

CCIE Security v5 tasks 3.5/4.2/4.4
#1
Posted 11 February 2019 - 03:01 PM
Can we discuss the following CCIE Security v5 tasks, 3.5/4.2/4.4?
Actually I have an issue with task 3.5 which affects all the other tasks.
SW2 is not able to download CTS environment data.
I am sure that the switch name and password are the same on both sides (SW/ISE).
I am using the iron port IOS image on my SW.
Do you have any suggestion?
Thank you
#2
Posted 11 February 2019 - 04:21 PM
______________________________________________________
-> Do not post useless "thank you" post.
-> Please use the "Thanks" button as shown in the announcements
-> Help us keep this forum clean by reporting spam / scam / non IT related posts.
-> Please use report button to report posts / users.
#3
Posted 12 February 2019 - 10:14 AM
mkaalhamd, on 11 February 2019 - 03:01 PM, said:
Can we discuss the following CCIE Security v5 tasks, 3.5/4.2/4.4?
Actually I have an issue with task 3.5 which affects all the other tasks.
SW2 is not able to download CTS environment data.
I am sure that the switch name and password are the same on both sides (SW/ISE).
I am using the iron port IOS image on my SW.
Do you have any suggestion?
Thank you
Use the following command on SW2 and SW2 will receive the PAC immediately and environment data will be successful:
ip radius source interface vlan150
#4
Posted 12 February 2019 - 10:42 AM
cc1ecisco, on 12 February 2019 - 10:14 AM, said:
ip radius source interface vlan150
That command will do nothing if the CTS credentials are not added in the SW key/credentials repository. This is just to "force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets". And I believe this would be required in case a switch has a route to the ISE server through more than one interface (not a directly connected subnet), so in order to match the NAS IP address defined on ISE for that particular device, one would use this command so that the request is sent with a source address matching the N/W device config on ISE.
Edited by MrR0b0t, 12 February 2019 - 05:06 PM.
#5
Posted 12 February 2019 - 10:50 AM
cc1ecisco, on 12 February 2019 - 10:14 AM, said:
ip radius source interface vlan150
Will you recommend the following configuration for SW2?
radius server ISE
address ipv4 150.1.7.212 auth-port 1812 acct-port 1813
pac key ccie
aaa group server radius ise-group
server name ISE
ip radius source interface vlan150
aaa authorization network cts-list group ise-group
# cts credentials id SW2 password ccie
# cts authorization list cts-list
# cts sxp enable
# cts sxp default password ccie
# cts sxp default source-ip x.x.x.x
# cts sxp connection peer x.x.x.x source x.x.x.x password default mode local speaker
Thanks
Edited by tonythetiger, 12 February 2019 - 11:03 AM.
#6
Posted 12 February 2019 - 11:01 AM
tonythetiger, on 12 February 2019 - 10:50 AM, said:
radius server ISE
address ipv4 150.1.7.212 auth-port 1812 acct-port 1813
pac key ccie
aaa group server radius ise-group
server name ISE
ip radius source interface vlan150
aaa authorization network cts-list group ise-group
# cts credentials id SW2 password ccie
# cts authorization list ISE-CTS-LIST
# cts sxp enable
# cts sxp default password ccie
# cts sxp default source-ip x.x.x.x
# cts sxp connection peer x.x.x.x source x.x.x.x password default mode local speaker
Thanks
The CTS authorization network list does not match between what is defined and what is being authorized under CTS.
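The mismatch pointed out above (aaa authorization network list "cts-list" versus "cts authorization list ISE-CTS-LIST") is the kind of thing that is easy to miss when pasting configs between lab tasks. The following Python script is an added example, not code from this thread or from Cisco: it parses a pasted IOS snippet and checks that every name in the TrustSec chain resolves (cts authorization list -> aaa authorization network list -> server group -> radius server with a pac key), that a cts credentials line is present when a list is configured, and that an SXP peer using "password default" actually has a default password. The two sample snippets are constructed from the ones posted above, and the parser tolerates the "# " prompt markers from the pastes.

```python
"""Name-consistency checks on a pasted TrustSec (CTS) switch snippet.
Added example, not code from the thread or from Cisco: it follows the chain
cts authorization list -> aaa authorization network list -> server group ->
radius server (with a pac key), plus credentials and the SXP default password.
"""

def _tokens(raw):
    # Forum pastes carry prompt markers ("# ") and indentation; drop both.
    return raw.strip().lstrip("#").split()

def parse(text):
    """Collect the objects whose names must agree with each other."""
    p = {"servers": {}, "groups": {}, "authz": {}, "cts_list": None,
         "has_creds": False, "sxp_default_pw": False, "sxp_peers_default": []}
    cur_server = cur_group = None  # sub-mode blocks currently open
    for raw in text.splitlines():
        tok = _tokens(raw)
        if not tok or tok[0] == "!":  # '!' or a blank line closes a block
            cur_server = cur_group = None
        elif tok[:2] == ["radius", "server"] and len(tok) > 2:
            cur_server = tok[2]
            p["servers"][cur_server] = {"pac_key": False}
        elif tok[:2] == ["pac", "key"] and cur_server:
            p["servers"][cur_server]["pac_key"] = True
        elif tok[:4] == ["aaa", "group", "server", "radius"] and len(tok) > 4:
            cur_group = tok[4]
            p["groups"][cur_group] = []
        elif tok[:2] == ["server", "name"] and cur_group and len(tok) > 2:
            p["groups"][cur_group].append(tok[2])
        elif tok[:3] == ["aaa", "authorization", "network"] and "group" in tok[4:-1]:
            p["authz"][tok[3]] = tok[tok.index("group") + 1]
        elif tok[:3] == ["cts", "authorization", "list"] and len(tok) > 3:
            p["cts_list"] = tok[3]
        elif tok[:2] == ["cts", "credentials"]:  # exec command on IOS, but pasted here
            p["has_creds"] = True
        elif tok[:4] == ["cts", "sxp", "default", "password"]:
            p["sxp_default_pw"] = True
        elif tok[:4] == ["cts", "sxp", "connection", "peer"] and "password" in tok[5:-1]:
            if tok[tok.index("password") + 1] == "default":
                p["sxp_peers_default"].append(tok[4])
    return p

def check(text):
    """Return a list of findings; an empty list means the names line up."""
    p, out = parse(text), []
    lst = p["cts_list"]
    group = p["authz"].get(lst)
    if lst is None:
        out.append("no 'cts authorization list': no PAC or environment data is requested")
    elif not p["has_creds"]:
        out.append("no 'cts credentials id ... password': must match the ISE device entry")
    if lst is not None and group is None:
        out.append(f"cts authorization list '{lst}' has no matching "
                   f"'aaa authorization network {lst} group ...' line")
    elif group is not None and group not in p["groups"]:
        out.append(f"server group '{group}' used by list '{lst}' is not defined")
    elif group is not None:
        members = p["groups"][group]
        if not members:
            out.append(f"server group '{group}' has no 'server name' members")
        for name in members:
            srv = p["servers"].get(name)
            if srv is None:
                out.append(f"group '{group}' names '{name}' but no 'radius server {name}' exists")
            elif not srv["pac_key"]:
                out.append(f"radius server '{name}' has no 'pac key': PAC provisioning fails")
    if p["sxp_peers_default"] and not p["sxp_default_pw"]:
        out.append("an SXP peer uses 'password default' but no 'cts sxp default password' is set")
    return out

# Constructed sample modelled on the first snippet in the thread: list names differ.
MISMATCHED = """\
radius server ISE
 address ipv4 150.1.7.212 auth-port 1812 acct-port 1813
 pac key ccie
aaa group server radius ise-group
 server name ISE
aaa authorization network cts-list group ise-group
# cts credentials id SW2 password ccie
# cts authorization list ISE-CTS-LIST
# cts sxp default password ccie
"""

# Constructed sample modelled on the corrected snippet: every name resolves.
CONSISTENT = """\
radius server CCIE
 address ipv4 150.1.7.212 auth-port 1812 acct-port 1813
 pac key cisco
aaa group server radius ISE
 server name CCIE
aaa authorization network ISE group ISE
cts credentials id SW2_P password ccieccie
cts authorization list ISE
cts sxp default password ccie
cts sxp connection peer 10.100.8.22 source 10.100.8.1 password default mode local speaker
"""

if __name__ == "__main__":
    print(check(MISMATCHED), check(CONSISTENT))
```

Running it reports one finding for the first snippet (the list name on "cts authorization list" has no matching "aaa authorization network" list) and none for the second. It only checks that names agree inside the switch config; whether the device ID, password and PAC key match what is entered on ISE still has to be confirmed on the ISE side.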
#7
Posted 12 February 2019 - 02:00 PM
MrR0b0t, on 12 February 2019 - 10:42 AM, said:
#8
Posted 12 February 2019 - 02:04 PM
tonythetiger, on 12 February 2019 - 10:50 AM, said:
radius server ISE
address ipv4 150.1.7.212 auth-port 1812 acct-port 1813
pac key ccie
aaa group server radius ise-group
server name ISE
ip radius source interface vlan150
aaa authorization network cts-list group ise-group
# cts credentials id SW2 password ccie
# cts authorization list cts-list
# cts sxp enable
# cts sxp default password ccie
# cts sxp default source-ip x.x.x.x
# cts sxp connection peer x.x.x.x source x.x.x.x password default mode local speaker
Thanks
Use the below config and if you face any issue then PM me:
radius server CCIE
add ipv4 150.1.7.212 auth-port 1812 acct-port 1813
pac key cisco
!
aaa group server radius ISE
server name CCIE
!
aaa authorization network default group ISE
aaa authorization network ISE group ISE
!
cts credentials id SW2_P password ccieccie
!
cts authorization list ISE
cts sxp default source-ip 10.100.8.1
cts sxp default password ccie
cts sxp connection peer 10.100.8.22 source 10.100.8.1 password default mode local speaker
cts sxp enable
!
ip radius source interface vlan150
Edited by cc1ecisco, 12 February 2019 - 02:05 PM.
#9
Posted 12 February 2019 - 02:07 PM
cc1ecisco, on 12 February 2019 - 02:00 PM, said:
Sure, but my point was that this command is basically useless as far as this lab is concerned because, as per the network design, SW has only one route to reach ISE, so even if you do not add this command it will still use its VLAN 150 address as the source for RADIUS requests.
#10
Posted 12 February 2019 - 02:08 PM
MrR0b0t, on 12 February 2019 - 02:07 PM, said:
Edited by cc1ecisco, 12 February 2019 - 02:10 PM.
#11
Posted 12 February 2019 - 02:21 PM
cc1ecisco, on 12 February 2019 - 02:08 PM, said:
Nah nah, it is okay. No need to edit. I have passed it already. And why go to the lab just for this? See, I tested it again just now:
https://imgur.com/a/vDjbAuy
Did not use that precious command, and see that source IP? That is assigned to VLAN 150. And oh yeah, I quickly just copy-pasted your commands from above without that "precious command" and got the expected result.
So try to understand the logic behind the command, not just blindly use it... mate!
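The point made in #4 and #9 above is that the source address of the RADIUS request only becomes a problem when the switch has more than one path towards ISE, because ISE matches the request against the NAS IP in its network device entry. The following Python model is an added example, not code from this thread or from Cisco: the interface addresses and the two route tables are constructed, longest-prefix match stands in for the routing lookup, and the source_interface parameter stands in for the "ip radius source interface" command discussed here.

```python
"""Which address will the switch source its RADIUS packets from?

Added model, not Cisco's code: the egress interface is the longest-prefix
match for the server address, and that interface's address becomes the
RADIUS source unless 'ip radius source interface' pins a different one.
ISE accepts the request only if that source is the NAS IP in its device entry.
"""
import ipaddress

# Constructed lab addressing (not the thread's real interface plan).
INTERFACES = {"Vlan150": "150.1.7.2/24", "Vlan100": "10.100.8.1/24"}
ISE = "150.1.7.212"

# Constructed: SW2 has a connected route to the ISE subnet (the thread's case).
ROUTES_SINGLE = [("150.1.7.0/24", "Vlan150"), ("0.0.0.0/0", "Vlan100")]
# Constructed: only a default route towards ISE, so Vlan100 is the egress.
ROUTES_DEFAULT_ONLY = [("0.0.0.0/0", "Vlan100")]

def egress_interface(dest, routes):
    """Longest-prefix match: the interface a packet to `dest` leaves on."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dest) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {dest}")
    return best[1]

def radius_source(server, routes, source_interface=None, interfaces=INTERFACES):
    """Source address used for RADIUS to `server`; `source_interface` models the pin."""
    iface = source_interface or egress_interface(server, routes)
    return str(ipaddress.ip_interface(interfaces[iface]).ip)

def nas_ip_ok(server, routes, ise_nas_ip, source_interface=None):
    """True if ISE would see the registered NAS IP as the request's source."""
    return radius_source(server, routes, source_interface) == ise_nas_ip

if __name__ == "__main__":
    for label, routes in (("single route", ROUTES_SINGLE), ("default only", ROUTES_DEFAULT_ONLY)):
        for pin in (None, "Vlan150"):
            print(label, "pinned" if pin else "unpinned",
                  radius_source(ISE, routes, pin), nas_ip_ok(ISE, routes, "150.1.7.2", pin))
```

With the single-route table the source is the Vlan150 address whether or not the command is present, which is the behaviour shown in the screenshot above; only with the default-route-only table does the unpinned request leave from Vlan100 and fail to match a device entry registered with the Vlan150 address.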
#12
Posted 12 February 2019 - 02:21 PM
cc1ecisco, on 12 February 2019 - 02:04 PM, said:
radius server CCIE
add ipv4 150.1.7.212 auth-port 1812 acct-port 1813
pac key cisco
!
aaa group server radius ISE
server name CCIE
!
aaa authorization network default group ISE
aaa authorization network ISE group ISE
!
cts credentials id SW2_P password ccieccie
!
cts authorization list ISE
cts sxp default source-ip 10.100.8.1
cts sxp default password ccie
cts sxp connection peer 10.100.8.22 source 10.100.8.1 password default mode local speaker
cts sxp enable
!
ip radius source interface vlan150
Is the hostname of the switch SW2 or SW2_P?!
I am a bit confused why you need to set the password for cts credentials to "ccieccie" instead of "ccie" ?
Thanks for your help !!
#13
Posted 12 February 2019 - 05:31 PM
tonythetiger, on 12 February 2019 - 02:21 PM, said:
I am a bit confused why you need to set the password for cts credentials to "ccieccie" instead of "ccie" ?
Thanks for your help !!
###Line cts credentials id SW2_P password ccieccie
The hostname / pass should match the settings defined under ‘Advanced TrustSec Settings’ in your ISE.
This is one mandatory step to be able to download the environmental-data and the policy.
###Line cts sxp ...
These commands are here to relay the SGTs to the ASA which is configured as listener and enforcer (the password needs to be the same between the switch and the ASA).
The cts credentials id SW2_P password ccieccie is not needed if the switch is only acting as a SXP Speaker.
#14
Posted 12 February 2019 - 09:26 PM
joshhh, on 12 February 2019 - 05:31 PM, said:
The hostname / pass should match the settings defined under ‘Advanced TrustSec Settings’ in your ISE.
This is one mandatory step to be able to download the environmental-data and the policy.
###Line cts sxp ...
These commands are here to relay the SGTs to the ASA which is configured as listener and enforcer (the password needs to be the same between the switch and the ASA).
The cts credentials id SW2_P password ccieccie is not needed if the switch is only acting as a SXP Speaker.
Above highlighted is correct.
Edited by cc1ecisco, 12 February 2019 - 09:28 PM.