTS-related issue:
debug cts coa
debug radius
Additionally, check the matched policies on the 3750X switch:
GALA#show cts role-based counters
Role-based IPv4 counters
# '-' in hardware counters field indicates sharing among cells with identical policies
From    To      SW-Denied  HW-Denied  SW-Permitted HW-Permitted
10      15      5          0          0            0
*       *       0          0          815          31
17      15      0          0          0            0
17      16      0          -          0            -
Because of Cisco bug ID CSCuu32958, you cannot use the same command on the 3850.
Revision | Publish Date | Comments
---|---|---
1.0 | 14-Feb-2017 | Initial Release