By default, Cisco Identity Services Engine (ISE) uses a PAC file transmitted over RADIUS to exchange TrustSec environment data between ISE and the Network Access Devices (NADs). From ISE version 2.7 onwards, ISE can instead exchange this information using a REST API over HTTPS. Using HTTPS to transfer TrustSec environment data is faster, more reliable, and more secure than using RADIUS.
Requirements
- The communication between ISE and the NAD uses tcp/9603 to transfer TrustSec environment data over HTTPS using REST.
- Cisco NADs (switches and routers) must be running software version 16.12.2, 17.1.1 or higher.
- The credentials on each NAD used to authenticate to ISE must be unique.
This post assumes that the basic ISE and TrustSec configuration has already been applied and covers enabling the exchange of TrustSec environment data using the REST API over HTTPS.
The following software versions were used:
- Cisco Identity Services Engine (ISE) 3.0
- Cisco CSR1000v 17.3.1
Network Access Device Configuration
Create a PKI Trustpoint and import the root certificate
The PKI Trustpoint should import the Root Certificate that was used to sign the identity certificate used by ISE. If you are not using certificate revocation checking, disable it with revocation-check none, as in the commands below.
crypto pki trustpoint LAB_PKI
 enrollment terminal
 revocation-check none
- Run the command crypto pki authenticate LAB_PKI and, when prompted, paste the Base64-encoded CA certificate.
- When prompted type yes to accept the certificate
- Use the command show crypto pki certificates to confirm the CA certificate has successfully been imported.
Define a TrustSec Policy Server
The Policy Server should reference the name of the PKI Trustpoint configured in the previous step. Define each ISE node that is configured for HTTPS.
cts policy-server name ISE
 address ipv4 192.168.10.11
 tls server-trustpoint LAB_PKI
Define the unique CTS username/password
cts policy-server username <username> password <password>
Define the Device ID to be sent to ISE
cts policy-server device-id <unique device id>
Enable downloading of environment data from ISE
cts environment-data enable
Configure AAA dynamic authorization to enable CoA
aaa server radius dynamic-author
 client 192.168.10.11 server-key <password>
ISE Configuration
- Log in to the ISE GUI
- Navigate to Administration > Certificates
- Ensure the certificate used by ISE is issued by the CA that has been imported into the Trustpoint on the NAD.
From the output below, we can confirm the Serial Number is the same as the one shown on the NAD by the command show crypto pki certificates.
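The trust relationship set up above (trustpoint CA, tcp/9603, no revocation check) can be rehearsed from a management host before the NAD is touched. This is an added example, not code from the original post or from Cisco: it completes a TLS handshake with the PSN trusting only the CA that was imported into the trustpoint, and returns the peer certificate serial so it can be compared with the value from show crypto pki certificates or the ISE GUI. The file name cts_tls_check.py and the CA PEM path are assumptions.

```python
"""Rehearse the TLS trust a NAD needs to reach an ISE PSN on tcp/9603.

Added example (not from the original post). The handshake succeeds only if
the PSN identity certificate chains to the CA imported into the trustpoint,
which is the same condition the NAD's cts policy-server tls check enforces.
"""
import socket
import ssl

CTS_REST_PORT = 9603  # TrustSec environment data over REST/HTTPS


def normalize_serial(serial: str) -> str:
    """Canonical form of a certificate serial number.

    Tools print serials as spaced hex ('1A 2B 3C'), colon-separated hex
    ('1a:2b:3c'), with a 0x prefix or with leading zeros; Python's ssl module
    returns a bare upper-case hex string. All of these compare equal here.
    """
    cleaned = "".join(ch for ch in serial if ch.isalnum())
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    return cleaned.upper().lstrip("0") or "0"


def serials_match(a: str, b: str) -> bool:
    return normalize_serial(a) == normalize_serial(b)


def trustpoint_context(ca_pem_path: str) -> ssl.SSLContext:
    """Trust only the trustpoint CA; no CRL check, mirroring revocation-check none."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)  # this CA only, no system store
    ctx.verify_flags &= ~ssl.VERIFY_CRL_CHECK_CHAIN
    # Assumption: the policy server is defined by IPv4 address as in the post,
    # so only the chain to the CA is checked, not the name in the certificate.
    ctx.check_hostname = False
    return ctx


def fetch_policy_server_serial(host, ca_pem_path, port=CTS_REST_PORT, timeout=5.0):
    """Handshake with the PSN; raises ssl.SSLCertVerificationError if the chain fails."""
    ctx = trustpoint_context(ca_pem_path)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return normalize_serial(tls.getpeercert()["serialNumber"])


if __name__ == "__main__":
    import sys  # usage: python cts_tls_check.py <psn-ip> <trustpoint-ca.pem> [expected-serial]
    serial = fetch_policy_server_serial(sys.argv[1], sys.argv[2])
    print("PSN certificate serial:", serial)
    if len(sys.argv) > 3:
        print("matches expected serial:", serials_match(serial, sys.argv[3]))
```

A verification failure here points at the wrong CA in the trustpoint or an ISE identity certificate issued by a different authority, which is exactly what would later surface as a failed cts policy-server connection on the NAD.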
Define Network Access Device
- Navigate to Administration > Network Resources > Network Devices
- Modify an existing NAD or create new
- Enable the RADIUS Shared Secret under RADIUS Authentication Settings
NOTE – the RADIUS Shared Secret defined here must be the same as the server-key password configured under aaa server radius dynamic-author on the NAD.
- Enable the HTTP REST API settings and define the username/password as defined on the switch.
- Under TrustSec Notifications and Updates, tick Send configuration changes to device
- Select CoA as the method used to send the updates
NOTE – Push notifications and updates rely on the aaa server radius dynamic-author configuration defined on the NAD in order for the NAD to receive the updates.
Enable TrustSec HTTPS Servers
- Navigate to Work Centers > TrustSec > Components > TrustSec Servers > HTTPS Servers
- Click Manage PSN Servers
- Select the ISE PSN server(s) using HTTPS to transfer TrustSec data to the NADs, then click Save.
Enable HTTP Service
- Navigate to Work Centers > TrustSec > Settings > General TrustSec Settings
- Click Enable HTTP Service
Optional
Creating Security Group ACLs and Security Groups is not required to enable the exchange of TrustSec environment data using the REST API over HTTPS, but this is the information that gets exchanged, so configuring them here simulates a production environment and helps to confirm everything is working correctly.
Create Security Group ACLs (SGACL)
- Navigate to Work Centers > TrustSec > Components > Security Group ACLs
- Click Add
- Create an SGACL with a descriptive name, e.g., “DENY_ALL”
- Define the SGACL content, e.g., “deny ip”
- Click Save
Create Security Groups (SGTs)
- Navigate to Work Centers > TrustSec > Components > Security Groups
- Add new SGTs and/or delete some existing SGTs
Testing/Verification
From the CLI run the command show cts policy-server details all. If communication has been successfully established, the Trustpoint chain should be automatically updated. Note that the output below includes the FQDN of the ISE server; this FQDN was not defined in our configuration, rather ISE pushed this information to the NAD.
Run the command show cts environment-data to confirm the SGTs have been successfully downloaded. From the output below, we can confirm the SGTs defined in ISE have been downloaded.
Note the environment data refreshes after 86400 seconds (24 hours/1 day). This value is configurable under the NAD settings. The environment data can be manually refreshed from the NAD, using the command cts refresh environment-data.
Run the command show cts role-based permissions to confirm the TrustSec Policy matrix has been downloaded to the NAD. Be aware that the RBACL will be downloaded only if an SGT-IP binding exists on the NAD.
- To update the role-based policies, amend the TrustSec Matrix on the ISE GUI.
- Click the Deploy button
NOTE – Clicking Deploy uses the CoA function to push the updated configuration down to the NAD. Therefore, it is important to ensure the aaa server radius dynamic-author command is configured on the NAD and that the relevant settings for notifications and updates are configured under the NAD settings in ISE.
Run the command show cts role-based permissions again on the NAD and confirm the updated policy.
NOTE – the policy will only be downloaded if there are SGT-IP bindings for the SGTs active on the NAD.
Debugging can be enabled using the commands debug cts policy-server http all and debug cts policy-server json all. From the output below we can confirm the successful connection, exchange of the certificates and downloading the environment data (SGTs).
References
Refer to the following links for more information on configuring ISE and TrustSec.
Cisco Catalyst IOS-XE 17.2 Admin Guide for SGACL and Environment Data download over REST