2954 Views, 0 Helpful, 4 Replies

TrustSec - CTS is Disabled

scamarda
Cisco Employee

Testing TrustSec in my lab. Catalyst 3850 switch at 16.6.7. Client is authenticating via MAB. Not seeing packets being tagged on the egress of the originating client switch. CTS environment is populated and the port is authorized via ISE. SGT is assigned. I have CTS role-based enforcement enabled at the global and port level (but the switch does not indicate it).

 

<snippet from auth session>
Server Policies:
ACS ACL: Test-ACL-5b11bc70
SGT Value: 28

 

When I look at my CTS interface config, it shows disabled.  Is that correct?  How do I get that to say enabled? My switch port has no CTS configuration entries.

 

TestSwitch1#sho cts interface gi 1/0/24
Interface GigabitEthernet1/0/24:
CTS is disabled.
L3 IPM: disabled.
CTS sgt-caching Ingress : Disabled
CTS sgt-caching Egress : Disabled

 

A Wireshark capture on the originating port shows an EtherType of 0x800, not 0x8909.

 

What am I missing?


4 Replies

Damien Miller
VIP Alumni

Can you provide the output of 'show cts interface summary'?

 

Is gi1/0/24 your uplink to the next switch, or the port with the client session?

Greg Gibbs
Cisco Employee

Did you configure 'cts manual' on the interface?

You also want to do a 'shut' and 'no shut' on the interface after configuring 'cts manual'.

Have a look at the Cisco TrustSec Switch Configuration Guide for comparing your switch configuration.

 

Cheers,

Greg

Thanks for the reply. I'm not wanting to manually assign an SGT to the port. The SGT is assigned by ISE. I'm looking for the tag value to be propagated by the switch on the uplink port.

 

For reference, it's mutually exclusive:

 

Sw1(config)#int gi 1/0/24
Sw1(config-if)#cts manual
Command rejected (Gi1/0/24): conflict with Dot1x Auth

 

 

Greg Gibbs
Cisco Employee

Accepted Solution

From the Configuration Guide I linked, the 'cts manual' command:

"Enables Cisco TrustSec SGT authorization and forwarding on the interface, and enters Cisco TrustSec manual interface configuration mode."

 

The 'cts manual' configuration is required to enable inline tagging on the interface.

It does not statically configure an SGT on the link unless you configure the 'policy static sgt <tag>' option under the (config-if-cts-manual) subconfig.

 

Dot1x Auth and CTS inline tagging should not (and cannot) be enabled on the same interface. Dot1x should only be enabled on switchports that are connected to endpoints. CTS inline tagging should be enabled on the links to upstream/downstream switches to propagate the inline tags.

 

Also, be aware that when you enable 'cts manual' on the interface, you will lose connectivity with the other switch until you enable the 'cts manual' on the connecting interface there. If you're doing this remotely, you need to either have out-of-band access to both switches or carefully plan to enable the more remote switch first.

 

Cheers,

Greg
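The wire-level check behind this thread (the original post's Wireshark observation of EtherType 0x800 instead of 0x8909, and Greg's point that inline tagging only happens on a 'cts manual' link) done in Python, as an added example that is not from the thread, from Cisco, or from any Cisco tool. It classifies captured Ethernet frames as plain or SGT inline-tagged and pulls the SGT value out of the Cisco MetaData (CMD) header. The CMD field layout used here (version, length, SGT option type 0x0001, SGT value, encapsulated EtherType, as displayed by Wireshark's cisco-metadata dissector) is an assumption to verify against your own capture, and the sample frames are constructed, not captured.

```python
"""Classify Ethernet frames as plain or Cisco TrustSec inline-tagged (SGT in CMD header).

Added example, not code from the thread. A frame leaving an interface with
'cts manual' carries EtherType 0x8909 (Cisco MetaData, CMD) before the IP
payload; a frame from a port without it carries 0x0800 directly, which is
what the original poster saw in Wireshark.

Assumed CMD layout after the 0x8909 EtherType (verify against a real capture):
  version (1 byte) | length (1 byte) | SGT option type (2 bytes, 0x0001)
  | SGT value (2 bytes) | encapsulated EtherType (2 bytes)
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_DOT1Q = 0x8100
ETHERTYPE_CMD = 0x8909
CMD_SGT_OPTION = 0x0001  # assumed option type value for the SGT option


def parse_frame(frame: bytes) -> dict:
    """Return MACs, optional VLAN, optional SGT and the payload EtherType/offset."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    offset += 2

    vlan = None
    if ethertype == ETHERTYPE_DOT1Q:  # 802.1Q tag precedes CMD on a trunk
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlan = tci & 0x0FFF
        offset += 4

    sgt = None
    if ethertype == ETHERTYPE_CMD:
        if len(frame) < offset + 8:
            raise ValueError("truncated CMD header")
        version, length, opt_type, sgt_value, inner = struct.unpack_from(
            "!BBHHH", frame, offset
        )
        if opt_type != CMD_SGT_OPTION:
            raise ValueError(f"unexpected CMD option type {opt_type:#06x}")
        sgt = sgt_value
        ethertype = inner  # EtherType of the encapsulated payload (e.g. 0x0800)
        offset += 8

    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlan": vlan,
        "sgt": sgt,
        "inline_tagged": sgt is not None,
        "ethertype": ethertype,
        "payload_offset": offset,
    }


def summarize(frame: bytes) -> str:
    """One-line verdict in the terms the thread uses."""
    info = parse_frame(frame)
    if info["inline_tagged"]:
        return f"inline-tagged: SGT {info['sgt']} (CMD 0x8909), payload EtherType {info['ethertype']:#06x}"
    return f"not inline-tagged: EtherType {info['ethertype']:#06x} straight after the MAC header"


# Constructed sample frames (not captured traffic). The IP bytes are only a stub.
MAC_DST = bytes.fromhex("001122334455")
MAC_SRC = bytes.fromhex("66778899aabb")
IP_STUB = bytes.fromhex("45000014000000004001")
CMD_SGT28 = struct.pack("!BBHHH", 1, 1, CMD_SGT_OPTION, 28, ETHERTYPE_IPV4)

# What the poster saw on the client-facing port: plain IPv4, no CMD header.
UNTAGGED_FRAME = MAC_DST + MAC_SRC + struct.pack("!H", ETHERTYPE_IPV4) + IP_STUB
# What a 'cts manual' uplink should emit for a session with SGT value 28.
TAGGED_FRAME = MAC_DST + MAC_SRC + struct.pack("!H", ETHERTYPE_CMD) + CMD_SGT28 + IP_STUB
# Same, but on a trunk with VLAN 100 in front of the CMD header.
DOT1Q_TAGGED_FRAME = (
    MAC_DST + MAC_SRC + struct.pack("!HH", ETHERTYPE_DOT1Q, 100)
    + struct.pack("!H", ETHERTYPE_CMD) + CMD_SGT28 + IP_STUB
)

if __name__ == "__main__":
    for name, frame in (("client port", UNTAGGED_FRAME),
                        ("cts manual uplink", TAGGED_FRAME),
                        ("cts manual trunk", DOT1Q_TAGGED_FRAME)):
        print(f"{name:18s} {summarize(frame)}")
```

To use it on real traffic, feed the raw frame bytes from a pcap (for example via a pcap reader library) to parse_frame; a client-facing port is expected to report "not inline-tagged", and the 0x8909 frames should only appear on the links where 'cts manual' is configured on both ends.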