配置在ISE 2.2的TrustSec多个矩阵
简介
本文描述使用多个TrustSec矩阵和DefCon矩阵在思科身份服务引擎(ISE) 2.2方面。这是在更加好的粒度的ISE介绍的一个新的TrustSec功能2.2在网络。
先决条件
要求
Cisco 建议您了解以下主题:
- 思科TrustSec (CTS)组件基础知识
- Catalyst交换机的CLI配置基础知识
- 与身份服务引擎(ISE)配置的体验
使用的组件
本文档中的信息基于以下软件和硬件版本:
- 身份服务引擎2.2
- Cisco Catalyst交换机3850 03.07.03.E
- Cisco Catalyst交换机3750X 15.2(4)E1
- Windows 7台机器
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。
背景信息
在ISE 2.0只有使用一个制作TrustSec矩阵的可能性所有网络设备。ISE 2.1附加特性呼叫能使用测试和实施目的试运行矩阵。在试运行矩阵创建的策略仅应用到用于测验的网络设备。设备的其余仍然使用制作矩阵。一旦演出的矩阵被确认良好工作,所有其它设备可以被移动向它,并且变为新的制作矩阵。
ISE 2.2附有两个新的TrustSec功能:
- 多个矩阵-对网络设备的能力分配不同的矩阵
- DefCon矩阵-此矩阵特别是推送对所有网络设备情况,触发由管理员
使用单个矩阵功能或制作和试运行矩阵功能在ISE 2.2是可能的。
多个矩阵
如镜像所显示,为了使用多个矩阵,您必须启用此选项在工作区> TrustSec >设置>工作进程设置下, :
一旦这启用,您能创建新建的矩阵和稍后分配网络设备到特定矩阵。
DefCon矩阵
DefCon矩阵是特殊矩阵,就绪在任何时间部署。当部署,所有网络设备自动地分配到此矩阵。ISE仍然记住所有网络设备的最后制作矩阵,因此此更改可以在任意时候是被恢复的上一步,当撤销时DefCon。您能定义四个不同的DefCon矩阵:
- DefCon1 -关键
- DefCon2 -严重
- DefCon3 -大量
- DefCon4 -一般
DefCon矩阵可以使用与所有三个工作进程选项的组合:
配置
网络图
配置
为了使用多个矩阵,您必须启用它在工作进程设置下。在本例中,也请启用DefCon矩阵。
1. RADIUS/CTS的基本交换机配置
radius server ISE address ipv4 10.48.17.161 auth-port 1812 acct-port 1813 pac key cisco aaa group server radius ISE server name ISE ip radius source-interface FastEthernet0 ip radius source-interface FastEthernet0 aaa server radius dynamic-author client 10.48.17.161 server-key cisco
aaa new-model aaa authentication dot1x default group ISE aaa accounting dot1x default start-stop group ISE
为了得到CTS信息,您必须建立CTS authorization list :
cts authorization list LIST aaa authorization network LIST group ISE
2. CTS PAC
要接收CTS PAC (受保护的访问凭证)从ISE,您必须配置在交换机的同样凭证和ISE在网络设备的先进的TrustSec配置下:
cts credentials id GALA password cisco
一旦这配置,交换机能下载CTS PAC。一部分它(PAC不透明)发送作为在每个RADIUS请求的AV对对ISE,因此ISE能验证,如果此网络设备的PAC有效:
GALA#show cts pacs
AID: E6796CD7BBF2FA4111AD9FB4FEFB5A50
PAC-Info:
PAC-type = Cisco Trustsec
AID: E6796CD7BBF2FA4111AD9FB4FEFB5A50
I-ID: GALA
A-ID-Info: Identity Services Engine
Credential Lifetime: 17:05:50 CEST Apr 5 2017
PAC-Opaque: 000200B00003000100040010E6796CD7BBF2FA4111AD9FB4FEFB5A50000600940003010012FABE10F3DCBCB152C54FA5BFE124CB00000013586BB31500093A809E11A93189C7BE6EBDFB8FDD15B9B7252EB741ADCA3B2ACC5FD923AEB7BDFE48A3A771338926A1F48141AF091469EE4AFC8C3E92A510BA214A407A33F469282A780E8F50F17A271E92D1FEE1A29ED427B985F9A0E00D6CDC934087716F4DEAF84AC11AA05F7587E898CA908463BDA9EC7E65D827
Refresh timer is set for 11y13w
3. 在交换机的CTS配置。
一旦PAC下载,交换机能请求另外的CTS信息(环境数据和策略) :
GALA#cts refresh environment-data
GALA#show cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
SGT tag = 0-06:Unknown
Server List Info:
Installed list: CTSServerList1-0001, 1 server(s):
*Server: 10.48.17.161, port 1812, A-ID E6796CD7BBF2FA4111AD9FB4FEFB5A50
Status = ALIVE
auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
0-ce:Unknown
2-ce:TrustSec_Devices
3-ce:Network_Services
4-ce:Employees
5-ce:Contractors
6-ce:Guests
7-ce:Production_Users
8-ce:Developers
9-ce:Auditors
10-ce:Point_of_Sale_Systems
11-ce:Production_Servers
12-ce:Development_Servers
13-ce:Test_Servers
14-ce:PCI_Servers
15-ce:BYOD
255-ce:Quarantined_Systems
Environment Data Lifetime = 86400 secs
Last update time = 07:48:41 CET Mon Jan 2 2006
Env-data expires in 0:23:56:02 (dd:hr:mm:sec)
Env-data refreshes in 0:23:56:02 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running
GALA#cts refresh policy GALA#show cts role-based permissions RBACL Monitor All for Dynamic Policies : FALSE RBACL Monitor All for Configured Policies : FALSE
您也许发现没有从ISE下载的策略,原因是CTS实施在交换机没有启用:
cts role-based enforcement cts role-based enforcement vlan-list 1-4094 GALA#show cts role-based permissions IPv4 Role-based permissions default: Permit IP-00 RBACL Monitor All for Dynamic Policies : FALSE RBACL Monitor All for Configured Policies : FALSE
默认情况下在两输出中,您可能发现默认值- SGTs创建(0, 2-15, 255)和默认Permit ip策略。
4. 在ISE的基本CTS配置。
创建新的安全组标记(SGTs)和在ISE的少量策略为了稍后使用他们。导航对工作区> TrustSec >组件> Security组,单击添加创建新建的SGT :
要创建安全组访问控制表(SGACL)如镜像所显示,流量过滤的,请选择安全组ACL, :
同样地,您能创建其他SGTs和SGACLs。一旦SGTs和SGACLs创建,如镜像所显示,您在CTS策略能配合他们,执行如此导航对工作区> TrustSec > TustSec策略>出口策略>来源树, :
5. 多个矩阵和DefCon配置在ISE。
在本例中,您配置矩阵的ForGALA策略。为了交换在矩阵之间,您能使用下拉菜单。如镜像所显示,为了启用多个矩阵,导航到工作区> TrustSec >设置>工作进程设置和启用多个矩阵和DefCon矩阵, :
当此选项启用时,有默认制作矩阵联机,虽然您可以创建其他矩阵。导航对工作区> TrustSec > TrustSec策略>出口策略>矩阵列出并且单击添加:
有选项复制应该变为一部分的从已经现有矩阵的新的策略。创建两个矩阵-一个3750X交换机的,另一个3850交换机的。一旦矩阵创建,您必须分配网络设备到那些矩阵,默认情况下,因为所有TrustSec启用的网络访问设备分配到制作矩阵。
如镜像所显示,分配NAD,单击分配NAD选项在矩阵列表下,检查您会想要分配矩阵对并且选择从下拉菜单的已创建矩阵的设备并且单击分配, :
您能为其它设备执行同样,跟随由在Assign按钮的单击:
一旦所有更改执行,请点击Close&Send,发送所有更新到设备执行CTS策略刷新为了下载新的。同样地,请创建DefCon矩阵,您能从现有矩阵复制:
最终策略看起来象:
6. SGT分类
有标记的两个选项对客户端分配(请创建IP-SGT映射) :
- 静态-与cts role-based sgt-map Ip_address sgt标记
- 动态-通过dot1x验证由于成功认证, (标记分配)
请使用两个选项这里,两个Windows机器通过dot1x验证得到SGT与静态SGT标记的标记和回环接口。要部署动态映射,请创建末端客户端的授权策略:
要创建静态IP-SGT映射,请使用命令(节目交换机的示例) :
interface Loopback7 ip address 7.7.7.7 255.255.255.0 interface Loopback2 ip address 2.2.2.2 255.255.255.0 cts role-based sgt-map 2.2.2.2 sgt 15 cts role-based sgt-map 7.7.7.7 sgt 10
在成功认证以后,客户端点击与特定SGT标记的授权策略在结果:
GALA#show authentication sessions interface Gi1/0/11 details
Interface: GigabitEthernet1/0/11
MAC Address: 0050.5699.5bd9
IPv6 Address: Unknown
IPv4 Address: 10.0.10.2
User-Name: 00-50-56-99-5B-D9
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Common Session ID: 0A30489C000000120002330D
Acct Session ID: 0x00000008
Handle: 0xCE000001
Current Policy: POLICY_Gi1/0/11
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
SGT Value: 16
Method status list:
Method State
mab Authc Success
您能用show命令cts role-based sgt-map检查所有IP-SGT映射全部,其中您看到每映射(本地来源-通过dot1x验证, CLI -静态分配) :
GALA#show cts role-based sgt-map all Active IPv4-SGT Bindings Information IP Address SGT Source ============================================ 2.2.2.2 15 CLI 7.7.7.7 10 CLI 10.0.10.2 16 LOCAL IP-SGT Active Bindings Summary ============================================ Total number of CLI bindings = 2 Total number of LOCAL bindings = 1 Total number of active bindings = 3
7. CTS策略下载
一旦交换机有CTS PAC和环境数据下载,能请求CTS策略。交换机不下载所有策略,但是要求仅的一个-流量的策略被注定对已知SGT标记-在节目交换机的情况下,从ISE请求那些策略:
- 流量的策略对SGT 15
- 流量的策略对SGT 10
- 流量的策略对SGT 16
所有策略输出节目交换机的:
GALA#show cts role-based permissions IPv4 Role-based permissions default: Permit IP-00 IPv4 Role-based permissions from group 10:Point_of_Sale_Systems to group 15:BYOD: denyIP-20 IPv4 Role-based permissions from group 17:VLAN20 to group 16:VLAN10: denyIP-20 RBACL Monitor All for Dynamic Policies : FALSE RBACL Monitor All for Configured Policies : FALSE
交换机得到策略用两种方式:
- 从交换机的CTS刷新:
GALA#cts refresh policy
- 从ISE的手工的推送:
验证
多个矩阵
最终SGT-IP映射和CTS策略在两交换机此示例的:
节目交换机:
GALA#show cts role-based sgt-map all Active IPv4-SGT Bindings Information IP Address SGT Source ============================================ 2.2.2.2 15 CLI 7.7.7.7 10 CLI 10.0.10.2 16 LOCAL IP-SGT Active Bindings Summary ============================================ Total number of CLI bindings = 2 Total number of LOCAL bindings = 1 Total number of active bindings = 3
GALA#show cts role-based permissions
IPv4 Role-based permissions default:
Permit IP-00
IPv4 Role-based permissions from group 10:Point_of_Sale_Systems to group 15:BYOD:
denyIP-20
IPv4 Role-based permissions from group 17:VLAN20 to group 15:BYOD:
permitIP-20
IPv4 Role-based permissions from group 17:VLAN20 to group 16:VLAN10:
permitIP-20
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
GALA#show cts rbacl | s permitIP
name = permitIP-20
permit ip
GALA#show cts rbacl | s deny
name = denyIP-20
deny ip
DRARORA交换机:
DRARORA#show cts role-based sgt-map all Active IPv4-SGT Bindings Information IP Address SGT Source ============================================ 10.0.20.3 17 LOCAL 10.10.10.10 10 CLI 15.15.15.15 15 CLI IP-SGT Active Bindings Summary ============================================ Total number of CLI bindings = 2 Total number of LOCAL bindings = 1 Total number of active bindings = 3
DRARORA#show cts role-based permissions
IPv4 Role-based permissions default:
Permit IP-00
IPv4 Role-based permissions from group 17:VLAN20 to group 10:Point_of_Sale_Systems:
permitIP-20
IPv4 Role-based permissions from group 10:Point_of_Sale_Systems to group 15:BYOD:
permitIP-20
IPv4 Role-based permissions from group 17:VLAN20 to group 15:BYOD:
permitIP-20
IPv4 Role-based permissions from group 10:Point_of_Sale_Systems to group 17:VLAN20:
denyIP-20
IPv4 Role-based permissions from group 16:VLAN10 to group 17:VLAN20:
permitIP-20
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
注意到两交换机的策略不同的(从10的同一项策略到15为节目和DRARORA交换机是不同的)。这在节目意味着从SGT 10到15的流量在DRARORA允许,但是阻塞:
DRARORA#ping 15.15.15.15 source Loopback 10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 15.15.15.15, timeout is 2 seconds: Packet sent with a source address of 10.10.10.10 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms GALA#ping 2.2.2.2 source Loopback 7 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds: Packet sent with a source address of 7.7.7.7 U.U.U Success rate is 0 percent (0/5)
同样地,从一个窗口,您能访问另一个(SGT 17 - > SGT 16) :
并且另一个方式(SGT 16 - > SGT 17) :
要确认那正确CTS策略应用,检查显示cts基于任务的计数器输出:
GALA#sh cts role-based counters Role-based IPv4 counters # '-' in hardware counters field indicates sharing among cells with identical policies From To SW-Denied HW-Denied SW-Permitted HW-Permitted 17 16 0 0 0 8 17 15 0 - 0 - 10 15 4 0 0 0 * * 0 0 127 26
节目有8允许的数据包(4从ping 17->16和4从ping 16->17)。
DefCon部署
当要求,请部署DefCon矩阵在工作区> TrustSec > TrustSec策略>出口策略>矩阵下列出,检查您希望激活和点击Activate的DefCon矩阵:
一旦DefCon激活,在ISE的菜单如下所示:
并且在交换机修正:
GALA#show cts role-based permissions IPv4 Role-based permissions default: Permit IP-00 IPv4 Role-based permissions from group 15:BYOD to group 10:Point_of_Sale_Systems: denyIP-20 IPv4 Role-based permissions from group 15:BYOD to group 16:VLAN10: denyIP-20 IPv4 Role-based permissions from group 17:VLAN20 to group 16:VLAN10: denyIP-20 RBACL Monitor All for Dynamic Policies : FALSE RBACL Monitor All for Configured Policies : FALSE DRARORA#show cts role-based permissions IPv4 Role-based permissions default: Permit IP-00 IPv4 Role-based permissions from group 15:BYOD to group 10:Point_of_Sale_Systems: denyIP-20 IPv4 Role-based permissions from group 10:Point_of_Sale_Systems to group 17:VLAN20: permitIP-20 RBACL Monitor All for Dynamic Policies : FALSE RBACL Monitor All for Configured Policies : FALSE
从SGT 15的流量对SGT 10在两交换机没有允许:
DRARORA#ping 10.10.10.10 source Loopback 15 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds: Packet sent with a source address of 15.15.15.15 U.U.U Success rate is 0 percent (0/5) GALA#ping 7.7.7.7 source Loopback 2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds: Packet sent with a source address of 2.2.2.2 U.U.U Success rate is 0 percent (0/5)
一旦部署再稳定的,您能撤销DefCon,并且交换机请求旧有策略。要撤销DefCon,请导航对工作区> TrustSec > TrustSec策略>出口策略>矩阵列出,检查活动DefCon矩阵并且点击Deactivate :
两项交换请求旧有策略立即:
DRARORA#show cts role-based permissions IPv4 Role-based permissions default: Permit IP-00 IPv4 Role-based permissions from group 17:VLAN20 to group 10:Point_of_Sale_Systems: permitIP-20 IPv4 Role-based permissions from group 10:Point_of_Sale_Systems to group 15:BYOD: permitIP-20 IPv4 Role-based permissions from group 17:VLAN20 to group 15:BYOD: permitIP-20 IPv4 Role-based permissions from group 10:Point_of_Sale_Systems to group 17:VLAN20: denyIP-20 IPv4 Role-based permissions from group 16:VLAN10 to group 17:VLAN20: permitIP-20 RBACL Monitor All for Dynamic Policies : FALSE RBACL Monitor All for Configured Policies : FALSE GALA#show cts role-based permissions IPv4 Role-based permissions default: Permit IP-00 IPv4 Role-based permissions from group 10:Point_of_Sale_Systems to group 15:BYOD: denyIP-20 IPv4 Role-based permissions from group 17:VLAN20 to group 15:BYOD: permitIP-20 IPv4 Role-based permissions from group 17:VLAN20 to group 16:VLAN10: permitIP-20 RBACL Monitor All for Dynamic Policies : FALSE RBACL Monitor All for Configured Policies : FALSE
故障排除
PAC设置
这是成功PAC设置的一部分:
GALA#debug cts provisioning packets GALA#debug cts provisioning events *Jan 2 04:39:05.707: %SYS-5-CONFIG_I: Configured from console by console *Jan 2 04:39:05.707: CTS-provisioning: Starting new control block for server 10.48.17.161: *Jan 2 04:39:05.707: CTS-provisioning: cts_provi_init_socket: Checking for any vrf associated with 10.48.17.161 *Jan 2 04:39:05.707: CTS-provisioning: New session socket: src=10.48.72.156:65242 dst=10.48.17.161:1812 *Jan 2 04:39:05.716: CTS-provisioning: cts_provi_init_socket: Checking for any vrf associated with 10.48.17.161 *Jan 2 04:39:05.716: CTS-provisioning: cts_provi_init_socket: Adding vrf-tableid: 0 to socket *Jan 2 04:39:05.716: CTS-provisioning: New session socket: src=10.48.72.156:65242 dst=10.48.17.161:1812 *Jan 2 04:39:05.716: CTS-provisioning: Sending EAP Response/Identity to 10.48.17.161 *Jan 2 04:39:05.716: CTS-provisioning: OUTGOING RADIUS msg to 10.48.17.161: 1E010EE0: 01010090 64BCBC01 7BEF347B 1E010EF0: 1E32C02E 8402A83D 010C4354 5320636C 1E010F00: 69656E74 04060A30 489C3D06 00000000 1E010F10: 06060000 00021F0E 30303037 37643862 1E010F20: 64663830 1A2D0000 00090127 4141413A 1E010F30: 73657276 6963652D 74797065 3D637473 1E010F40: 2D706163 2D70726F 76697369 6F6E696E 1E010F50: 674F1102 00000F01 43545320 636C6965 1E010F60: 6E745012 73EBE7F5 CDA0CF73 BFE4AFB6 1E010F70: 40D723B6 00 *Jan 2 04:39:06.035: CTS-provisioning: INCOMING RADIUS msg from 10.48.17.161: 1EC68460: 0B0100B5 E4C3C3C1 ED472766 1EC68470: 183F41A9 026453ED 18733634 43504D53 1EC68480: 65737369 6F6E4944 3D306133 30313161 1EC68490: 314C3767 78484956 62414976 37316D59 1EC684A0: 525F4D56 34517741 4C362F69 73517A72 1EC684B0: 7A586132 51566852 79635638 3B343353 1EC684C0: 65737369 6F6E4944 3D766368 72656E65 1EC684D0: 6B2D6973 6532322D 3432332F 32373238 1EC684E0: 32373637 362F3137 37343B4F 1C017400 1EC684F0: 1A2B2100 040010E6 796CD7BB F2FA4111 1EC68500: AD9FB4FE FB5A5050 124B76A2 E7D34684 1EC68510: DD8A1583 175C2627 9F00 *Jan 2 04:39:06.035: CTS-provisioning: Received RADIUS challenge from 10.48.17.161. *Jan 2 04:39:06.035: CTS-provisioning: A-ID for server 10.48.17.161 is "e6796cd7bbf2fa4111ad9fb4fefb5a50" *Jan 2 04:39:06.043: CTS-provisioning: Received TX_PKT from EAP method *Jan 2 04:39:06.043: CTS-provisioning: Sending EAPFAST response to 10.48.17.161 *Jan 2 04:39:06.043: CTS-provisioning: OUTGOING RADIUS msg to 10.48.17.161: <...> *Jan 2 04:39:09.549: CTS-provisioning: INCOMING RADIUS msg from 10.48.17.161: 1EC66C50: 0309002C 1A370BBB 58B828C3 1EC66C60: 3F0D490A 4469E8BB 4F06047B 00045012 1EC66C70: 7ECF8177 E3F4B9CB 8B0280BD 78A14CAA 1EC66C80: 4D *Jan 2 04:39:09.549: CTS-provisioning: Received RADIUS reject from 10.48.17.161. *Jan 2 04:39:09.549: CTS-provisioning: Successfully obtained PAC for A-ID e6796cd7bbf2fa4111ad9fb4fefb5a50
因为PAC设置顺利地,完成RADIUS拒绝预计。
环境数据下载
这显示从交换机的成功的环境数据下载:
GALA#debug cts environment-data
GALA#
*Jan 2 04:33:24.702: CTS env-data: Force environment-data refresh
*Jan 2 04:33:24.702: CTS env-data: download transport-type = CTS_TRANSPORT_IP_UDP
*Jan 2 04:33:24.702: cts_env_data START: during state env_data_complete, got event 0(env_data_request)
*Jan 2 04:33:24.702: cts_aaa_attr_add: AAA req(0x5F417F8)
*Jan 2 04:33:24.702: username = #CTSREQUEST#
*Jan 2 04:33:24.702: cts_aaa_context_add_attr: (CTS env-data SM)attr(GALA)
*Jan 2 04:33:24.702: cts-environment-data = GALA
*Jan 2 04:33:24.702: cts_aaa_attr_add: AAA req(0x5F417F8)
*Jan 2 04:33:24.702: cts_aaa_context_add_attr: (CTS env-data SM)attr(env-data-fragment)
*Jan 2 04:33:24.702: cts-device-capability = env-data-fragment
*Jan 2 04:33:24.702: cts_aaa_req_send: AAA req(0x5F417F8) successfully sent to AAA.
*Jan 2 04:33:25.474: cts_aaa_callback: (CTS env-data SM)AAA req(0x5F417F8) response success
*Jan 2 04:33:25.474: cts_aaa_context_fragment_cleanup: (CTS env-data SM)attr(GALA)
*Jan 2 04:33:25.474: cts_aaa_context_fragment_cleanup: (CTS env-data SM)attr(env-data-fragment)
*Jan 2 04:33:25.474: AAA attr: Unknown type (450).
*Jan 2 04:33:25.474: AAA attr: Unknown type (274).
*Jan 2 04:33:25.474: AAA attr: server-list = CTSServerList1-0001.
*Jan 2 04:33:25.482: AAA attr: security-group-tag = 0000-10.
*Jan 2 04:33:25.482: AAA attr: environment-data-expiry = 86400.
*Jan 2 04:33:25.482: AAA attr: security-group-table = 0001-19.
*Jan 2 04:33:25.482: CTS env-data: Receiving AAA attributes
CTS_AAA_SLIST
slist name(CTSServerList1) received in 1st Access-Accept
slist name(CTSServerList1) created
CTS_AAA_SECURITY_GROUP_TAG - SGT = 0-10:unicast-unknown
CTS_AAA_ENVIRONMENT_DATA_EXPIRY = 86400.
CTS_AAA_SGT_NAME_LIST
table(0001) received in 1st Access-Accept
need a 2nd request for the SGT to SG NAME entries
new name(0001), gen(19)
CTS_AAA_DATA_END
*Jan 2 04:33:25.784: cts_aaa_callback: (CTS env-data SM)AAA req(0x8853E60) response success
*Jan 2 04:33:25.784: cts_aaa_context_fragment_cleanup: (CTS env-data SM)attr(0001)
*Jan 2 04:33:25.784: AAA attr: Unknown type (450).
*Jan 2 04:33:25.784: AAA attr: Unknown type (274).
*Jan 2 04:33:25.784: AAA attr: security-group-table = 0001-19.
*Jan 2 04:33:25.784: AAA attr: security-group-info = 0-10-00-Unknown.
*Jan 2 04:33:25.784: AAA attr: security-group-info = ffff-13-00-ANY.
*Jan 2 04:33:25.784: AAA attr: security-group-info = 9-10-00-Auditors.
*Jan 2 04:33:25.784: AAA attr: security-group-info = f-32-00-BYOD.
*Jan 2 04:33:25.784: AAA attr: security-group-info = 5-10-00-Contractors.
*Jan 2 04:33:25.784: AAA attr: security-group-info = 8-10-00-Developers.
*Jan 2 04:33:25.784: AAA attr: security-group-info = c-10-00-Development_Servers.
*Jan 2 04:33:25.784: AAA attr: security-group-info = 4-10-00-Employees.
*Jan 2 04:33:25.784: AAA attr: security-group-info = 6-10-00-Guests.
*Jan 2 04:33:25.784: AAA attr: security-group-info = 3-10-00-Network_Services.
*Jan 2 04:33:25.784: AAA attr: security-group-info = e-10-00-PCI_Servers.
*Jan 2 04:33:25.784: AAA attr: security-group-info = a-23-00-Point_of_Sale_Systems.
*Jan 2 04:33:25.784: AAA attr: security-group-info = b-10-00-Production_Servers.
*Jan 2 04:33:25.793: AAA attr: security-group-info = 7-10-00-Production_Users.
*Jan 2 04:33:25.793: AAA attr: security-group-info = ff-10-00-Quarantined_Systems.
*Jan 2 04:33:25.793: AAA attr: security-group-info = d-10-00-Test_Servers.
*Jan 2 04:33:25.793: AAA attr: security-group-info = 2-10-00-TrustSec_Devices.
*Jan 2 04:33:25.793: AAA attr: security-group-info = 10-24-00-VLAN10.
*Jan 2 04:33:25.793: AAA attr: security-group-info = 11-22-00-VLAN20.
*Jan 2 04:33:25.793: CTS env-data: Receiving AAA attributes
CTS_AAA_SGT_NAME_LIST
table(0001) received in 2nd Access-Accept
old name(0001), gen(19)
new name(0001), gen(19)
CTS_AAA_SGT_NAME_INBOUND - SGT = 0-68:unicast-unknown
flag (128) sgname (Unknown) added
name (0001), request (1), receive (1)
cts_env_data_aaa_sgt_sgname, name = 0001, req = 1, rcv = 1
Setting SG Name receving bit CTS_ENV_DATA_SGT_NAME_ENTRY on
CTS_AAA_SGT_NAME_INBOUND - SGT = 65535-68:unicast-default
flag (128) sgname (ANY) added
name (0001), request (1), receive (1)
cts_env_data_aaa_sgt_sgname, name = 0001, req = 1, rcv = 1
Setting SG Name receving bit CTS_ENV_DATA_SGT_NAME_ENTRY on
CTS_AAA_SGT_NAME_INBOUND - SGT = 9-68
flag (128) sgname (Auditors) added
name (0001), request (1), receive (1)
cts_env_data_aaa_sgt_sgname, name = 0001, req = 1, rcv = 1
Setting SG Name receving bit CTS_ENV_DATA_SGT_NAME_ENTRY on
CTS_AAA_SGT_NAME_INBOUND - SGT = 15-68
flag (128) sgname (BYOD) added
name (0001), request (1), receive (1)
cts_env_data_aaa_sgt_sgname, name = 0001, req = 1, rcv = 1
Setting SG Name receving bit CTS_ENV_DATA_SGT_NAME_ENTRY on
CTS_AAA_SGT_NAME_INBOUND - SGT = 5-68
flag (128) sgname (Contractors) added
name (0001), request (1), receive (1)
cts_env_data_aaa_sgt_sgname, name = 0001, req = 1, rcv = 1
Setting SG Name receving bit CTS_ENV_DATA_SGT_NAME_ENTRY on
CTS_AAA_SGT_NAME_INBOUND - SGT = 8-68
flag (128) sgname (Developers) added
name (0001), request (1), receive (1)
cts_env_data_aaa_sgt_sgname, name = 0001, req = 1, rcv = 1
Setting SG Name receving bit CTS_ENV_DATA_SGT_NAME_ENTRY on
CTS_AAA_SGT_NAME_INBOUND - SGT = 12-68
flag (128) sgname (Development_Servers) added
name (0001), request (1), receive (1)
cts_env_data_aaa_sgt_sgname, name = 0001, req = 1, rcv = 1
Setting SG Name receving bit CTS_ENV_DATA_SGT_NAME_ENTRY on
CTS_AAA_SGT_NAME_INBOUND - SGT = 4-68
flag (128) sgname (Employees) added
name (0001), request (1), receive (1)
cts_env_data_aaa_sgt_sgname, na
*Jan 2 04:33:25.793: cts_env_data WAITING_RESPONSE: during state env_data_waiting_rsp, got event 1(env_data_received)
*Jan 2 04:33:25.793: @@@ cts_env_data WAITING_RESPONSE: env_data_waiting_rsp -> env_data_assessing
*Jan 2 04:33:25.793: env_data_assessing_enter: state = ASSESSING
*Jan 2 04:33:25.793: cts_aaa_is_fragmented: (CTS env-data SM)NOT-FRAG attr_q(0)
*Jan 2 04:33:25.793: env_data_assessing_action: state = ASSESSING
*Jan 2 04:33:25.793: cts_env_data_is_complete: FALSE, req(x1085), rec(x1487)
*Jan 2 04:33:25.793: cts_env_data_is_complete: TRUE, req(x1085), rec(x1487), expect(x81), complete1(x85), complete2(xB5), complete3(x1485)
*Jan 2 04:33:25.793: cts_env_data ASSESSING: during state env_data_assessing, got event 4(env_data_complete)
*Jan 2 04:33:25.793: @@@ cts_env_data ASSESSING: env_data_assessing -> env_data_complete
*Jan 2 04:33:25.793: env_data_complete_enter: state = COMPLETE
*Jan 2 04:33:25.793: env_data_install_action: state = COMPLETE
CTS策略
作为RADIUS消息一部分, CTS策略推送,因此记录组分的运行时间AAA设置调试在ISE (Administration >记录日志>调试日志配置)和在交换机的调试之下应该是满足排除故障与CTS涉及的所有问题:
debug cts coa debug radius
Additionaly,检查什么策略在接通的3750X匹配:
GALA#show cts role-based counters Role-based IPv4 counters # '-' in hardware counters field indicates sharing among cells with identical policies From To SW-Denied HW-Denied SW-Permitted HW-Permitted 10 15 5 0 0 0 * * 0 0 815 31 17 15 0 0 0 0 17 16 0 - 0 -
您不能使用同一on命令3850,由于CiscobugID CSCuu32958。
反餽