此条款描述如何配置在Cisco Secure可适应安全工具(ASA)和思科Catalyst 3750X系列交换机(3750X)的思科TrustSec (CTS)。
为了学习安全组标记(SGTs)和IP地址之间的映射, ASA使用SGT交换协议(SXP)。然后,根据SGT的访问控制列表(ACL)用于为了过滤流量。3750X下载从思科身份服务引擎(ISE)的基于任务的访问控制表(RBACL)策略和根据他们的过滤流量。此条款选派数据包级别为了描述通信如何运行和预计调试。
Cisco 建议您具有以下主题的基础知识:
本文档中的信息基于以下软件和硬件版本:
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。
这是通信流:
在成功认证以后, ISE返回SGT和标记对验证会话的3750X捆绑。交换机也学习两个站点的IP地址用IP设备trace命令。交换机然后使用SXP为了发送在SGT和IP地址之间的映射表到ASA。两微软视窗PCs有一个默认路由对ASA的该点。
在ASA收到从被映射对SGT的IP地址后的流量,能使用根据军士的ACL。并且,当您使用3750X作为路由器(两个微软视窗站点的默认网关)时,能过滤根据策略的流量下载从ISE。
这是配置和验证的步骤,其中每一在其自己的部分被选派后在本文:
这是802.1x或MAB的典型配置。RADIUS崔凡吉莱授权(CoA)必要,只有当您使用从ISE时的活动通知。
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization network ise group radius
aaa accounting dot1x default start-stop group radius
!Radius COA
aaa server radius dynamic-author
client 10.48.66.129 server-key cisco
server-key cisco
ip device tracking
interface GigabitEthernet1/0/1
description windowsxp
switchport mode access
authentication order mab dot1x
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
!
interface GigabitEthernet1/0/2
description windows7
switchport mode access
authentication order mab dot1x
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
radius-server host 10.48.66.129 pac key cisco
radius-server host 10.48.66.129 auth-port 1812
radius-server vsa send accounting
radius-server vsa send authentication
ISE必须有两个网络设备配置在Administration >网络设备下:
对于微软视窗7,使用MAB验证,您必须创建终端标识(MAC地址)在Administration >身份管理>标识>终端下:
对于微软视窗XP,使用802.1x验证,您必须创建用户标识(用户名)在Administration >身份管理>标识> Users下:
使用用户名cisco。配置扩展验证协议保护的EAP的(EAP-PEAP)微软视窗XP与这些凭证。
在ISE,使用默认验证策略(请勿更改此)。第一是MAB验证的策略,并且第二是802.1x :
为了配置授权策略,您必须定义授权配置文件在策略>结果>授权>授权配置文件下。与可下载的ACLs (DACL)的VLAN10-Profile,允许所有流量,使用微软视窗7配置文件:
一相似的配置, VLAN20-Profile,使用微软视窗XP有对VLAN号(20)的例外。
为了配置SGT组(标记)在ISE,请导航对策略>结果> Security组访问> Security组。
为了创建SGACL允许互联网控制消息协议(ICMP)流量,请导航对策略>结果> Security组访问> Security组ACL :
为了创建策略,请导航对策略> Security组访问>出口策略。对于VLAN10和未知VLAN之间的流量或VLAN10或者VLAN20,使用ICMP ACL (permit icmp) :
为了设置授权规则,请导航对策略>授权。对于微软视窗7 (特定MAC地址), VLAN10-Profile,返回VLAN10和DACL和安全配置文件VLAN10与SGT名为VLAN10一起使用。对于微软视窗XP (特定用户名), VLAN20-Profile,返回VLAN 20和DACL和安全配置文件VLAN20与SGT名为VLAN20一起使用。
停止交换机和ASA配置为了他们能接受SGT RADIUS属性。
您必须配置基本CTS设置。在3750X,您必须从应该下载哪些服务器策略指示:
aaa authorization network ise group radius
cts authorization list ise
在ASA,仅AAA服务器与CTS一起是需要的对该服务器的该点:
aaa-server ISE protocol radius
aaa-server ISE (mgmt) host 10.48.66.129
key *****
cts server-group ISE
在CTS网云的每个设备必须验证到认证服务器(ISE)为了由其它设备委托。它通过安全协议(EAP-FAST)方法(RFC 4851)使用扩展验证灵活协议验证此。此方法要求您有PAC传送的带外。此进程在任何RFC也呼叫phase0和没有定义。EAP-FAST的PAC有一个相似的角色作为扩展验证传输层安全的(EAP-TLS)证书。PAC用于为了设立安全隧道(phase1),为在第2阶段的验证是需要的。
设置在3750X的PAC
3750X支持自动PAC设置。一个共享密码在交换机和ISE用于为了下载PAC。在Administration >网络资源>网络设备下的ISE必须配置该密码和ID。选择交换机,并且扩展先进的TrustSec设置部分为了配置:
为了有PAC请使用这些凭证,输入这些命令:
bsns-3750-5#cts credentials id 3750X password ciscocisco
bsns-3750-5#show cts pacs
AID: C40A15A339286CEAC28A50DBBAC59784
PAC-Info:
PAC-type = Cisco Trustsec
AID: C40A15A339286CEAC28A50DBBAC59784
I-ID: 3750X
A-ID-Info: Identity Services Engine
Credential Lifetime: 08:04:40 UTC Sep 25 2013
PAC-Opaque: 000200B00003000100040010C40A15A339286CEAC28A50DBBAC59784000600940003
010094F559DAE0C837D7847F2454CAD7E80B0000001351C8235900093A803D7D427BFB5C6F0FBBDF
7EDF0818C58FECF97F8BDECF1B115FB0240260ADA8C96A46AA2A64C9EA2DB51E0E886768CA2D133D
2468D9D33339204BAA7E4CA2DE8E37FF1EB5BCB343408E9847998E301C26DDC6F91711F631A5B4C7
C2CB09EAB028630A3B22901FE3EF44F66FD019D09D2C46D92283
Refresh timer is set for 2y24w
设置在ASA的PAC
ASA支持手工PAC只设置。这意味着您在ISE必须手工生成它(在网络Devices/ASA) :
然后必须安装文件(例如,与FTP) :
bsns-asa5510-17(config)# cts import-pac ftp://ftp:ftp@10.147.25.80/ASA.pac
password ciscocisco
!PAC Imported Successfully
bsns-asa5510-17(config)# show cts pac
PAC-Info:
Valid until: Jul 04 2014 13:33:02
AID: c40a15a339286ceac28a50dbbac59784
I-ID: ASA
A-ID-Info: Identity Services Engine
PAC-type: Cisco Trustsec
PAC-Opaque:
000200a80003000100040010c40a15a339286ceac28a50dbbac597840006008c000301
0003d64668f2badc76e251683394b3d5690000001351d15dd900093a8044df74b2b71f
e667d7b908db7aeea3229e61462bdb70f46580bef9425011126bbf6c2f4212ccdacf08
c01ddbc7608c3a1ddeb996ba9bfbd1b207281e3edc9ff61b9e800f225dc3f82bd5f794
7e0a86bee8a3d437af93f54e61858bac877c58d3fe0ec6be54b4c75fad23e1fd
在此阶段,两个设备有正确地安装的PAC和自动地启动下载ISE环境数据。此数据基本上是标签和他们的名称。为了触发在ASA的环境刷新,请输入此命令:
bsns-asa5510-17# cts refresh environment-data
为了验证它在ASA (不幸地您看不到特定SGT标记/名称,但是验证的以后),请输入此命令:
bsns-asa5510-17(config)# show cts environment-data
CTS Environment Data
====================
Status: Active
Last download attempt: Successful
Environment Data Lifetime: 86400 secs
Last update time: 05:05:16 UTC Apr 14 2007
Env-data expires in: 0:23:56:15 (dd:hr:mm:sec)
Env-data refreshes in: 0:23:46:15 (dd:hr:mm:sec)
为了验证它在3750X,请触发环境刷新用此命令:
bsns-3750-5#cts refresh environment-data
为了验证结果,请输入此命令:
bsns-3750-5#show cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
SGT tag = 0-01:Unknown
Server List Info:
Installed list: CTSServerList1-0001, 1 server(s):
*Server: 10.48.66.129, port 1812, A-ID C40A15A339286CEAC28A50DBBAC59784
Status = ALIVE flag(0x11)
auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins,
deadtime = 20 secs
Security Group Name Table:
0001-60 :
0-47:Unknown
2-47:VLAN10
3-47:VLAN20
4-47:VLAN100
Transport type = CTS_TRANSPORT_IP_UDP
Environment Data Lifetime = 86400 secs
Last update time = 05:33:49 UTC Thu Apr 7 2011
Env-data expires in 0:16:46:50 (dd:hr:mm:sec)
Env-data refreshes in 0:16:46:50 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running
这显示所有标记和对应的名称正确地下载。
在3750X有环境数据后,您必须验证SGTs应用给认证的会话。
为了验证,如果微软视窗7正确地验证,请输入此命令:
bsns-3750-5#show authentication sessions interface g1/0/2
Interface: GigabitEthernet1/0/2
MAC Address: 0050.5699.4eb2
IP Address: 192.168.1.200
User-Name: 00-50-56-99-4E-B2
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 10
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2
SGT: 0002-0
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A80001000001002B67334C
Acct Session ID: 0x00000179
Handle: 0x94000101
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
输出显示VLAN10与SGT 0002和DACL一起使用允许所有流量。
为了验证,如果微软视窗XP正确地验证,请输入此命令:
bsns-3750-5#sh authentication sessions interface g1/0/1
Interface: GigabitEthernet1/0/1
MAC Address: 0050.5699.4ea1
IP Address: 192.168.2.200
User-Name: cisco
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 20
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2
SGT: 0003-0
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A80001000000FE2B67334C
Acct Session ID: 0x00000177
Handle: 0x540000FF
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
输出显示VLAN 20与SGT 0003和DACL一起使用允许所有流量
IP地址用跟踪功能的IP设备检测。应该为监听的dhcp配置DHCP交换机。然后,在监听的DHCP响应以后,它学习客户端的IP地址。对于一个静态配置的IP地址(类似在本例中),使用arp监听的功能,并且PC必须发送交换机的所有数据包能能检测其IP地址。
对于跟踪的设备,隐藏命令在端口也许是需要的为了激活它:
bsns-3750-5#ip device tracking interface g1/0/1
bsns-3750-5#ip device tracking interface g1/0/2
bsns-3750-5#show ip device tracking all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 0
-----------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
-----------------------------------------------------------------------
192.168.1.200 0050.5699.4eb2 10 GigabitEthernet1/0/2 ACTIVE
192.168.2.200 0050.5699.4ea1 20 GigabitEthernet1/0/1 ACTIVE
Total number interfaces enabled: 2
Enabled interfaces:
Gi1/0/1, Gi1/0/2
3750X (不同于ASA)能下载从ISE的策略。在它下载并且强制执行策略前,您必须用这些命令启用它:
bsns-3750-5(config)#cts role-based enforcement
bsns-3750-5(config)#cts role-based enforcement vlan-list 1-1005,1007-4094
如果不启用它,策略下载,但是没有安装和没有使用实施。
为了触发策略刷新,请输入此命令:
bsns-3750-5#cts refresh policy
Policy refresh in progress
为了验证策略从ISE下载,请输入此命令:
bsns-3750-5#show cts role-based permissions
IPv4 Role-based permissions default:
Permit IP-00
IPv4 Role-based permissions from group 2:VLAN10 to group Unknown:
ICMP-20
IPv4 Role-based permissions from group 2:VLAN10 to group 2:VLAN10:
ICMP-20
IPv4 Role-based permissions from group 2:VLAN10 to group 3:VLAN20:
ICMP-20
Deny IP-00
输出显示策略的仅必要的部分下载。
在CTS网云,数据包包含源主机的SGT,并且实施做在目的地设备。这意味着数据包从来源转发到最后设备,连接直接地到目的地主机。该设备是问题的实施,因为认识其直接连接的主机SGTs,并且知道有来源的SGT流入数据包应该是否为特定目的地军士允许或拒绝。
此决策根据从ISE下载的策略。
在此方案中,所有策略下载。然而,如果清除微软视窗XP验证会话(SGT=VLAN20),然后没有需要对于交换机下载对应于VLAN20的所有策略(行),因为那儿不从那的无设备SGT连接对交换机。
先进的(故障排除)部分说明3750X如何决定应该下载哪些策略与数据包级别的考试。
ASA不支持军士。有SGT的所有帧由ASA丢弃。所以3750X不能发送SGT经过标记的帧到ASA。反而,使用SXP。此协议允许ASA获得从交换机的信息关于IP地址和军士之间的映射。有该信息, ASA能映射IP地址到SGTs和做出根据SGACL的决策。
为了配置3750X作为扬声器,请输入这些命令:
cts sxp enable
cts sxp default source-ip 192.168.1.10
cts sxp default password cisco
cts sxp connection peer 192.168.1.1 password default mode local
为了配置ASA作为监听程序,请输入这些命令:
cts sxp enable
cts sxp default password *****
cts sxp default source-ip 192.168.1.1
cts sxp connection peer 192.168.1.10 password default mode local listener
为了验证ASA接收映射,请输入此命令:
bsns-asa5510-17# show cts sxp sgt-map ipv4 detail
Total number of IP-SGT mappings : 2
Total number of IP-SGT mappings shown: 2
SGT : 2:VLAN10
IPv4 : 192.168.1.200
Peer IP : 192.168.1.10
Ins Num : 1
Status : Active
Seq Num : 49
SGT : 3:VLAN20
IPv4 : 192.168.2.200
Peer IP : 192.168.1.10
Ins Num : 1
Status : Active
Seq Num : 39
现在,当ASA收到有源IP地址的192.168.1.200时流入数据包,能对待它,好象它来自SGT=2。对于源IP地址192.168.200.2,能对待它,好象它来自SGT=3。同样申请目的IP地址。
这是ASA配置的检查:
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
ACL创建并且应用对内部接口。它允许所有ICMP流量从SGT=3到SGT=2 (呼叫VLAN10) :
access-list inside extended permit icmp security-group tag 3 any security-group
name VLAN10 any
access-group inside in interface inside
如果从与源IP地址的微软视窗XP ping 192.168.2.200 (SGT=3)对微软视窗7用192.168.1.200 (SGT=2)的IP地址, ASA建立连接:
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.200/0
(2:VLAN10) gaddr 192.168.2.200/512 laddr 192.168.2.200/512(3:VLAN20)
当您尝试同样与Telnet时,流量阻塞:
Deny tcp src inside:192.168.2.200/2478(3:VLAN20) dst outside:192.168.1.200/23
(2:VLAN10) by access-group "inside"
有在ASA的更多配置选项。使用安全标记和IP地址来源和目的地是可能的。此规则允许从SGT标记的ICMP回音流量= 3和IP地址192.168.2.200对名为VLAN10和目的地主机地址的SGT标记192.168.1.200 :
access-list inside extended permit icmp security-group tag 3 host 192.168.2.200
security-group name VLAN10 host 192.168.1.200 echo
这可能用对象组也完成:
object-group security SGT-VLAN-10
security-group name VLAN10
object-group security SGT-VLAN-20
security-group tag 3
object-group network host1
network-object host 192.168.1.200
object-group network host2
network-object host 192.168.2.200
object-group service my-icmp-echo
service-object icmp echo
access-list inside extended permit object-group my-icmp-echo
object-group-security SGT-VLAN-20 object-group host2 object-group-security
SGT-VLAN-10 object-group host1
定义在交换机的本地策略也是可能的。然而,此示例从ISE下载的目前的政策。在ASA定义的策略在一个规则允许使用IP地址和SGTs (和用户名从活动目录)。在交换机定义的策略(本地和从ISE)仅允许SGTs。如果在您的规则需要使用IP地址,则推荐在ASA的过滤。
微软视窗XP和微软视窗7之间的ICMP流量测试。对于此,您必须更换从ASA的默认网关到在微软视窗的3750X。3750X有路由接口并且能路由数据包:
interface Vlan10
ip address 192.168.1.10 255.255.255.0
!
interface Vlan20
ip address 192.168.2.10 255.255.255.0
策略从ISE已经下载。为了验证他们,请输入此命令:
bsns-3750-5#show cts role-based permissions
IPv4 Role-based permissions default:
Permit IP-00
IPv4 Role-based permissions from group 2:VLAN10 to group Unknown:
ICMP-20
IPv4 Role-based permissions from group 2:VLAN10 to group 2:VLAN10:
ICMP-20
IPv4 Role-based permissions from group 2:VLAN10 to group 3:VLAN20:
ICMP-20
Deny IP-00
从VLAN10的流量(对VLAN20 (MS Windows XP)的微软视窗7)对ICMP-20 ACL被服从,从ISE下载:
bsns-3750-5#show ip access-lists ICMP-20
Role-based IP access list ICMP-20 (downloaded)
10 permit icmp
为了验证ACL,请输入此命令:
bsns-3750-5#show cts rbacl
CTS RBACL Policy
================
RBACL IP Version Supported: IPv4
name = Deny IP-00
IP protocol version = IPV4
refcnt = 2
flag = 0x41000000
stale = FALSE
RBACL ACEs:
deny ip
name = ICMP-20
IP protocol version = IPV4
refcnt = 6
flag = 0x41000000
stale = FALSE
RBACL ACEs:
permit icmp
name = Permit IP-00
IP protocol version = IPV4
refcnt = 2
flag = 0x41000000
stale = FALSE
RBACL ACEs:
permit ip
为了验证SGT映射确保,从两台主机的流量正确地被标记,请输入此命令:
bsns-3750-5#show cts role-based sgt-map all
Active IP-SGT Bindings Information
IP Address SGT Source
============================================
192.168.1.200 2 LOCAL
192.168.2.200 3 LOCAL
IP-SGT Active Bindings Summary
============================================
Total number of LOCAL bindings = 2
Total number of active bindings = 2
从微软视窗7 (SGT=2)的ICMP对微软视窗XP (SGT=3)良好工作与ACL ICMP-20。这通过检查计数器验证从2的流量到3 (15允许的数据包) :
bsns-3750-5#show cts role-based counters
Role-based IPv4 counters
# '-' in hardware counters field indicates sharing among cells with identical
policies
From To SW-Denied HW-Denied SW-Permitted HW-Permitted
2 0 0 0 1695 224
2 2 0 - 0 -
* * 0 0 133258 132921
2 3 0 0 0 15
在您尝试使用Telnet计数器后,已拒绝数据包增加(在ICMP-20 ACL没有允许) :
bsns-3750-5#show cts role-based counters
Role-based IPv4 counters
# '-' in hardware counters field indicates sharing among cells with identical
policies
From To SW-Denied HW-Denied SW-Permitted HW-Permitted
2 0 0 0 1695 224
2 2 0 - 0 -
* * 0 0 133281 132969
2 3 0 2 0 15
当您有与日志关键字的ACL条目(定义在ISE)时,对应的信息包详细信息,并且采取的行动在与日志关键字的所有ACL被记录正如。
参考验证程序的各自的配置部分。
当您使用自动PAC设置时,问题也许出现。切记使用pac关键字RADIUS服务器。使用Microsoft的挑战握手验证协议(EAP-MSCHAPv2)验证,设置在3750X的自动PAC以与内在方法的可扩展的认证协议使用EAP-FAST方法。当您调试,您看到是被使用EAP-FAST协商的部分为了构建安全隧道,以已配置的ID和密码使用EAP-MSCHAPv2验证的多个RADIUS消息。
第一个RADIUS请求使用=cts-pac-provisioning AAA的服务类型为了通知ISE这是PAC请求。
bsns-3750-5#debug cts provisioning events
bsns-3750-5#debug cts provisioning packets
*Mar 1 09:55:11.997: CTS-provisioning: New session socket: src=
10.48.66.109:57516 dst=10.48.66.129:1645
*Mar 1 09:55:11.997: CTS-provisioning: Sending EAP Response/Identity to
10.48.66.129
*Mar 1 09:55:11.997: CTS-provisioning: OUTGOING RADIUS msg to 10.48.66.129:
*Mar 1 09:55:11.997: CTS-provisioning: INCOMING RADIUS msg from 10.48.66.129:
*Mar 1 09:55:11.997: CTS-provisioning: Received RADIUS challenge from
10.48.66.129.
*Mar 1 09:55:12.006: CTS-provisioning: Received TX_PKT from EAP method
*Mar 1 09:55:12.006: CTS-provisioning: Sending EAPFAST response to
10.48.66.129
*Mar 1 09:55:12.006: CTS-provisioning: OUTGOING RADIUS msg to 10.48.66.129:
*Mar 1 09:55:12.106: CTS-provisioning: INCOMING RADIUS msg from 10.48.66.129:
*Mar 1 09:55:12.115: CTS-provisioning: Received RADIUS challenge from
10.48.66.129.
*Mar 1 09:55:12.744: CTS-provisioning: Received TX_PKT from EAP method
*Mar 1 09:55:12.744: CTS-provisioning: Sending EAPFAST response to
10.48.66.129
*Mar 1 09:55:12.744: CTS-provisioning: OUTGOING RADIUS msg to 10.48.66.129:
*Mar 1 09:55:12.844: CTS-provisioning: INCOMING RADIUS msg from 10.48.66.129:
*Mar 1 09:55:12.844: CTS-provisioning: Received RADIUS challenge from
10.48.66.129.
*Mar 1 09:55:12.853: CTS-provisioning: Received TX_PKT from EAP method
*Mar 1 09:55:12.853: CTS-provisioning: Sending EAPFAST response to 10.48.66.129
*Mar 1 09:55:12.853: CTS-provisioning: OUTGOING RADIUS msg to 10.48.66.129:
*Mar 1 09:55:12.853: CTS-provisioning: INCOMING RADIUS msg from 10.48.66.129:
*Mar 1 09:55:12.861: CTS-provisioning: Received RADIUS challenge from
10.48.66.129.
*Mar 1 09:55:12.861: CTS-provisioning: Received TX_PKT from EAP method
*Mar 1 09:55:12.861: CTS-provisioning: Sending EAPFAST response to 10.48.66.129
*Mar 1 09:55:12.861: CTS-provisioning: OUTGOING RADIUS msg to 10.48.66.129:
*Mar 1 09:55:12.878: CTS-provisioning: INCOMING RADIUS msg from 10.48.66.129:
*Mar 1 09:55:12.878: CTS-provisioning: Received RADIUS challenge from
10.48.66.129.
*Mar 1 09:55:12.886: CTS-provisioning: Received TX_PKT from EAP method
*Mar 1 09:55:12.886: CTS-provisioning: Sending EAPFAST response to 10.48.66.129
*Mar 1 09:55:12.886: CTS-provisioning: OUTGOING RADIUS msg to 10.48.66.129:
*Mar 1 09:55:12.895: CTS-provisioning: INCOMING RADIUS msg from 10.48.66.129:
*Mar 1 09:55:12.895: CTS-provisioning: Received RADIUS challenge from
10.48.66.129.
*Mar 1 09:55:12.895: CTS-provisioning: Received TX_PKT from EAP method
*Mar 1 09:55:12.895: CTS-provisioning: Sending EAPFAST response to 10.48.66.129
*Mar 1 09:55:12.903: CTS-provisioning: OUTGOING RADIUS msg to 10.48.66.129:
*Mar 1 09:55:12.912: CTS-provisioning: INCOMING RADIUS msg from 10.48.66.129:
*Mar 1 09:55:12.912: CTS-provisioning: Received RADIUS challenge from
10.48.66.129.
*Mar 1 09:55:12.920: CTS-provisioning: Received TX_PKT from EAP method
*Mar 1 09:55:12.920: CTS-provisioning: Sending EAPFAST response to 10.48.66.129
*Mar 1 09:55:12.920: CTS-provisioning: OUTGOING RADIUS msg to 10.48.66.129:
*Mar 1 09:55:12.928: CTS-provisioning: INCOMING RADIUS msg from 10.48.66.129:
*Mar 1 09:55:12.928: CTS-provisioning: Received RADIUS challenge from
10.48.66.129.
*Mar 1 09:55:12.970: CTS-pac-refresh: PAC C40A15A339286CEAC28A50DBBAC59784
refresh timer has been set for 20y30w
*Mar 1 09:55:12.970: CTS-provisioning: Ignoring key data.
*Mar 1 09:55:12.979: CTS-provisioning: Received TX_PKT from EAP method
*Mar 1 09:55:12.979: CTS-provisioning: Sending EAPFAST response to 10.48.66.129
*Mar 1 09:55:12.979: CTS-provisioning: OUTGOING RADIUS msg to 10.48.66.129:
*Mar 1 09:55:12.995: CTS-provisioning: INCOMING RADIUS msg from 10.48.66.129:
*Mar 1 09:55:12.995: CTS-provisioning: Received RADIUS reject from 10.48.66.129.
*Mar 1 09:55:12.995: CTS-provisioning: Successfully obtained PAC for A-ID
c40a15a339286ceac28a50dbbac59784
*Mar 1 09:55:12.995: CTS-provisioning: cts_provi_server_cleanup: 10.48.66.129
*Mar 1 09:55:12.995: CTS-provisioning: work complete, process terminating.
RADIUS拒绝在输出结束时预计,因为您已经已接收PAC和没有跟随与进一步认证过程。
切记PAC为与ISE的其他通信要求。但是,如果没有它,交换机仍然尝试环境或策略刷新,当配置时。然后,它不附加CTSopaqueue (PAC)在RADIUS请求,导致失败。
如果您的PAC密钥是错误的,在ISE的此错误消息显示:
The Message-Authenticator RADIUS attribute is invalid
您也看到从调试(设置调试的cts的此输出+ debug radius)在交换机,如果您的PAC密钥是错误的:
Apr 20 10:07:11.768: CTS-provisioning: Sending EAP Response/Identity t
Apr 20 10:07:15.325: RADIUS(0000024B): Request timed out!
Apr 20 10:07:15.325: RADIUS: No response from (10.62.84.224:1645,1646) for
id 1645/37
如果使用现代RADIUS服务器规则,这显示:
radius server KRK-ISE
address ipv4 10.62.84.224 auth-port 1645 acct-port 1646
pac key CISCO
在成功PAC设置以后,此在ISE的显示:
环境刷新用于为了从ISE得到基本数据,包括SGT编号和名称。数据包级别显示它只是三RADIUS请求和答复与属性。
对于第一请求,交换机接收CTSServerlist名称。对于第二个,它接收该列表的详细信息,并且对于最后一个,接收与标记和名称的所有SGTs :
您看到默认SGT 0,自定义定义的ffff,并且两:SGT标记2被命名VLAN10,并且SGT标记3被命名VLAN20。
在3750X,您应该为所有三RADIUS答复看到调试和对应的列表、列表详细信息和特定SGT在列表里面:
bsns-3750-5#debug cts environment-data all
*Mar 1 10:05:07.454: CTS env-data: cleanup mcast SGT table
*Mar 1 10:05:18.057: CTS env-data: Force environment-data refresh
*Mar 1 10:05:18.057: CTS env-data: download transport-type =
CTS_TRANSPORT_IP_UDP
*Mar 1 10:05:18.057: cts_env_data START: during state env_data_complete,
got event 0(env_data_request)
*Mar 1 10:05:18.057: @@@ cts_env_data START: env_data_complete ->
env_data_waiting_rsp
*Mar 1 10:05:18.057: env_data_waiting_rsp_enter: state = WAITING_RESPONSE
*Mar 1 10:05:18.057: env_data_request_action: state = WAITING_RESPONSE
*Mar 1 10:05:18.057: cts_env_data_is_complete: FALSE, req(x0), rec(x0),
expect(x81), complete1(x85), complete2(xB5), complete3(x28B5)
*Mar 1 10:05:18.057: cts_aaa_req_setup: (CTS env-data)Private group appears DEAD,
attempt public group
*Mar 1 10:05:18.057: cts_aaa_req_setup: (CTS env-data)CTS_TRANSPORT_IP_UDP
*Mar 1 10:05:18.057: cts_aaa_req_setup: (CTS env-data)AAA req(x7C3DF10)
*Mar 1 10:05:18.057: cts_aaa_attr_add: AAA req(0x7C3DF10)
*Mar 1 10:05:18.057: username = #CTSREQUEST#
*Mar 1 10:05:18.057: cts-environment-data = 3750X
*Mar 1 10:05:18.057: cts_aaa_req_send: AAA req(0x7C3DF10) successfully sent to AAA.
*Mar 1 10:05:18.083: cts_aaa_callback: (CTS env-data)AAA req(0x7C3DF10)
response success
*Mar 1 10:05:18.083: AAA attr: Unknown type (447).
*Mar 1 10:05:18.083: AAA attr: Unknown type (220).
*Mar 1 10:05:18.083: AAA attr: Unknown type (275).
*Mar 1 10:05:18.083: AAA attr: server-list = CTSServerList1-0001.
*Mar 1 10:05:18.083: AAA attr: security-group-tag = 0000-00.
*Mar 1 10:05:18.083: AAA attr: environment-data-expiry = 86400.
*Mar 1 10:05:18.083: AAA attr: security-group-table = 0001-5.
*Mar 1 10:05:18.083: CTS env-data: Receiving AAA attributes
CTS_AAA_SLIST
slist name(CTSServerList1) received in 1st Access-Accept
slist name(CTSServerList1) created
CTS_AAA_SECURITY_GROUP_TAG - SGT = unicast-unknown-00
CTS_AAA_ENVIRONMENT_DATA_EXPIRY = 86400.
CTS_AAA_SGT_NAME_LIST
table(0001) received in 1st Access-Accept
old name(), gen()
new name(0001), gen(50)
CTS_AAA_DATA_END
*Mar 1 10:05:18.083: cts_env_data WAITING_RESPONSE: during state
env_data_waiting_rsp, got event 1(env_data_received)
*Mar 1 10:05:18.083: @@@ cts_env_data WAITING_RESPONSE: env_data_waiting_rsp ->
env_data_assessing
*Mar 1 10:05:18.083: env_data_assessing_enter: state = ASSESSING
*Mar 1 10:05:18.083: env_data_assessing_action: state = ASSESSING
*Mar 1 10:05:18.083: cts_env_data_is_complete: FALSE, req(x1089), rec(xC83),
expect(x28B5), complete1(x85), complete2(xB5), complete3(x28B5)
*Mar 1 10:05:18.083: cts_env_data ASSESSING: during state env_data_assessing,
got event 3(env_data_incomplete)
*Mar 1 10:05:18.083: @@@ cts_env_data ASSESSING: env_data_assessing ->
env_data_waiting_rsp
*Mar 1 10:05:18.083: env_data_waiting_rsp_enter: state = WAITING_RESPONSE
*Mar 1 10:05:18.083: env_data_request_action: state = WAITING_RESPONSE
*Mar 1 10:05:18.083: cts_env_data_is_complete: FALSE, req(x1089), rec(xC83),
expect(x28B5), complete1(x85), complete2(xB5), complete3(x28B5)
*Mar 1 10:05:18.083: cts_aaa_req_setup: (CTS env-data)Private group appears DEAD,
attempt public group
*Mar 1 10:05:18.083: cts_aaa_req_setup: (CTS env-data)CTS_TRANSPORT_IP_UDP
*Mar 1 10:05:18.083: cts_aaa_req_setup: (CTS env-data)AAA req(x792FFD0)
*Mar 1 10:05:18.083: cts_aaa_attr_add: AAA req(0x792FFD0)
*Mar 1 10:05:18.091: username = #CTSREQUEST#
*Mar 1 10:05:18.091: cts-server-list = CTSServerList1
*Mar 1 10:05:18.091: cts_aaa_req_send: AAA req(0x792FFD0) successfully sent to AAA.
*Mar 1 10:05:18.099: cts_aaa_callback: (CTS env-data)AAA req(0x792FFD0)
response success
*Mar 1 10:05:18.099: AAA attr: Unknown type (447).
*Mar 1 10:05:18.099: AAA attr: Unknown type (220).
*Mar 1 10:05:18.099: AAA attr: Unknown type (275).
*Mar 1 10:05:18.099: AAA attr: server-list = CTSServerList1-0001.
*Mar 1 10:05:18.099: AAA attr: server = c40a15a339286ceac28a50dbbac59784:
10.48.66.129:1812.
*Mar 1 10:05:18.099: CTS env-data: Receiving AAA attributes
CTS_AAA_SLIST
2nd Access-Accept slist name(CTSServerList1), gen(0001)
CTS_AAA_SERVERS
server (c40a15a339286ceac28a50dbbac59784:10.48.66.129:1812) added
CTS_AAA_DATA_END
*Mar 1 10:05:18.099: cts_env_data WAITING_RESPONSE: during state
env_data_waiting_rsp, got event 1(env_data_received)
*Mar 1 10:05:18.099: @@@ cts_env_data WAITING_RESPONSE: env_data_waiting_rsp ->
env_data_assessing
*Mar 1 10:05:18.099: env_data_assessing_enter: state = ASSESSING
*Mar 1 10:05:18.099: env_data_assessing_action: state = ASSESSING
*Mar 1 10:05:18.099: cts_env_data_is_complete: FALSE, req(x108D), rec(xC87),
expect(x28B5), complete1(x85), complete2(xB5), complete3(x28B5)
*Mar 1 10:05:18.099: cts_env_data ASSESSING: during state env_data_assessing,
got event 3(env_data_incomplete)
*Mar 1 10:05:18.099: @@@ cts_env_data ASSESSING: env_data_assessing ->
env_data_waiting_rsp
*Mar 1 10:05:18.099: env_data_waiting_rsp_enter: state = WAITING_RESPONSE
*Mar 1 10:05:18.099: env_data_request_action: state = WAITING_RESPONSE
*Mar 1 10:05:18.099: cts_env_data_is_complete: FALSE, req(x108D), rec(xC87),
expect(x28B5), complete1(x85), complete2(xB5), complete3(x28B5)
*Mar 1 10:05:18.099: cts_aaa_req_setup: (CTS env-data)Using private server group
*Mar 1 10:05:18.099: cts_aaa_req_setup: (CTS env-data)CTS_TRANSPORT_IP_UDP
*Mar 1 10:05:18.099: cts_aaa_req_setup: (CTS env-data)AAA req(x7A6C4AC)
*Mar 1 10:05:18.099: cts_aaa_attr_add: AAA req(0x7A6C4AC)
*Mar 1 10:05:18.099: username = #CTSREQUEST#
*Mar 1 10:05:18.099: cts-security-group-table = 0001
*Mar 1 10:05:18.099: cts_aaa_req_send: AAA req(0x7A6C4AC) successfully sent to AAA.
*Mar 1 10:05:18.108: cts_aaa_callback: (CTS env-data)AAA req(0x7A6C4AC)
response success
*Mar 1 10:05:18.108: AAA attr: Unknown type (447).
*Mar 1 10:05:18.108: AAA attr: Unknown type (220).
*Mar 1 10:05:18.108: AAA attr: Unknown type (275).
*Mar 1 10:05:18.108: AAA attr: security-group-table = 0001-5.
*Mar 1 10:05:18.108: AAA attr: security-group-info = 0-0-00-Unknown.
*Mar 1 10:05:18.108: AAA attr: security-group-info = ffff-0-00-ANY.
*Mar 1 10:05:18.108: AAA attr: security-group-info = 2-0-00-VLAN10.
*Mar 1 10:05:18.108: AAA attr: security-group-info = 3-0-00-VLAN20.
*Mar 1 10:05:18.108: CTS env-data: Receiving AAA attributes
CTS_AAA_SGT_NAME_LIST
table(0001) received in 2nd Access-Accept
old name(0001), gen(50)
new name(0001), gen(50)
CTS_AAA_SGT_NAME_INBOUND - SGT = unicast-unknown-00
flag (128) server name (Unknown) added
name (0001), request (1), receive (1)
Setting SG Name receving bit CTS_ENV_DATA_SGT_NAME_ENTRY on
CTS_AAA_SGT_NAME_INBOUND - SGT = unicast-default-00
flag (128) server name (ANY) added
name (0001), request (1), receive (1)
Setting SG Name receving bit CTS_ENV_DATA_SGT_NAME_ENTRY on
CTS_AAA_SGT_NAME_INBOUND - SGT = 2-00
flag (128) server name (VLAN10) added
name (0001), request (1), receive (1)
Setting SG Name receving bit CTS_ENV_DATA_SGT_NAME_ENTRY on
CTS_AAA_SGT_NAME_INBOUND - SGT = 3-00
flag (128) server name (VLAN20) added
name (0001), request (1), receive (1)
Setting SG Name receving bit CTS_ENV_DATA_SGT_NAME_ENTRY on
CTS_AAA_DATA_END
*Mar 1 10:05:18.108: cts_env_data WAITING_RESPONSE: during state
env_data_waiting_rsp, got event 1(env_data_received)
*Mar 1 10:05:18.108: @@@ cts_env_data WAITING_RESPONSE: env_data_waiting_rsp ->
env_data_assessing
*Mar 1 10:05:18.108: env_data_assessing_enter: state = ASSESSING
*Mar 1 10:05:18.108: env_data_assessing_action: state = ASSESSING
*Mar 1 10:05:18.116: cts_env_data_is_complete: TRUE, req(x2085), rec(x2C87),
expect(x81), complete1(x85), complete2(xB5), complete3(x28B5)
*Mar 1 10:05:18.116: cts_env_data ASSESSING: during state env_data_assessing,
got event 4(env_data_complete)
*Mar 1 10:05:18.116: @@@ cts_env_data ASSESSING: env_data_assessing ->
env_data_complete
*Mar 1 10:05:18.116: env_data_complete_enter: state = COMPLETE
*Mar 1 10:05:18.116: env_data_install_action: state = COMPLETE
交换机仅支持策略刷新。它类似于环境刷新。这些是RADIUS请求并且接受。
交换机请求在缺省列表内的所有ACL。然后,对于不最新的每个ACL (或不存在),它发送另一请求得到详细信息。
这是示例答复,当您请求ICMP-20 ACL时:
切记您必须安排cts role-based enforcement配置为了强制执行该ACL。
调试指示是否有更改(根据gen ID)。若需要如果那样,您能卸载旧有策略,并且安装新的。这包括ASIC编程(硬件支持)。
bsns-3750-5#debug cts all
Mar 30 02:39:37.151: CTS authz entry: peer(Unknown-2) Receiving AAA attributes
rcv rbacl list: flags: req(81)rcv(0)wait(80)prev(0)install(880)
- SGT = 2-01:VLAN10
- SGT = 2-01:VLAN10
current arg_cnt=8, expected_num_args=11
3rd Access-Accept rbacl received name(ICMP), gen(20)
received_policyp->sgt(2-01:VLAN10)
existing sgt_policy(73FFDB4) sgt(2-01:VLAN10)
RBACL name(ICMP-20)flag(40000000) already exists
acl_listp(740266C) old_acl_infop(0),exist_rbacl_type(0)
CTS_AAA_AUTHORIZATION_EXPIRY = 86400.
CTS_AAA_DATA_END
Mar 30 02:39:37.176: cts_authz_entry_complete_action: Policy download complete -
peer(Unknown-2) SGT(2-01:VLAN10) status(RBACL-POLICY SUCCEEDED)
Mar 30 02:39:37.176: cts_authz_rbacl_uninstall_cb:
Mar 30 02:39:37.176: uninstall cb_ctx:
Mar 30 02:39:37.176: session_hdl = F1000003
Mar 30 02:39:37.176: sgt_policyp = 73FFDB4, sgt=(2-01:VLAN10), magic(BABECABB)
Mar 30 02:39:37.176: ip_version = IPV6
Mar 30 02:39:37.176: src-or-dst = BOTH
Mar 30 02:39:37.176: wait_rbm_install_ip_ver(0)
Mar 30 02:39:37.176: wait_rbm_uninstall_ip_ver(C0000000)
Mar 30 02:39:37.176: cts_authz_rbacl_uninstall_cb:
Mar 30 02:39:37.176: uninstall cb_ctx:
Mar 30 02:39:37.176: session_hdl = F1000003
Mar 30 02:39:37.176: sgt_policyp = 73FFDB4, sgt=(2-01:VLAN10), magic(BABECABB)
Mar 30 02:39:37.176: ip_version = IPV4
Mar 30 02:39:37.176: src-or-dst = BOTH
Mar 30 02:39:37.176: wait_rbm_install_ip_ver(0)
Mar 30 02:39:37.176: wait_rbm_uninstall_ip_ver(40000000)
Mar 30 02:39:37.210: install cb_ctx:
Mar 30 02:39:37.210: session_hdl = F1000003
Mar 30 02:39:37.210: sgt_policyp = 73FFDB4, sgt=(2-01:VLAN10), magic(BABECABB)
Mar 30 02:39:37.210: ip_version = IPV6
Mar 30 02:39:37.210: src-or-dst = SRC
Mar 30 02:39:37.210: wait_rbm_install_ip_ver(C0000000)
Mar 30 02:39:37.210: wait_rbm_uninstall_ip_ver(0)
Mar 30 02:39:37.210: cts_authz_rbacl_install_cb: Waiting for more RBM callback
for remaining IP version(40000000) RBACL policy(73FFDB4) for SGT(2-01:VLAN10)
flag(41400001)
Mar 30 02:39:37.210: cts_authz_rbacl_install_cb:
Mar 30 02:39:37.210: install cb_ctx:
Mar 30 02:39:37.210: session_hdl = F1000003
Mar 30 02:39:37.210: sgt_policyp = 73FFDB4, sgt=(2-01:VLAN10), magic(BABECABB)
Mar 30 02:39:37.210: ip_version = IPV4
Mar 30 02:39:37.210: src-or-dst = SRC
Mar 30 02:39:37.210: wait_rbm_install_ip_ver(40000000)
Mar 30 02:39:37.210: wait_rbm_uninstall_ip_ver(0)
Mar 30 02:39:37.210: cts_authz_rbacl_install_cb: Program RBACL policy(73FFDB4)
for SGT(2-01:VLAN10) flag(41400001) success
SXP更新由查找设备的IP地址的IP设备跟踪代码触发。然后,短的消息对等(SMPP)协议用于为了发送更新。这使用TCP选项19验证,是一样象边界网关协议(BGP)。SMPP有效负载没有加密。Wireshark没有SMPP有效负载的适当的编码器,但是查找数据在它里面是容易的:
这是在3750X的一些调试,在IP设备跟踪查找微软视窗7后的IP地址:
bsns-3750-5#debug cts sxp message
bsns-3750-5#debug cts sxp internal
bsns-3750-5#debug cts sxp conn
bsns-3750-5#debug cts sxp mdb
bsns-3750-5#debug cts sxp error
Apr 7 00:39:06.874: CTS-SXP-CONN:sxp_process_message_event = CTS_SXPMSG_REQUEST
Apr 7 00:39:06.874: CTS-SXP-CONN:sxp_process_request CTS_SXPMSG_REQ_CONN_NVGEN
Apr 7 00:39:06.874: CTS-SXP-CONN:cts_get_next_sxpconn_cli
Apr 7 00:39:06.874: CTS-SXP-CONN:cts_get_next_sxpconn_cli
Apr 7 00:39:06.874: CTS-SXP-INTNL:sxp_process_request boolean set
Apr 7 00:39:06.874: CTS-SXP-INTNL:sxp_send_request set boolean after
Apr 7 00:40:05.418: CTS-SXP-CONN:is_cts_sxp_rf_active
Apr 7 00:40:05.418: CTS-SXP-MDB:sxp_export_ipsgt_change 192.168.1.200/32 add 1
这是在ASA的对应的调试:
bsns-asa5510-17# debug cts sxp all
%ASA-7-776018: CTS SXP: Binding 192.168.1.200->2:VLAN10 from peer 192.168.1.10
(instance 1) added in SXP database.
%ASA-7-776019: CTS SXP: Binding 192.168.1.200->2:VLAN10 added. Update binding
manager.
%ASA-6-776251: CTS SGT-MAP: Binding 192.168.1.200->2:VLAN10 from SXP added to
binding manager.
%ASA-7-776014: CTS SXP: SXP received binding forwarding request (add) binding
192.168.1.200->2:VLAN10.
为了看到在ASA的更多调试,您能启用级调试的冗余:
bsns-asa5510-17# debug cts condition level detail
debug cts condition level detail is enable
在ASA正确地安装SXP后接收的SGT映射,安全组ACL应该良好工作。当您遇到与映射时的问题,请输入:
bsns-asa5510-17# debug cts sgt-map
与的ACL小组作业作为为IP地址或用户标识执行的同一。日志显示问题和点击ACL的确切的条目。
这是从微软视窗XP的ping到正确地显示该数据包跟踪程序工作的微软视窗7 :
bsns-asa5510-17# packet-tracer input inside icmp 192.168.2.200 8 0 192.168.1.200
detailed
<output ommitted>
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit icmp security-group tag 3 any security-group
name VLAN10 any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaaf2ae80, priority=13, domain=permit, deny=false
hits=185, user_data=0xaa2f5040, cs_id=0x0, use_real_addr, flags=0x0,
protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=3:VLAN20
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=2:VLAN10, dscp=0x0
input_ifc=inside, output_ifc=any
<output ommitted>