TrustSec and SXP

Hello world

I am trying to fully understand the TrustSec technology and things are getting confusing... so I'm asking for a little help :)

Feel free to correct me if I'm wrong (it's the point indeed).

I have the following architecture to implement:

  • ISE / AD (classification)
  • ASA (application)
  • SGT-compatible switches
  • WLC (non-SGT-capable)

From what I understood, ISE does the initial authentication (classification) and returns the SGT to the switches. That allows the switches to tag the ingress traffic correctly (propagation) before it reaches enforcement (which will be done by the ASA firewall).

But what I don't understand is how the WLC gets the ISE tags? It is not SGT-capable, so it does not work with SXP peering as a speaker. So how can it send the right mapping tables (IP-SGT)? How can it map anything if it cannot receive the tags from ISE authentication (saying that the user is in SGT 'employee', for example)? Should it only be static mapping on the WLC (then yes, OK, but TrustSec starts to become useless...)?

I'm really confused, so I guess I've misunderstood the principle of TrustSec...

Thank you very much for reading, and for any help you can give.

Best regards

Basile

When a wireless client connects to the network, as part of the authorization policy an SGT is also given to the WLC. The WLC, as an SXP speaker, will transmit the IP-to-SGT mapping to the SXP listener. The listener then tags the packet with the SGT on behalf of the WLC.

I hope that makes sense. It's confusing :)
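As an added illustration (not from the original thread and not Cisco code), the following Python model shows the three roles the answer describes: the WLC learns an IP-to-SGT binding from the ISE authorization result and, as SXP speaker, forwards it to the listener (switch or ASA), which then classifies packets by source IP and applies an SGACL. The SGT numbers, IP addresses and class names are constructed, and the real SXP wire protocol is not modelled.

```python
"""Toy model of TrustSec classification, SXP propagation and SGACL enforcement.
Constructed example (not Cisco code, not the real SXP wire protocol)."""
from dataclasses import dataclass, field
from ipaddress import ip_address

# SGT numbers are constructed for this example; real values are assigned in ISE.
EMPLOYEE_SGT, GUEST_SGT, SERVER_SGT, UNKNOWN_SGT = 10, 20, 30, 0

@dataclass
class SxpSpeaker:
    """The WLC: learns IP-SGT bindings from the authz result, cannot tag inline."""
    name: str
    peers: list = field(default_factory=list)   # SXP listeners this speaker feeds

    def learn(self, ip, sgt):
        """ISE returned this SGT for a session: advertise the binding over SXP."""
        for peer in self.peers:
            peer.receive(self.name, "ADD", ip_address(ip), sgt)

    def forget(self, ip):
        """Session ended: withdraw the binding so the listener stops tagging it."""
        for peer in self.peers:
            peer.receive(self.name, "DELETE", ip_address(ip), None)

@dataclass
class SxpListener:
    """The ASA/switch: holds the IP-SGT table and tags/enforces on the WLC's behalf."""
    name: str
    ip_sgt: dict = field(default_factory=dict)   # ip_address -> (sgt, learned_from)
    sgacl: dict = field(default_factory=dict)    # (src_sgt, dst_sgt) -> permit?

    def receive(self, speaker, op, ip, sgt):
        if op == "ADD":
            self.ip_sgt[ip] = (sgt, speaker)
        elif op == "DELETE":
            self.ip_sgt.pop(ip, None)

    def classify(self, ip):
        """Source IP -> SGT; an IP with no binding is 'unknown' (SGT 0)."""
        return self.ip_sgt.get(ip_address(ip), (UNKNOWN_SGT, None))[0]

    def enforce(self, src_ip, dst_ip):
        """Default deny: only pairs with an explicit permit in the matrix pass."""
        return self.sgacl.get((self.classify(src_ip), self.classify(dst_ip)), False)

def demo():
    asa = SxpListener("asa", sgacl={(EMPLOYEE_SGT, SERVER_SGT): True,
                                    (GUEST_SGT, SERVER_SGT): False})
    asa.receive("static", "ADD", ip_address("10.0.0.5"), SERVER_SGT)  # static mapping
    wlc = SxpSpeaker("wlc", peers=[asa])
    wlc.learn("192.168.1.10", EMPLOYEE_SGT)   # authz result for an employee laptop
    wlc.learn("192.168.1.20", GUEST_SGT)      # authz result for a guest device
    results = {"employee->server": asa.enforce("192.168.1.10", "10.0.0.5"),
               "guest->server": asa.enforce("192.168.1.20", "10.0.0.5")}
    wlc.forget("192.168.1.10")                # employee logs off; binding withdrawn
    results["after_logoff"] = asa.enforce("192.168.1.10", "10.0.0.5")
    return results
```

The point to take from the model is that a device which never puts an SGT on the wire can still feed the IP-to-SGT table of the device that does, so the withdrawal on logoff matters as much as the initial binding.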

Tags: Cisco Security

Similar Questions

  • TrustSec inline SGT supported platforms and modules

    Hi all

    I have a question about how to determine if a Cisco router/switch supports inline tagging SGT.

    Although I found a link (below) that shows which platforms and modules are required to support inline SGT, I still can't determine for sure whether my switches support inline SGT.

    http://www.Cisco.com/c/en/us/solutions/enterprise-networks/TrustSec/trustsec_matrix.html

    Here are the relevant sections of my 3750's "show version" (I know that IOS must be version 15.X and type 'ipbase').

    Does this hardware support inline tagging?

    Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE3

    System image file is "flash:/c3750-ipservicesk9-mz.122-55.SE3.bin".

    cisco WS-C3750G-24TS-1U (PowerPC405) processor (revision 01) with 131072K bytes of memory.
    Processor board ID FOC0941U2TU
    Last reset from power-on
    3 Virtual Ethernet interfaces
    28 Gigabit Ethernet interfaces
    The password-recovery mechanism is enabled.

    512K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:15:C6:F5:32:80
    Motherboard assembly number: 10219-73-03
    Power supply part number: 341-0098-01
    Motherboard serial number: FOC09400WB9
    Power supply serial number: AZS093800Q6
    Model revision number: 01
    Motherboard revision number: 04
    Model number: WS-C3750G-24TS-S1U
    System serial number: FOC0941U2TU
    Top Assembly part number: 800-26859-01
    Top Assembly revision number: 06
    Version ID: V03
    Hardware board revision number: 0x02

    ===========================================

    Here are the relevant sections of my 6500's "show version" (I know that IOS must be version 15.X and type 'ipbase').

    Does this hardware support inline tagging?

    Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXI12, RELEASE SOFTWARE (fc2)

    ROM: System Bootstrap, Version 12.2(14r)S9, RELEASE SOFTWARE (fc1)

    System image file is "disk0:s72033-advipservicesk9_wan-mz.122-33.SXI12.bin"

    cisco WS-C6506 (R7000) processor (revision 3.0) with 458720K/65536K bytes of memory.
    Processor board ID SAL08363E5J
    SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
    Last reset from power-on
    7 Virtual Ethernet interfaces
    50 Gigabit Ethernet interfaces
    1917K bytes of non-volatile configuration memory.
    8192K bytes of packet buffer.

    65536K bytes of Flash internal SIMM (Sector size 512K).
    Configuration register is 0x2102

    TIA

    Restrictions and configuration notes

    The following guidelines and limitations apply to configuring Cisco TrustSec SGT and SGACL on Catalyst 3750-X and Catalyst 3560-X switches:

    • You cannot statically map an IP subnet to an SGT; you can only map IP addresses to an SGT. When you configure IP-address-to-SGT mappings, the IP address prefix must be /32.
    • If a port is configured in Multi-Auth mode, all hosts connecting on this port must be assigned the same SGT. When a host tries to authenticate, its assigned SGT must be the same as the SGT assigned to a previously authenticated host. If a host attempts to authenticate and its SGT is different from the previously authenticated host's SGT, the port VLAN (VP) to which these hosts belong is error-disabled.
    • Cisco TrustSec enforcement is supported only on up to eight VLANs on a VLAN trunk link. If there are more than eight VLANs configured on a VLAN trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN trunk links will be error-disabled.
    • The switch can assign the SGT and apply SGACL enforcement to end hosts learned through SXP listening only if the end hosts are Layer 2 adjacent to the switch.
    • Port-to-SGT mapping can be configured only on Cisco TrustSec links (i.e., switch-to-switch links). Port-to-SGT mapping cannot be configured on host-to-switch links.

    When port-to-SGT mapping is configured on a port, an SGT is assigned to all traffic entering that port. There is no SGACL enforcement applied to traffic leaving the port.

  • ISE 1.4 and Apple "Captive Network Assistant" causing problems

    I'm testing ISE 1.4 with a Mac running 10.10.2/Safari 8.0.3, and the annoying stripped-down Safari, AKA "Captive Network Assistant", gets in the way. I wonder what other people have done to work around it.

    According to the Cisco ISE v1.4 network component compatibility, Safari should be compatible, but Captive Network Assistant says that it isn't. I suspect it's because the Mac laptop tries to validate against ~200 domains (so I hear, for this). My ISE/WLC have a DACL that allows certain IP addresses before AuthC/AuthZ finishes, and obviously I can't put all 200 of those domains in the DACL. My ISE is configured with the TrustSec model where I have two SSIDs, the first on the front end to detect whether AnyConnect 4.x is installed and, if it is not, redirect to a portal. The Mac fails the device security check because... or should I say it won't display it, because of Apple's Captive Network Assistant.

    I know I can disable Captive Network Assistant by renaming the file, but that will probably not be an acceptable solution in my environment for political reasons. I wonder what others have done to get around this annoying problem. Maybe something with a DNS record or similar...

    Thank you

    e-

    The common recommendation is to trick the Apple devices into thinking they have internet access by running this command on the command line of your WLC:

    config network web-auth captive-bypass enable

  • ISE - CA-signed certificate and subordinate CA

    Hello

    I have questions about the use of CA-signed certificates in a distributed deployment. I followed all the steps in the "TrustSec how-to guide" between the ISE nodes and the root CA, but I don't understand how subordinates come into the picture. Are there certificates that I should get or put between the subordinates and the ISE nodes?

    I need to understand what the purpose of using certificates is here. If you are using certificates for deployment purposes, then you need to know which certificates you need.

    The main crux is that the Primary Admin must approve secondary node certificates before they can be added to the Primary Admin node. If you are using CA-signed certificates then just the root CA must be uploaded to the Primary Admin node. If self-signed certificates are used then each secondary node certificate needs to be imported into the Trusted Root Certification Authorities store on the Primary Admin node. The primary identity certificate must also be added to the secondary node's certificate store.

    If you are using certificates for the wireless deployment only and you want the endpoints to validate the server certificate, then I would install the root CA and the subordinate CA on ISE and also on the endpoints.

    Your subordinate certification authority would be MySUBCA here in the chain:

    MyROOTCA --signed--> MySUBCA --signed--> MyIdentityCert

    Jatin kone

    - Please rate helpful posts -
