Verify that the WLC is added to ISE for RADIUS and TrustSec. Go to Devices from the ISE main menu.
The Network Device page was pre-configured with the following inputs:
Radius Authentication Settings by checking the box
Advanced TrustSec Settings > Identification by checking the box for use
Device Authentication Settings, configured password
Any device that participates in the CTS network must be authenticated and trusted. To facilitate the authentication process, a new device connected to the CTS network undergoes an enrollment process in which it obtains the credentials specifically needed for CTS device authentication and obtains general CTS environment information.
For ISE TrustSec Policy Configuration, go to > TrustSec from the ISE main menu.
Centers > TrustSec > Components, Security Groups and the associated SGTs
To create an SGACL, go to Components > Security Group ACLs. An example of how to configure an SGACL is shown below:
Centers > TrustSec > TrustSec Policy and view the created policies. We have configured a policy that denies employees and contractors from communicating with each other. Note that the employee tag is 4 and the contractor tag is 5. Clients inherit these tags once they associate to the WLAN.
can be Permit or Deny
the SGACL configuration for the deny rule:
Authorization, where we have configured authorization rules for employee and contractor that pass the tags once the clients are authenticated.
Wireless LAN Controller with ISE, go to > RADIUS > Authentication from the WLC GUI main menu and verify that the ISE server is added.
Click on the server index for ISE and verify that PAC Provisioning is 'Enabled' and the PAC parameters are downloaded from ISE.
TrustSec > General:
configured the same as on ISE
Status shows Complete
Group Table should be populated
Policy and verify the SGT-TAG list to see that the policy is downloaded on the Policy page and that you can see the SGACL:
drill down further to see the ACEs per SGACL:
WLANs on the WLC, select Create New from WLANs and click
profile name as POD1-CTS and click
Enable the WLAN.
Servers, select the AAA server configured above and click Apply.
enable ISE default settings, the WLC automatically configures the following settings on the WLAN Advanced tab:
To test with client traffic without enforcing the SGACL on the AP, follow the steps below:
your client devices, log in as an employee from one client and as a contractor from a different client.
WLC page, check the client details under Clients for both users and the SGT security tag pushed to both.
applications per SGACL, use one device to connect as an employee and the other device as a contractor, and make sure that both clients can ping each other. Below is an example of ICMP communication from the contractor device to an employee device (IP: 10.10.40.200).
TrustSec enforcement on a local mode AP, navigate to
Select an Access point
tab and enforce SGACL as shown below.
SXP or inline config on a Flexconnect AP, go to
enforcing "TrustSec" on the AP, you should not be able to ping between the two clients (employee and contractor), as shown below.
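To make the policy and the two ping tests above concrete, here is an added example (not from this guide or from Cisco) that models the TrustSec policy matrix and first-match SGACL evaluation. It assumes the employee/contractor tags from the guide (4 and 5), a constructed second SGACL and destination tag 6 to show ACE ordering, and a default of permit for matrix cells with no SGACL, matching ISE's default Permit IP catch-all.

```python
# Added example, not from this guide: a small model of the TrustSec policy
# matrix and SGACL evaluation, used to reason about the ping tests described above.
EMPLOYEE, CONTRACTOR = 4, 5          # SGT values stated in the guide

# Constructed SGACLs in Cisco ACE syntax: "<permit|deny> <proto> [dst eq <port>]".
# The deny-all SGACL models the guide's employee/contractor rule; "Web_Only" is an
# assumed extra SGACL that shows ACE ordering (first match wins).
SGACLS = {
    "Deny_Emp_Contractor": "deny ip",
    "Web_Only": "permit tcp dst eq 443\ndeny ip",
}

# Policy matrix cells: (source SGT, destination SGT) -> SGACL name.
# Cells with no entry fall through to the default (assumed "permit", matching
# ISE's default catch-all of Permit IP).
POLICY_MATRIX = {
    (EMPLOYEE, CONTRACTOR): "Deny_Emp_Contractor",
    (CONTRACTOR, EMPLOYEE): "Deny_Emp_Contractor",
    (CONTRACTOR, 6): "Web_Only",     # SGT 6 is a constructed destination group
}

def parse_ace(line):
    """Parse one ACE line into (action, protocol, destination port or None)."""
    parts = line.split()
    if len(parts) not in (2, 5) or parts[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    port = int(parts[4]) if len(parts) == 5 and parts[2:4] == ["dst", "eq"] else None
    return parts[0], parts[1], port

def evaluate(src_sgt, dst_sgt, proto, dst_port=None, enforcing=True, default="permit"):
    """Return 'permit' or 'deny' for a flow; enforcing=False models an AP without SGACL enforcement."""
    if not enforcing:                 # tags are still assigned by ISE, nothing is filtered
        return "permit"
    sgacl = POLICY_MATRIX.get((src_sgt, dst_sgt))
    if sgacl is None:
        return default
    for line in SGACLS[sgacl].splitlines():
        action, ace_proto, port = parse_ace(line)
        # "ip" matches every protocol; a port-less ACE matches every port
        if ace_proto in ("ip", proto) and port in (None, dst_port):
            return action
    return default

def contractor_pings_employee(enforcing):
    """The guide's test: ICMP from the contractor client to the employee client."""
    return evaluate(CONTRACTOR, EMPLOYEE, "icmp", enforcing=enforcing)   # permit / deny
```

Before enforcement is turned on at the AP the ping is permitted even though both clients already carry their SGTs; once enforcing, the (5, 4) cell hits "deny ip" and the ping is dropped.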