TrustSec Troubleshooting on Edge Node Switch in SDA environment

Before we start with the basic commands used to troubleshoot TrustSec on the edge node switch in the SDA environment, let's see what TrustSec is all about.

TrustSec 
Cisco TrustSec was developed to simplify the provisioning and management of secure access to network services in a campus environment. Policies in TrustSec are group-based, which makes security policies consistent throughout the network.

Fig 1.1- Cisco TrustSec

It simplifies the complex task of maintaining security policies. With TrustSec, wired and wireless policies are common as they are not dependent on network topologies and are defined using groups.

Cisco TrustSec does not simply combine standards-based identity and enforcement models such as IEEE 802.1X and VLAN control; it also includes many advanced features such as flexible authentication, Downloadable Access Control Lists (dACLs), Security Group Tagging (SGT), device profiling, posture assessments, and many others.

Classification
A policy group tag (SGT) is assigned to an endpoint based on rich attributes such as user, device type, device posture status, location, etc. The Scalable Group Tag (SGT) is a 16-bit tag assigned by Cisco ISE to the endpoint using dynamic or static methods.

Dynamic classification is used at the access layer, through dynamic authentication methods such as 802.1X, MAB, or WebAuth. Static classification is used on the data center switches where servers are connected.

For more details, please see the article below:

Cisco TrustSec - Simplified Network Access Control Policies

Troubleshooting
We will discuss the commands used to troubleshoot TrustSec in a Cisco SDA environment.

Command No1

NDNA-Switch1# show cts environment-data

CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 216-22:TrustSec_Devices
Server List Info:
Installed list: CTSServerList1-000B, 2 server(s):
 *Server: 10.10.10.1, port 1812, A-ID 3X0P672A296F212FUEC21S27E4A2579N
          Status = DEAD
          auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
 *Server: 10.10.20.1, port 1812, A-ID 3X08674A806S217FUEC21C24E4A3549N
          Status = DEAD
Security Group Name Table:
    0-07:Unknown
    3-00:Network_Services
    4-04:Employees
    5-00:Contractors
    7-00:Production_Users
    8-00:Developers
    9-01:Auditors
    10-00:Point_of_Sale_Systems
    11-00:Production_Servers
    12-00:Development_Servers
    13-00:Test_Servers

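The above command displays the TrustSec environment data, which is useful for identifying the scalable groups pushed to the edge node. The same output lists the servers in the installed server list with their status; in this sample both show Status = DEAD.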

Command No2

NDNA-Switch1# show cts role-based sgt-map vrf NDNA-PROD all

%IPv6 protocol is not enabled in VRF NDNA-PROD
Active IPv4-SGT Bindings Information
IP Address              SGT     Source
============================================
10.30.0.1               216     INTERNAL
10.40.0.1               216     INTERNAL
10.50.0.1               216     INTERNAL

IP-SGT Active Bindings Summary
============================================
Total number of INTERNAL bindings = 3
Total number of active   bindings = 3

The above command shows the IP-to-SGT mappings on the edge node. An edge node has mappings for endpoints connected directly or through an AP or extended node.
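
The following Python example is added here and is not part of the original article. It parses saved output of the two commands above, resolves the SGT of each binding against the tag names in the environment data, and reports servers marked DEAD; the function names and the abbreviated sample text are assumptions made for the example.

```python
import re

# Abbreviated from the two sample outputs above; A-ID values left out.
ENV_DATA = """\
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 216-22:TrustSec_Devices
Installed list: CTSServerList1-000B, 2 server(s):
 *Server: 10.10.10.1, port 1812, A-ID (omitted)
          Status = DEAD
 *Server: 10.10.20.1, port 1812, A-ID (omitted)
          Status = DEAD
Security Group Name Table:
    0-07:Unknown
    4-04:Employees
    5-00:Contractors
"""
SGT_MAP = """\
IP Address              SGT     Source
10.30.0.1               216     INTERNAL
10.40.0.1               216     INTERNAL
"""

def parse_env(text):
    """Return (state, {server_ip: status}, {sgt_number: name})."""
    state = re.search(r"Current state = (\S+)", text)
    servers = dict(re.findall(r"\*Server: (\S+?),.*\n\s+Status = (\S+)", text))
    # Tag lines read "<number>-<suffix>:<name>"; the local device SGT uses the same form.
    tags = re.findall(r"^\s+(?:SGT tag = )?(\d+)-\w+:(\S+)\s*$", text, re.M)
    return (state.group(1) if state else None), servers, {int(n): name for n, name in tags}

def parse_bindings(text):
    """Return [(ip, sgt_number, source)] from the IPv4-SGT bindings table."""
    rows = re.findall(r"^(\d+(?:\.\d+){3})\s+(\d+)\s+(\S+)\s*$", text, re.M)
    return [(ip, int(sgt), src) for ip, sgt, src in rows]

def findings(env_text, map_text):
    """List what needs attention: state, server status, unnamed SGTs."""
    state, servers, names = parse_env(env_text)
    out = []
    if state != "COMPLETE":
        out.append(f"environment data state is {state}")
    out += [f"server {ip} reports Status = {st}" for ip, st in servers.items() if st == "DEAD"]
    out += [f"{ip} is bound to SGT {sgt}, which has no name in the environment data"
            for ip, sgt, _ in parse_bindings(map_text) if sgt not in names]
    return out

if __name__ == "__main__":
    print("\n".join(findings(ENV_DATA, SGT_MAP)))
```
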

Command No3

NDNA-Switch1# show cts role-based counters

This command provides information, on the exit edge node, about the SGACLs being applied.

Command No4

NDNA-Switch1# show cts role-based permissions

It shows the SGACLs configured in ISE and pushed to the edge device.

These are generally the four commands used for troubleshooting TrustSec on an edge node switch. We will come back with another component of the SDA environment, so that you know about it when you have to troubleshoot.