
CCIE Security v5 tasks 3.5/4.2/4.4


32 replies to this topic

#1 mkaalhamd

Advanced Member | Members | 64 posts | 232 thanks

Posted 11 February 2019 - 03:01 PM

Dear,
Can we discuss the following CCIE Security v5 tasks: 3.5/4.2/4.4?
Actually I have an issue with task 3.5 which affects all the other tasks:
SW2 is not able to download CTS environmental data.
I am sure that the switch name and password are the same on both sides (SW/ISE).
I am using the iron port IOS image on my SW.
Do you have any suggestions?


thank you


#2 MrR0b0t

Cisco Technologies Expert | Technical Expert | 130 posts | 8945 thanks

Posted 11 February 2019 - 04:21 PM

Which IOL version exactly? Did you add CTS credentials on the SW?
"Do not mistake my Generosity for generosity."
______________________________________________________

-> Do not post useless "thank you" post.
-> Please use the "Thanks" button as shown in the  announcements
-> Help us keep this forum clean by reporting spam / scam / non IT related posts.
-> Please use report button to report posts / users.


#3 cc1ecisco

Advanced Member | Members | 89 posts | 988 thanks

Posted 12 February 2019 - 10:14 AM

mkaalhamd, on 11 February 2019 - 03:01 PM, said:

Dear,
Can we discuss the following CCIE Security v5 tasks: 3.5/4.2/4.4?
Actually I have an issue with task 3.5 which affects all the other tasks:
SW2 is not able to download CTS environmental data.
I am sure that the switch name and password are the same on both sides (SW/ISE).
I am using the iron port IOS image on my SW.
Do you have any suggestions?


Thank you

Use the following command on SW2 and SW2 will receive the PAC immediately and environment data will be successful:

ip radius source interface vlan150

#4 MrR0b0t

Cisco Technologies Expert | Technical Expert | 130 posts | 8945 thanks

Posted 12 February 2019 - 10:42 AM

cc1ecisco, on 12 February 2019 - 10:14 AM, said:

Use the following command on SW2 and SW2 will receive the PAC immediately and environment data will be successful:

ip radius source interface vlan150

That command will do nothing if the CTS credentials are not added in the SW key/credentials repository. This is just "to force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets". And I believe this would be required in case a switch has a route to the ISE server through more than one interface (not a directly connected subnet), so in order to match the NAS IP address defined on ISE for that particular device, one would use this command so that the request is sent with a source address matching the network device config on ISE.

Edited by MrR0b0t, 12 February 2019 - 05:06 PM.

#5 tonythetiger

Advanced Member | Members | 82 posts | 735 thanks

Posted 12 February 2019 - 10:50 AM

cc1ecisco, on 12 February 2019 - 10:14 AM, said:

Use the following command on SW2 and SW2 will receive the PAC immediately and environment data will be successful:

ip radius source interface vlan150

Would you recommend the following configuration for SW2?

radius server ISE
address ipv4 150.1.7.212 auth-port 1812 acct-port 1813
pac key ccie


aaa group server radius ise-group
server name ISE

ip radius source interface vlan150

aaa authorization  network cts-list group ise-group

# cts credentials id SW2 password ccie

# cts authorization list cts-list

# cts sxp enable
# cts sxp default password  ccie
# cts sxp default source-ip x.x.x.x
# cts sxp connection peer   x.x.x.x source x.x.x.x password default mode local speaker

Thanks

Edited by tonythetiger, 12 February 2019 - 11:03 AM.


#6 MrR0b0t

Cisco Technologies Expert | Technical Expert | 130 posts | 8945 thanks

Posted 12 February 2019 - 11:01 AM

tonythetiger, on 12 February 2019 - 10:50 AM, said:

Would you recommend the following configuration for SW2?

radius server ISE
address ipv4 150.1.7.212 auth-port 1812 acct-port 1813
pac key ccie


aaa group server radius ise-group
server name ISE

ip radius source interface vlan150

aaa authorization  network cts-list group ise-group

# cts credentials id SW2 password ccie

# cts authorization list ISE-CTS-LIST

# cts sxp enable
# cts sxp default password  ccie
# cts sxp default source-ip x.x.x.x
# cts sxp connection peer   x.x.x.x source x.x.x.x password default mode local speaker

Thanks

The CTS authorization network list does not match between what is defined and what is being authorized under CTS.

#7 cc1ecisco

Advanced Member | Members | 89 posts | 988 thanks

Posted 12 February 2019 - 02:00 PM

MrR0b0t, on 12 February 2019 - 10:42 AM, said:

That command will do nothing if the CTS credentials are not added in the SW key/credentials repository. This is just "to force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets". And I believe this would be required in case a switch has a route to the ISE server through more than one interface, so in order to match the NAS IP address defined on ISE for that particular device, one would use this command so that the request is sent with a source address matching the network device config on ISE.

Of course the other configuration has to be there; this single command will not make 3.5 work.

#8 cc1ecisco

Advanced Member | Members | 89 posts | 988 thanks

Posted 12 February 2019 - 02:04 PM

tonythetiger, on 12 February 2019 - 10:50 AM, said:

Would you recommend the following configuration for SW2?

radius server ISE
address ipv4 150.1.7.212 auth-port 1812 acct-port 1813
pac key ccie


aaa group server radius ise-group
server name ISE

ip radius source interface vlan150

aaa authorization  network cts-list group ise-group

# cts credentials id SW2 password ccie

# cts authorization list cts-list

# cts sxp enable
# cts sxp default password  ccie
# cts sxp default source-ip x.x.x.x
# cts sxp connection peer   x.x.x.x source x.x.x.x password default mode local speaker

Thanks

Use the config below and if you face any issue then PM me:

radius server  CCIE
add ipv4 150.1.7.212 auth-port 1812 acct-port 1813
pac key cisco
!
aaa group server radius ISE
server name CCIE
!

aaa authorization network default group ISE
aaa authorization network  ISE group ISE
!
cts credentials id SW2_P password ccieccie
!
cts authorization list ISE
cts sxp default source-ip 10.100.8.1
cts sxp default password ccie
cts sxp connection peer 10.100.8.22 source 10.100.8.1 password default mode local speaker
cts sxp enable
!
ip radius source interface vlan150

Edited by cc1ecisco, 12 February 2019 - 02:05 PM.


#9 MrR0b0t

Cisco Technologies Expert | Technical Expert | 130 posts | 8945 thanks

Posted 12 February 2019 - 02:07 PM

cc1ecisco, on 12 February 2019 - 02:00 PM, said:

Of course the other configuration has to be there; this single command will not make 3.5 work.

Sure, but my point was that this command is basically useless as far as this lab is concerned, because as per the network design the SW has only one route to reach ISE, so even if you do not add this command it will still use its VLAN 150 address as the source for RADIUS requests.

#10 cc1ecisco

Advanced Member | Members | 89 posts | 988 thanks

Posted 12 February 2019 - 02:08 PM

MrR0b0t, on 12 February 2019 - 02:07 PM, said:

Sure, but my point was that this command is basically useless as far as this lab is concerned, because as per the network design the SW has only one route to reach ISE, so even if you do not add this command it will still use its VLAN 150 address as the source for RADIUS requests.

Good luck !!!!!

Edited by cc1ecisco, 12 February 2019 - 02:10 PM.


#11 MrR0b0t

Cisco Technologies Expert | Technical Expert | 130 posts | 8945 thanks

Posted 12 February 2019 - 02:21 PM

cc1ecisco, on 12 February 2019 - 02:08 PM, said:

Good luck !!!!!

Nah nah, it is okay. No need to edit. I have passed it already. And why go to the lab just for this? See, I tested it again just now:

https://imgur.com/a/vDjbAuy

I did not use that precious command, and see that source IP? That is the one assigned to VLAN 150. And oh yeah, I quickly just copy-pasted your commands from above without that "precious command" and got the expected result.

So try to understand the logic behind the command, not just blindly use it, mate!
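The source-address behaviour argued over in posts #4, #9 and #11, as an added Python model that is not Cisco code and not from this thread. In the IOS CLI the command is spelled `ip radius source-interface <interface>`. The model does a longest-prefix route lookup and returns the address an IOS switch would stamp on a RADIUS request, with and without the command; the routing tables, interface addresses and the set of network-device addresses registered on ISE are constructed sample values.

```python
import ipaddress

# Added model, not Cisco code: how an IOS switch chooses the source IP of a
# RADIUS request, with and without 'ip radius source-interface'.

# Constructed sample values: the ISE address used in the lab task, the
# switch's interface addresses, and two routing tables.
ISE_IP = "150.1.7.212"
INTERFACES = {"Vlan150": "150.1.7.2", "Vlan100": "10.100.8.1"}

# Lab design as described in post #9: the only path to ISE leaves via VLAN 150.
ONE_PATH = [("150.1.7.0/24", "Vlan150"), ("10.100.8.0/24", "Vlan100")]

# A design where ISE sits behind a routed uplink on another VLAN, so the
# egress interface is not the one ISE knows the switch by.
OTHER_PATH = [("150.1.7.0/24", "Vlan100"), ("0.0.0.0/0", "Vlan100")]


def egress_interface(dst, routes):
    """Longest-prefix match over (prefix, interface) pairs."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    if best_iface is None:
        raise ValueError(f"no route to {dst}")
    return best_iface


def radius_source_ip(routes, source_interface=None, dst=ISE_IP, interfaces=INTERFACES):
    """Source IP stamped on RADIUS packets to dst.

    Without 'ip radius source-interface' the egress interface's address is
    used; with it, the named interface's address is used whatever the path.
    """
    iface = source_interface or egress_interface(dst, routes)
    return interfaces[iface]


def ise_will_match(source_ip, ise_network_devices):
    """ISE matches a request to a network-device entry by its source IP."""
    return source_ip in ise_network_devices


if __name__ == "__main__":
    # Constructed: SW2 is registered on ISE by its VLAN 150 address only.
    registered = {"150.1.7.2"}
    for label, routes in (("one path", ONE_PATH), ("other path", OTHER_PATH)):
        for src_if in (None, "Vlan150"):
            src = radius_source_ip(routes, src_if)
            print(f"{label:10} source-interface={src_if} -> {src} "
                  f"matched on ISE: {ise_will_match(src, registered)}")
```

With the single-path table the command changes nothing: the egress interface is VLAN 150 either way, which is the point made in post #9. With the second table the request would leave from the VLAN 100 address, ISE finds no network-device entry for it and drops the request; pinning the source interface to VLAN 150 is what restores the match, which is the situation post #4 describes.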

#12 tonythetiger

Advanced Member | Members | 82 posts | 735 thanks

Posted 12 February 2019 - 02:21 PM

cc1ecisco, on 12 February 2019 - 02:04 PM, said:

Use the config below and if you face any issue then PM me:

radius server  CCIE
add ipv4 150.1.7.212 auth-port 1812 acct-port 1813
pac key cisco
!
aaa group server radius ISE
server name CCIE
!
aaa authorization network default group ISE
aaa authorization network  ISE group ISE
!
cts credentials id SW2_P password ccieccie
!
cts authorization list ISE
cts sxp default source-ip 10.100.8.1
cts sxp default password ccie
cts sxp connection peer 10.100.8.22 source 10.100.8.1 password default mode local speaker
cts sxp enable
!
ip radius source interface vlan150



Is the hostname of the switch SW2 or SW2_P?!
I am a bit confused about why you need to set the password for cts credentials to "ccieccie" instead of "ccie"?
Thanks for your help!!

#13 joshhh

Advanced Member | Members | 59 posts | 32 thanks

Posted 12 February 2019 - 05:31 PM

tonythetiger, on 12 February 2019 - 02:21 PM, said:

Is the hostname of the switch SW2 or SW2_P?!
I am a bit confused about why you need to set the password for cts credentials to "ccieccie" instead of "ccie"?
Thanks for your help!!

### Line: cts credentials id SW2_P password ccieccie
The hostname/password should match the settings defined under 'Advanced TrustSec Settings' in your ISE.
This is one mandatory step to be able to download the environmental data and the policy.

### Line: cts sxp ...
These commands are here to relay the SGTs to the ASA, which is configured as listener and enforcer (the password needs to be the same between the switch and the ASA).
The "cts credentials id SW2_P password ccieccie" is not needed if the switch is only acting as an SXP speaker.
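The consistency rules the replies above turn on (the authorization list name must be the same under `aaa authorization network` and `cts authorization list`, post #6; the `cts credentials` id and password must equal what ISE has for the device, and the SXP password must equal the listener's, post #13), as an added Python lint that is not Cisco, ISE or forum code. It accepts snippets in the form pasted in this thread, including the `#` exec-prompt markers; the ISE network-device entry and the SXP peer password it compares against are constructed inputs that, on a real deployment, would be copied from ISE and from the ASA.

```python
import re

# Added example, not Cisco/ISE code: parse the CTS-related lines of an IOS
# config and flag the mismatches discussed in the thread.


def parse_cts_config(text):
    """Collect the CTS-relevant statements of an IOS config into a dict.

    Each line is normalised (whitespace collapsed, a leading '#' exec-prompt
    marker dropped) so the snippets pasted in this thread parse as-is.
    """
    cfg = {"pac_keys": {},       # radius server name -> pac key or None
           "server_groups": {},  # group name -> [radius server names]
           "authz_lists": {},    # list name -> server group
           "cts_list": None, "cts_id": None, "cts_password": None,
           "sxp_password": None}
    block = None  # ("radius", name) or ("group", name) while inside a block
    for raw in text.splitlines():
        line = re.sub(r"\s+", " ", raw.strip().lstrip("#").strip())
        if not line or line == "!":
            continue
        if m := re.fullmatch(r"radius server (\S+)", line):
            block = ("radius", m[1])
            cfg["pac_keys"][m[1]] = None
        elif m := re.fullmatch(r"aaa group server radius (\S+)", line):
            block = ("group", m[1])
            cfg["server_groups"][m[1]] = []
        elif m := re.fullmatch(r"pac key (\S+)", line):
            if block and block[0] == "radius":
                cfg["pac_keys"][block[1]] = m[1]
        elif m := re.fullmatch(r"server name (\S+)", line):
            if block and block[0] == "group":
                cfg["server_groups"][block[1]].append(m[1])
        elif m := re.fullmatch(r"aaa authorization network (\S+) group (\S+)", line):
            cfg["authz_lists"][m[1]] = m[2]
            block = None
        elif m := re.fullmatch(r"cts authorization list (\S+)", line):
            cfg["cts_list"] = m[1]
        elif m := re.fullmatch(r"cts credentials id (\S+) password (\S+)", line):
            cfg["cts_id"], cfg["cts_password"] = m[1], m[2]
        elif m := re.fullmatch(r"cts sxp default password (\S+)", line):
            cfg["sxp_password"] = m[1]
    return cfg


def check_cts_config(text, ise_device, sxp_peer_password):
    """Return a list of findings; an empty list means the config is consistent."""
    cfg = parse_cts_config(text)
    findings = []
    # 1. The list named under 'cts authorization list' must exist as an
    #    'aaa authorization network <list> group <group>' line (post #6).
    lst = cfg["cts_list"]
    if lst is None:
        findings.append("no 'cts authorization list' configured")
    elif lst not in cfg["authz_lists"]:
        findings.append(f"cts authorization list '{lst}' has no matching "
                        f"'aaa authorization network {lst} group ...' line")
    # 2. Every referenced group and radius server must be defined, and the
    #    server needs a 'pac key' for the CTS PAC to be provisioned.
    for name, group in cfg["authz_lists"].items():
        if group not in cfg["server_groups"]:
            findings.append(f"authorization list '{name}' uses undefined group '{group}'")
            continue
        for srv in cfg["server_groups"][group]:
            if srv not in cfg["pac_keys"]:
                findings.append(f"group '{group}' references undefined radius server '{srv}'")
            elif cfg["pac_keys"][srv] is None:
                findings.append(f"radius server '{srv}' has no 'pac key'")
    # 3. Device id/password must equal the ISE network-device settings (post #13).
    if (cfg["cts_id"], cfg["cts_password"]) != (ise_device["id"], ise_device["password"]):
        findings.append("cts credentials id/password differ from the ISE network-device entry")
    # 4. The SXP default password must match the listener's (post #13).
    if cfg["sxp_password"] != sxp_peer_password:
        findings.append("cts sxp default password differs from the SXP peer")
    return findings


# Constructed sample inputs. The first carries the list-name mismatch pointed
# out in post #6; the second is consistent with its (constructed) ISE entry.
MISMATCHED = """
radius server ISE
 address ipv4 150.1.7.212 auth-port 1812 acct-port 1813
 pac key ccie
aaa group server radius ise-group
 server name ISE
aaa authorization  network cts-list group ise-group
# cts credentials id SW2 password ccie
# cts authorization list ISE-CTS-LIST
# cts sxp enable
# cts sxp default password  ccie
"""

CONSISTENT = """
radius server CCIE
 add ipv4 150.1.7.212 auth-port 1812 acct-port 1813
 pac key cisco
!
aaa group server radius ISE
 server name CCIE
!
aaa authorization network default group ISE
aaa authorization network ISE group ISE
!
cts credentials id SW2_P password ccieccie
!
cts authorization list ISE
cts sxp default password ccie
cts sxp enable
"""

if __name__ == "__main__":
    print(check_cts_config(MISMATCHED, {"id": "SW2", "password": "ccie"}, "ccie"))
    print(check_cts_config(CONSISTENT, {"id": "SW2_P", "password": "ccieccie"}, "ccie"))
```

Run it against a pasted config together with the id/password you see on ISE's device page and the password on the SXP listener; an empty list is the state in which the switch can obtain its PAC and environment data, and each finding names the line to fix. Note that `cts credentials` lives in the switch keystore rather than the running config, so when linting a real `show running-config` you need to append that line from the exec session yourself.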

#14 cc1ecisco

Advanced Member | Members | 89 posts | 988 thanks

Posted 12 February 2019 - 09:26 PM

joshhh, on 12 February 2019 - 05:31 PM, said:

### Line: cts credentials id SW2_P password ccieccie
The hostname/password should match the settings defined under 'Advanced TrustSec Settings' in your ISE.
This is one mandatory step to be able to download the environmental data and the policy.

### Line: cts sxp ...
These commands are here to relay the SGTs to the ASA, which is configured as listener and enforcer (the password needs to be the same between the switch and the ASA).
The "cts credentials id SW2_P password ccieccie" is not needed if the switch is only acting as an SXP speaker.

Above highlighted is correct.

Edited by cc1ecisco, 12 February 2019 - 09:28 PM.




