Dear
can we discuss the following tasks CCIE Security v5 tasks 3.5/4.2/4.4,
actually i have issue with task 3.5 wich affect all other task
SW2 is not able to download CTS environmental data
i am sure that switch name and password are same on both side SW/ISE
i am using iron port ios image at my SW
do you have any suggestion.
thank you
4
CCIE Security v5 tasks 3.5/4.2/4.4
Started By
mkaalhamd
, Feb 11 2019 03:01 PM
32 replies to this topic
|
Thanked by 2 Members:
|
,
|
#2
MrR0b0t
-
- Technical Expert
-
- 130 posts
- 8945 thanks
Cisco Technologies Expert.
Posted 11 February 2019 - 04:21 PM
Which IOL version exactly? Did you add CTS credentials on the SW?
"Do not mistake my Generosity for generosity."
______________________________________________________
-> Do not post useless "thank you" post.
-> Please use the "Thanks" button as shown in the announcements
-> Help us keep this forum clean by reporting spam / scam / non IT related posts.
-> Please use report button to report posts / users.
______________________________________________________
-> Do not post useless "thank you" post.
-> Please use the "Thanks" button as shown in the announcements
-> Help us keep this forum clean by reporting spam / scam / non IT related posts.
-> Please use report button to report posts / users.
|
Thanked by 2 Members:
|
,
|
#3
cc1ecisco
-
- Members
-
- 89 posts
- 988 thanks
Advanced Member
Posted 12 February 2019 - 10:14 AM
mkaalhamd, on 11 February 2019 - 03:01 PM, said:
Dear
can we discuss the following tasks CCIE Security v5 tasks 3.5/4.2/4.4,
actually i have issue with task 3.5 wich affect all other task
SW2 is not able to download CTS environmental data
i am sure that switch name and password are same on both side SW/ISE
i am using iron port ios image at my SW
do you have any suggestion.
thank you
can we discuss the following tasks CCIE Security v5 tasks 3.5/4.2/4.4,
actually i have issue with task 3.5 wich affect all other task
SW2 is not able to download CTS environmental data
i am sure that switch name and password are same on both side SW/ISE
i am using iron port ios image at my SW
do you have any suggestion.
thank you
Use the following command on SW2 and SW2 will receive the PAC immediately and environment data will be successful:
ip radius source interface vlan150
#4
MrR0b0t
-
- Technical Expert
-
- 130 posts
- 8945 thanks
Cisco Technologies Expert.
Posted 12 February 2019 - 10:42 AM
cc1ecisco, on 12 February 2019 - 10:14 AM, said:
Use the following command on SW2 and SW2 will receive the PAC immediately and environment data will be successful:
ip radius source interface vlan150
ip radius source interface vlan150
That command will do nothing if the CTS credentials are not added in SW key/credentials repository. This is just to "To force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets". And i believe this would be required in case a switch has route to ISE server through more than one interface (not directly connected subnet) so in order to match the NAS IP address defined on ISE for that particular device, one would use this command so that request is sent with source address matching to N/W device config on ISE.
Edited by MrR0b0t, 12 February 2019 - 05:06 PM.
"Do not mistake my Generosity for generosity."
______________________________________________________
-> Do not post useless "thank you" post.
-> Please use the "Thanks" button as shown in the announcements
-> Help us keep this forum clean by reporting spam / scam / non IT related posts.
-> Please use report button to report posts / users.
______________________________________________________
-> Do not post useless "thank you" post.
-> Please use the "Thanks" button as shown in the announcements
-> Help us keep this forum clean by reporting spam / scam / non IT related posts.
-> Please use report button to report posts / users.
#5
tonythetiger
-
- Members
-
- 82 posts
- 735 thanks
Advanced Member
Posted 12 February 2019 - 10:50 AM
cc1ecisco, on 12 February 2019 - 10:14 AM, said:
Use the following command on SW2 and SW2 will receive the PAC immediately and environment data will be successful:
ip radius source interface vlan150
ip radius source interface vlan150
Will you recommend the following configuration for the SW2 ?
radius server ISE
address ipv4 150.1.7.212 auth-port 1812 acct-port 1813
pac key ccie
aaa group server radius ise-group
server name ISE
ip radius source interface vlan150
aaa authorization network cts-list group ise-group
# cts credentials id SW2 password ccie
# cts authorization list cts-list
# cts sxp enable
# cts sxp default password ccie
# cts sxp default source-ip x.x.x.x
# cts sxp connection peer x.x.x.x source x.x.x.x password default mode local speaker
Thanks
Edited by tonythetiger, 12 February 2019 - 11:03 AM.
#6
MrR0b0t
-
- Technical Expert
-
- 130 posts
- 8945 thanks
Cisco Technologies Expert.
Posted 12 February 2019 - 11:01 AM
tonythetiger, on 12 February 2019 - 10:50 AM, said:
Will you recommend the following configuration for the SW2 ?
radius server ISE
address ipv4 150.1.7.212 auth-port 1812 acct-port 1813
pac key ccie
aaa group server radius ise-group
server name ISE
ip radius source interface vlan150
aaa authorization network cts-list group ise-group
# cts credentials id SW2 password ccie
# cts authorization list ISE-CTS-LIST
# cts sxp enable
# cts sxp default password ccie
# cts sxp default source-ip x.x.x.x
# cts sxp connection peer x.x.x.x source x.x.x.x password default mode local speaker
Thanks
radius server ISE
address ipv4 150.1.7.212 auth-port 1812 acct-port 1813
pac key ccie
aaa group server radius ise-group
server name ISE
ip radius source interface vlan150
aaa authorization network cts-list group ise-group
# cts credentials id SW2 password ccie
# cts authorization list ISE-CTS-LIST
# cts sxp enable
# cts sxp default password ccie
# cts sxp default source-ip x.x.x.x
# cts sxp connection peer x.x.x.x source x.x.x.x password default mode local speaker
Thanks
CTS authorization network list do not match between what is defined and what is being authorized under CTS
"Do not mistake my Generosity for generosity."
______________________________________________________
-> Do not post useless "thank you" post.
-> Please use the "Thanks" button as shown in the announcements
-> Help us keep this forum clean by reporting spam / scam / non IT related posts.
-> Please use report button to report posts / users.
______________________________________________________
-> Do not post useless "thank you" post.
-> Please use the "Thanks" button as shown in the announcements
-> Help us keep this forum clean by reporting spam / scam / non IT related posts.
-> Please use report button to report posts / users.
#7
cc1ecisco
-
- Members
-
- 89 posts
- 988 thanks
Advanced Member
Posted 12 February 2019 - 02:00 PM
MrR0b0t, on 12 February 2019 - 10:42 AM, said:
That command will do nothing if the CTS credentials are not added in SW key/credentials repository. This is just to "To force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets". And i believe this would be required in case a switch has route to ISE server through more than one interface so in order to match the NAS IP address defined on ISE for that particular device, one would use this command so that request is sent with source address matching to N/W device config on ISE.
#8
cc1ecisco
-
- Members
-
- 89 posts
- 988 thanks
Advanced Member
Posted 12 February 2019 - 02:04 PM
tonythetiger, on 12 February 2019 - 10:50 AM, said:
Will you recommend the following configuration for the SW2 ?
radius server ISE
address ipv4 150.1.7.212 auth-port 1812 acct-port 1813
pac key ccie
aaa group server radius ise-group
server name ISE
ip radius source interface vlan150
aaa authorization network cts-list group ise-group
# cts credentials id SW2 password ccie
# cts authorization list cts-list
# cts sxp enable
# cts sxp default password ccie
# cts sxp default source-ip x.x.x.x
# cts sxp connection peer x.x.x.x source x.x.x.x password default mode local speaker
Thanks
radius server ISE
address ipv4 150.1.7.212 auth-port 1812 acct-port 1813
pac key ccie
aaa group server radius ise-group
server name ISE
ip radius source interface vlan150
aaa authorization network cts-list group ise-group
# cts credentials id SW2 password ccie
# cts authorization list cts-list
# cts sxp enable
# cts sxp default password ccie
# cts sxp default source-ip x.x.x.x
# cts sxp connection peer x.x.x.x source x.x.x.x password default mode local speaker
Thanks
Use the below config and if you face any issue then PM me:
radius server CCIE
add ipv4 150.1.7.212 auth-port 1812 acct-port 1813
pac key cisco
!
aaa group server radius ISE
server name CCIE
!
aaa authorization network default group ISE
aaa authorization network ISE group ISE
!
cts credentials id SW2_P password ccieccie
!
cts authorization list ISE
cts sxp default source-ip 10.100.8.1
cts sxp default password ccie
cts sxp connection peer 10.100.8.22 source 10.100.8.1 password default mode local speaker
cts sxp enable
!
ip radius source interface vlan150
Edited by cc1ecisco, 12 February 2019 - 02:05 PM.
#9
MrR0b0t
-
- Technical Expert
-
- 130 posts
- 8945 thanks
Cisco Technologies Expert.
Posted 12 February 2019 - 02:07 PM
cc1ecisco, on 12 February 2019 - 02:00 PM, said:
off course other configuration have to be there - this single command will not make 3.5 work
Sure but my point was that this command is basically useless as far as this lab is concerned because as per network design. SW has only one route to reach ISE so even if you do not add this command, it will still use its VLAN 150 address as source for Radius requests.
"Do not mistake my Generosity for generosity."
______________________________________________________
-> Do not post useless "thank you" post.
-> Please use the "Thanks" button as shown in the announcements
-> Help us keep this forum clean by reporting spam / scam / non IT related posts.
-> Please use report button to report posts / users.
______________________________________________________
-> Do not post useless "thank you" post.
-> Please use the "Thanks" button as shown in the announcements
-> Help us keep this forum clean by reporting spam / scam / non IT related posts.
-> Please use report button to report posts / users.
#10
cc1ecisco
-
- Members
-
- 89 posts
- 988 thanks
Advanced Member
Posted 12 February 2019 - 02:08 PM
MrR0b0t, on 12 February 2019 - 02:07 PM, said:
Sure but my point was that this command is basically useless as far as this lab is concerned because as per network design. SW has only one route to reach ISE so even if you do not add this command, it will still use its VLAN 150 address as source for Radius requests.
Edited by cc1ecisco, 12 February 2019 - 02:10 PM.
#11
MrR0b0t
-
- Technical Expert
-
- 130 posts
- 8945 thanks
Cisco Technologies Expert.
Posted 12 February 2019 - 02:21 PM
cc1ecisco, on 12 February 2019 - 02:08 PM, said:
Good luck !!!!!
Nah nah it is okay..No need to edit. I have passed it already. And why go to lab just for this, see i tested it again just now:
https://imgur.com/a/vDjbAuy
Did not use that precious command and see that source IP? That is assigned to VLAN 150. And oh yeah i quickly just copy pasted your commands from above without that "precious command" and expected result.
So try to understand the logic behind command not just blindly use it..mate!
"Do not mistake my Generosity for generosity."
______________________________________________________
-> Do not post useless "thank you" post.
-> Please use the "Thanks" button as shown in the announcements
-> Help us keep this forum clean by reporting spam / scam / non IT related posts.
-> Please use report button to report posts / users.
______________________________________________________
-> Do not post useless "thank you" post.
-> Please use the "Thanks" button as shown in the announcements
-> Help us keep this forum clean by reporting spam / scam / non IT related posts.
-> Please use report button to report posts / users.
#12
tonythetiger
-
- Members
-
- 82 posts
- 735 thanks
Advanced Member
Posted 12 February 2019 - 02:21 PM
cc1ecisco, on 12 February 2019 - 02:04 PM, said:
Use the below config and if you face any issue then PM me:
radius server CCIE
add ipv4 150.1.7.212 auth-port 1812 acct-port 1813
pac key cisco
!
aaa group server radius ISE
server name CCIE
!
aaa authorization network default group ISE
aaa authorization network ISE group ISE
!
cts credentials id SW2_P password ccieccie
!
cts authorization list ISE
cts sxp default source-ip 10.100.8.1
cts sxp default password ccie
cts sxp connection peer 10.100.8.22 source 10.100.8.1 password default mode local speaker
cts sxp enable
!
ip radius source interface vlan150
radius server CCIE
add ipv4 150.1.7.212 auth-port 1812 acct-port 1813
pac key cisco
!
aaa group server radius ISE
server name CCIE
!
aaa authorization network default group ISE
aaa authorization network ISE group ISE
!
cts credentials id SW2_P password ccieccie
!
cts authorization list ISE
cts sxp default source-ip 10.100.8.1
cts sxp default password ccie
cts sxp connection peer 10.100.8.22 source 10.100.8.1 password default mode local speaker
cts sxp enable
!
ip radius source interface vlan150
Is the hostname of the Switch SW2 or SW2_P ?!
I am a bit confused why you need to set the password for cts credentials to "ccieccie" instead of "ccie" ?
Thanks for your help !!
#13
joshhh
-
- Members
-
- 59 posts
- 32 thanks
Advanced Member
Posted 12 February 2019 - 05:31 PM
tonythetiger, on 12 February 2019 - 02:21 PM, said:
Is the hostname of the Switch SW2 or SW2_P ?!
I am a bit confused why you need to set the password for cts credentials to "ccieccie" instead of "ccie" ?
Thanks for your help !!
I am a bit confused why you need to set the password for cts credentials to "ccieccie" instead of "ccie" ?
Thanks for your help !!
###Line cts credentials id SW2_P password ccieccie
The hostname / pass shoud match the settings defined under ‘Advanced TrustSec Settings’ in your ISE.
This is one mandatory step to be able to download the environmental-data and the policy.
###Line cts sxp ...
These commands are here to relay the SGTs to the ASA which is configured as listener and enforcer (the password needs to be the same between the switch and the ASA).
The cts credentials id SW2_P password ccieccie is not needed if the switch is only acting as a SXP Speaker.
#14
cc1ecisco
-
- Members
-
- 89 posts
- 988 thanks
Advanced Member
Posted 12 February 2019 - 09:26 PM
joshhh, on 12 February 2019 - 05:31 PM, said:
###Line cts credentials id SW2_P password ccieccie
The hostname / pass shoud match the settings defined under ‘Advanced TrustSec Settings’ in your ISE.
This is one mandatory step to be able to download the environmental-data and the policy.
###Line cts sxp ...
These commands are here to relay the SGTs to the ASA which is configured as listener and enforcer (the password needs to be the same between the switch and the ASA).
The cts credentials id SW2_P password ccieccie is not needed if the switch is only acting as a SXP Speaker.
The hostname / pass shoud match the settings defined under ‘Advanced TrustSec Settings’ in your ISE.
This is one mandatory step to be able to download the environmental-data and the policy.
###Line cts sxp ...
These commands are here to relay the SGTs to the ASA which is configured as listener and enforcer (the password needs to be the same between the switch and the ASA).
The cts credentials id SW2_P password ccieccie is not needed if the switch is only acting as a SXP Speaker.
Above highlighted is correct.
Edited by cc1ecisco, 12 February 2019 - 09:28 PM.
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users