Cisco TrustSec VRF-Aware SGT

The Cisco TrustSec VRF-Aware SGT feature allows the device to communicate with the RADIUS servers through the Virtual Routing and Forwarding (VRF) interfaces. This feature allows protected access credential (PAC) and Environment-Data to be requested from the authentication device, Cisco Identity Services Engine (Cisco ISE), when Cisco ISE is in a VRF network.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Cisco TrustSec VRF-Aware SGT

VRF-Aware SGT

Cisco TrustSec uses the security group tag (SGT) to ensure that packets passing through the Cisco TrustSec network can be properly identified and have security and other access control policies applied to them.

When Cisco Identity Services Engine (Cisco ISE) is in a Virtual Routing and Forwarding (VRF) network, protected access credential (PAC) and Environment-Data information is obtained by opening a socket connection to Cisco ISE according to the VRF information. When an interface is configured to be in a VRF, the IP-SGT bindings learnt on that interface are added under that specific VRF.

How to Configure Cisco TrustSec VRF-Aware SGT

Configuring AAA and RADIUS for Cisco VRF-Aware SGT


Note

Configure only one source interface on the VRF network using the ip radius source-interface subinterface-name vrf vrf-name command. Configuring more than one source interface will result in packet loss.


SUMMARY STEPS

  1. enable
  2. configure terminal
  3. aaa new-model
  4. aaa session-id common
  5. aaa authentication dot1x default group group-name
  6. aaa authorization network default group group-name
  7. aaa authorization network list-name group group-name
  8. aaa server radius dynamic-author
  9. radius server name
  10. address ipv4 hostname [acct-port port | alias name | auth-port port [acct-port port]]
  11. pac key encryption-key
  12. exit
  13. aaa group server radius group-name
  14. server name server-name
  15. ip vrf forwarding vrf-name
  16. exit
  17. cts authorization list network list-name
  18. ip radius source-interface subinterface-name vrf vrf-name
  19. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

aaa new-model

Example:


Device(config)# aaa new-model

Enables new RADIUS and AAA access control commands and functions and disables old commands.

Step 4

aaa session-id common

Example:


Device(config)# aaa session-id common

Ensures that all session identification (ID) information that is sent out for a given call will be made identical.

Step 5

aaa authentication dot1x default group group-name

Example:


Device(config)# aaa authentication dot1x default group cts-sg

Specifies the server group used for authentication on interfaces running IEEE 802.1X.

Step 6

aaa authorization network default group group-name

Example:


Device(config)# aaa authorization network default group cts-sg

Specifies the default CTS authorization list for all network-related service requests from the RADIUS server group.

Step 7

aaa authorization network list-name group group-name

Example:


Device(config)# aaa authorization network cts-mlist group cts-sg

Specifies the CTS authorization list name for all network-related service requests from the RADIUS server group.

Step 8

aaa server radius dynamic-author

Example:


Device(config)# aaa server radius dynamic-author

Configures a device as an authentication, authorization, and accounting (AAA) server to facilitate interaction with an external policy server.

Step 9

radius server name

Example:


Device(config)# radius server myserver

Specifies a name for the RADIUS server PAC provisioning configuration and enters RADIUS server configuration mode.

Step 10

address ipv4 hostname [acct-port port | alias name | auth-port port [acct-port port]]

Example:


Device(config-radius-server)# address ipv4 10.0.0.1 acct-port 1813 auth-port 1812

Configures the RADIUS server accounting and authentication parameters for PAC provisioning.

  • The hostname argument is the RADIUS server IPv4 address or Domain Name System (DNS) name.

  • The acct-port keyword and port argument specify the UDP port for the RADIUS accounting server for accounting requests. The default port is 1646.

  • The alias keyword and name argument specify an alias for this server. The alias can be an IPv4 address or host name. Up to 8 aliases can be configured for this server.

  • The auth-port keyword and port argument specify the UDP port for RADIUS authentication server. The default port is 1645.

Step 11

pac key encryption-key

Example:


Device(config-radius-server)# pac key 7 mypackey

Specifies the Protected Access Credential (PAC) encryption key. The encryption-key argument can be 0 (specifies that an unencrypted key follows), 6 (specifies that an advanced encryption scheme [AES] encrypted key follows), 7 (specifies that a hidden key follows), or a line specifying the unencrypted (clear-text) server key.

Step 12

exit

Example:


Device(config-radius-server)# exit

Exits RADIUS server configuration mode and returns to global configuration mode.

Step 13

aaa group server radius group-name

Example:


Device(config)# aaa group server radius cts-sg

Specifies a server group and groups different RADIUS server hosts into distinct lists and distinct methods. Enters server-group RADIUS configuration mode.

Step 14

server name server-name

Example:


Device(config-sg-radius)# server name myserver

Configures a RADIUS server for the group server.

Step 15

ip vrf forwarding vrf-name

Example:


Device(config-sg-radius)# ip vrf forwarding vrf-intf

Configures the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an authentication, authorization, and accounting (AAA) RADIUS server group.

Step 16

exit

Example:


Device(config-sg-radius)# exit

Exits server-group RADIUS configuration mode and returns to global configuration mode.

Step 17

cts authorization list network list-name

Example:


Device(config)# cts authorization list cts-mlist

Specifies a list of AAA servers for the CTS seed device to use.

Step 18

ip radius source-interface subinterface-name vrf vrf-name

Example:


Device(config)# ip radius source-interface GigabitEthernet0 vrf vrf-intf 

Forces RADIUS to use the IP address of a specified interface per VRF for all outgoing RADIUS packets.

Step 19

end

Example:


Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Configuring VRF Connectivity to Cisco ISE

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface type number
  4. vrf forwarding vrf-name
  5. ip address ip-address mask
  6. negotiation auto
  7. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

interface type number

Example:


Device(config)# interface GigabitEthernet0

Specifies an interface and enters interface configuration mode.

Step 4

vrf forwarding vrf-name

Example:


Device(config-if)# vrf forwarding vrf-intf

Configures a VRF table.

Note 

You can configure VRF forwarding on any VRF-Aware Software Infrastructure (VASI) interface. You need not configure VRF instances on both VASI interfaces.

Step 5

ip address ip-address mask

Example:


Device(config-if)# ip address 10.0.0.1 255.0.0.0

Configures an IP address for an interface.

Step 6

negotiation auto

Example:


Device(config-if)# negotiation auto

Enables the autonegotiation protocol to configure the speed, duplex, and automatic flow control of the Gigabit Ethernet interface.

Step 7

end

Example:


Device(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

Verifying Cisco TrustSec VRF-Aware SGT

Before you begin

  • Verify the connectivity to Cisco Identity Services Engine (Cisco ISE) through the VRF.

  • Verify the AAA and RADIUS configuration.

SUMMARY STEPS

  1. enable
  2. show cts pac
  3. show cts environment-data

DETAILED STEPS


Step 1

enable

Enables privileged EXEC mode. Enter your password if prompted.

Example:


Device> enable

Step 2

show cts pac

Displays all the downloaded protected access credential (PAC) information.

Example:

The following sample output from the show cts pac command shows all the downloaded PACs:

Device# show cts pac

AID: BEF6BDBA77EE27F60C8C3681D72A4889
 PAC-Info:
 PAC-type = Cisco Trustsec
 AID: BEF6BDBA77EE27F60C8C3681D72A4889
 I-ID: SW-3k-1
 A-ID-Info: ise-cts-blr4
 Credential Lifetime: 18:53:53 IST Mar 10 2014
 PAC-Opaque: 000200B00003000100040010BEF6BDBA77EE27F60C8C3681D72A488900060094000301002E7ADBC30C9DA77EA4B9F12E1A7EE6BB000000135316210900093A8006D21C07B00CEEF835B17D522CBE89899AA589F09E0D31DCA27476B260DDB450383B01B410747A85CE9F71C42A580342208C125296C0EE8C63F9C838B06EB5DA725AED2DE2A82ED81E06F99A90B46D634A0DA7C60A005C720CFB6443DAA94BE5CE8C19CEE9CA67A7981D389708048C05B4B6648F
 Refresh timer is set for 00:01:05

Step 3

show cts environment-data

Displays the Cisco TrustSec environment data.

Example:

The following sample output from the show cts environment-data command shows the Cisco TrustSec environment data:

Device# show cts environment-data

CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
 SGT tag = 3-03:Cat6k_01
Server List Info:
Installed list: CTSServerList1-0001, 1 server(s):
 *Server: 10.64.67.248, port 1812, A-ID 36B3F575DBA9ED4E782D056231DFF41C
 Status = ALIVE
 auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
 0-c2:Unknown
 2-c2:Cat6k_45
 3-c2:Cat6k_01
 4-c2:4k_active
 5-c2:cat3k_stack
 6-c2:cat3k_33
Environment Data Lifetime = 86400 secs 
Last update time = 01:56:48 UTC Wed Mar 30 2011
Env-data expires in 0:23:56:37 (dd:hr:mm:sec)
Env-data refreshes in 0:23:56:37 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running


Configuration Examples For Cisco TrustSec VRF-Aware SGT

Example: Configuring AAA and RADIUS for Cisco VRF-Aware SGT


Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa session-id common
Device(config)# aaa authentication dot1x default group cts-sg
Device(config)# aaa authorization network default group cts-sg
Device(config)# aaa authorization network cts-mlist group cts-sg
Device(config)# aaa server radius dynamic-author
Device(config)# radius server myserver
Device(config-radius-server)# address ipv4 10.0.0.1 acct-port 1813 auth-port 1812
Device(config-radius-server)# pac key 7 mypackey
Device(config-radius-server)# exit
Device(config)# aaa group server radius cts-sg 
Device(config-sg-radius)# server name myserver 
Device(config-sg-radius)# ip vrf forwarding vrf-intf 
Device(config-sg-radius)# exit
Device(config)# cts authorization list cts-mlist
Device(config)# ip radius source-interface GigabitEthernet0 vrf vrf-intf
Device(config)# end

Example: Configuring VRF Connectivity to Cisco ISE


Device> enable
Device# configure terminal
Device(config)# interface GigabitEthernet0 
Device(config-if)# vrf forwarding vrf-intf 
Device(config-if)# ip address 10.0.0.1 255.0.0.0 
Device(config-if)# negotiation auto 
Device(config-if)# end 

Additional References for Cisco TrustSec VRF-Aware SGT

Related Documents

Related Topic                    Document Title
Cisco IOS commands               Cisco IOS Master Command List, All Releases
Cisco IOS Security commands
Cisco TrustSec configuration     "Cisco TrustSec Support for IOS" chapter in the Cisco TrustSec Configuration Guide
Cisco TrustSec overview          Overview of TrustSec
Cisco TrustSec solution          Cisco TrustSec Security Solution

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for Cisco TrustSec VRF-Aware SGT

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1. Feature Information for Cisco TrustSec VRF-Aware SGT

Feature Name

Releases

Feature Information

Cisco TrustSec VRF-Aware SGT

Cisco IOS 15.1(2)SY1

The Cisco TrustSec VRF-Aware SGT feature allows the device to communicate with the RADIUS servers through the Virtual Routing and Forwarding (VRF) interfaces. This feature allows protected access credential (PAC) and Environment-Data to be requested from the authentication device, Cisco Identity Services Engine (Cisco ISE), when Cisco ISE is in a VRF network.

The following command was introduced or modified: pac key encryption-key.