Cisco Security TrustSec SXP SGT

dot1x and mab

EVE-NG Lab guide

_____________________________________________
Author Uldis Dzerkals
EVE-NG Pro, 2020
Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

Content
Content 2
I. Lab nodes, image versions 3
II. ASAv Configuration 4
III. Install NTP and Active Directory Server 7
IV. Configure DNS Server 11
V. Configure AD Corporate users 12
VI. Create AD User Groups 13
VII. Join Win10-PC1 to the AD domain 13
VIII. ISE pre-stage 15
IX. ISE SXP Service 16
X. Active Directory joining to the ISE 16
XI. SW1 and SW2 AAA configuration 19
XII. ASAv10 AAA configuration 20
XIII. Lab devices joining to the ISE 20
XIV. Create authorization Profiles and DACLs 24
XV. Create Source Identity sequence 27
XVI. Create ISE Security groups 28
XVII. Create Policy Set 29
XVIII. Lab Switch Ports configuration DOT1x and MAB 37
XIX. Corporate-PC Dot1x Authentication 38
XX. Contractor Devices Authentication 44
XXI. ISE TrustSec Configuration 48
XXII. ASAv CTS Configuration 52
XXIII. LAN Switches CTS Configuration 53
XXIV. TrustSec SXP SGT verification 56
XXV. ASAv SGT based Access rules 58
XXVI. Final verification 59

2 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

Lab concept: Practical Cisco Security TrustSec SXP SGT ISE 3.0 configuration accordingly given
objectives.
Lab General Tasks:

1. Configure universal Corporate PC Windows 10 workstation with dot1x AD user

authorization. If Employees User (Jenny) login into this PC, it must be assigned in VLAN 20
(DACL) and obtain IP from ASAv10 DHCP pool Employees. If Engineer (John) login in the
same PC, he must be assigned in VLAN 30 (DACL) and obtain IP from ASAv10 DHCP pool
Engineers.
2. Configure Contractors devices with mab host authorization. Contractor devices must assign
in VLAN 40 (DACL) and obtain IP from DHCP pool Contractors.

TrustSec SXP SGT Policies based Tasks

3. Corporate User Employees (Jenny) Must have access to Corporate WEB Server
http://webserver.eve.lab and Internet only.
4. Corporate User Engineers (John) must have access to all resources in the lab. Engineer
network must have access to Contractors network.
5. Contractor User must have access to FTP Server ftp://data.eve.lab and DNS services and
Internet
6. Contractor User must not have access to DMZ network or to Corporate VLANs 20 and 30.

I. Lab nodes, image versions

• Cisco ISE 3.0,
• Switch: i86bi_linux_l2-adventerprisek9-ms.SSA.high_iron_20190423.bin
• ISP Router: IOL i86bi_LinuxL3-AdvEnterpriseK9-M2_157_3_May_2018.bin
• DNS/CA/NTP, Windows 2019 x64 Server
• Windows 10 x86, Domain PC

3 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

• Management Host: Docker server-gui (Pro Lab)

II. ASAv Configuration

1. Objective: Configure ASAv hostname, exec password and username:
ciscoasa> en
The enable password is not set. Please set it now.
Enter Password: eve1
Repeat Password: eve1
Note: Save your configuration so that the password persists across
reboots
("write memory" or "copy running-config startup-config").
ciscoasa#
ciscoasa(config)# username admin password admin privilege 15
ciscoasa(config)# hostname ASAv10
ASAv10(config)#

2. Objective: Configure ASAv interfaces with following:

interface GigabitEthernet0/0
no shut
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
no shut
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.20
vlan 20
nameif employees
security-level 100
ip address 10.1.2.254 255.255.255.0
!
interface GigabitEthernet0/1.30
vlan 30
nameif engineers
security-level 100
ip address 10.1.3.254 255.255.255.0
!
interface GigabitEthernet0/1.40
vlan 40
nameif contractors
security-level 100
ip address 10.1.4.254 255.255.255.0
!
interface GigabitEthernet0/2

4 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

no shut
nameif dmz
security-level 80
ip address 10.1.1.254 255.255.255.0

3. Objective: Configure ASAv ASDM (optional If you prefer ASA configuration via ASDM):

Note: If you expected to activate ASAv Smart license this step is mandatory to register Cisco smart
license token. Lab itself can be used with Evaluation license which has all features enabled but limited
in throughput speed 100kbps.

Use Mgmt host node, open Firefox browser:

https://10.1.1.254/admin/public/asdm.jnlp
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 10.1.1.0 255.255.255.0 dmz

4. Objective: Configure ASAv inter and intra traffic permittance:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

5. Objective: Configure ASAv ICMP and HTTP inspection:

policy-map global_policy
class inspection_default
inspect http
inspect icmp

6. Objective: Configure ASAv DNS (optional for Smart Licensing):

Note: If you expected to activate ASAv Smart license this step is mandatory to register Cisco smart
license token. Lab itself can be used with Evaluation license which has all features enabled but limited
in throughput speed 100kbps.
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8 outside
name-server 8.8.4.4 outside
How to register your ASAv using token:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-
config/intro-license-smart.html

7. Objective: Configure ASAv Objects and Object groups:

object network dmz_network
subnet 10.1.1.0 255.255.255.0

5 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

object network employees_network

subnet 10.1.2.0 255.255.255.0

object network engineers_network

subnet 10.1.3.0 255.255.255.0

object network contractors_network

subnet 10.1.4.0 255.255.255.0

object network FTP_DATA

host 10.1.4.100

object network DNS_server

host 10.1.1.201

object network ISE

host 10.1.1.200

object network WEB_server

host 10.1.1.100

object-group network Employee_Access

network-object object DNS_server
network-object object WEB_server

object-group protocol TCPUDP

protocol-object udp
protocol-object tcp

8. Objective: Configure ASAv basic access-lists:

access-list dmz_access_in extended permit ip object dmz_network any
access-group dmz_access_in in interface dmz

access-list employees_access_in extended permit ip object

employees_network any
access-group employees_access_in in interface employees

9. Objective: Configure ASAv NAT:

nat (dmz,outside) source dynamic dmz_network interface
nat (employees,outside) source dynamic employees_network interface
nat (engineers,outside) source dynamic engineers_network interface
nat (contractors,outside) source dynamic contractors_network
interface

10. Objective: Configure ASAv DHCP pools for DMZ, Engineers, employees and Contractors:

6 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

dhcpd address 10.1.2.10-10.1.2.20 employees

dhcpd dns 10.1.1.201 interface employees
dhcpd enable employees
!
dhcpd address 10.1.3.10-10.1.3.20 engineers
dhcpd dns 10.1.1.201 interface engineers
dhcpd enable engineers
!
dhcpd address 10.1.4.10-10.1.4.20 contractors
dhcpd dns 10.1.1.201 interface contractors
dhcpd enable contractors
!
dhcpd address 10.1.1.20-10.1.1.25 dmz
dhcpd dns 10.1.1.201 interface dmz
dhcpd domain eve.lab interface dmz
dhcpd enable dmz interface

11. Objective: Save ASAv10 configuration:

ASAv10(config)# copy running-config startup-config

Source filename [running-config]?

Cryptochecksum: 845d758d 12e1c255 faf43b0f 68ed092f

9611 bytes copied in 0.100 secs

ASAv10(config)#

III. Install NTP and Active Directory Server

Objective: Configure Windows 2019 network interfaces with following:

1. Set static IP address for Windows 2019 interface Ethernet:

✓ IP Address: 10.1.1.201
✓ Mask: 255.255.255.0
✓ Gateway: 10.1.1.254
✓ DNS Server: 8.8.8.8, 8.8.4.4

Objective: Configure Windows 2019 Time Zone and Time:

✓ Configure the appropriate Time zone and Time on the Windows Server.

Objective: Configure Windows 2019 as NTP server with following:

1. Create firewall NTP inbound rule

✓ Control Panel/Windows Defender Firewall/Advanced settings
✓ Inbound Rules/New rule

7 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Rule type: Port > Next

✓ Protocol and Ports: UDP 123 > Next
✓ Action: Allow the Connection > Next
✓ Profile: check all, domain, private, public > Next
✓ Name: NTP_inbound

2. Configure external NTP server, Internet must be reachable from your server
✓ Open windows CMD (administrator rights!!!)
✓ Enter: External real NTP server:
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL
/reliable:yes

3. Edit Registry files

✓ Select Start > Run, type regedit, and then select OK
✓ Navigate to the following path in the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

✓ Right-click Announce Flags, and then select Modify

✓ Change the type Value as 5 and click on OK.

8 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Navigate to the following path in the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

✓ Right-click Type, and then select Modify

✓ Change the type Value as NTP and click on OK.

✓ Enable NTP server. Open Location

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpSer
ver
✓ Right-click Enabled, and then select Modify
✓ In Edit DWORD Value, type 1 in the Value data box, and then

9 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

4. Restart NTP service

Open windows CMD (administrator rights!!!)
✓ Open windows CMD (administrator rights!!!)
✓ Enter:
net stop w32time && net start w32time

5. Verify NTP
✓ Open windows CMD (administrator rights!!!)
✓ Enter:
w32tm /query /status /verbose this will display last sync status or any
error

w32tm /query /peers this will display NTP external peers

10 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

Objective: Configure Windows 2019 server name with following:

✓ Open Server manager

✓ Click Local Server
✓ Click Computer Name
✓ Click Change
✓ Enter Name: ad
✓ Click OK
✓ Click Close and restart Server

Objective: Configure Windows 2019 server Active Directory:

1. Install Active Directory Server role

✓ Open Server manager
✓ Click Add roles and features
✓ Click 3 times Next
✓ Select Active Directory Domain Services, and click Add features
✓ Click 3 times Next, and Install
✓ After installation is completed, Click close
2. Navigate to Server manager, Notifications (Yellow triangle)
✓ Click on Promote this server to a domain controller
✓ Select “Add new forest”
✓ Put domain name “eve.lab”
✓ Click Next
✓ Type 2 times DSRM password (example: Test123)
✓ Click Next 5 times
✓ Click Install
✓ After server is rebooted and if required, change administrator password (example:
ADserver123)

IV. Configure DNS Server

Objective: Configure Windows 2019 as DNS server with following:

1. Navigate to Server manager, Tools/DNS

✓ Expand AD Server one the right
2. Create 4 new Reverse Lookup Zones
✓ Right click on Reverse lookup Zones/New Zone, Next
✓ Leave Primary Zone and click Next
✓ Leave To all DNS servers running in domain controllers in this domain: eve.lab, click
Next
✓ IPv4 Reverse Lookup Zone, Next
✓ Network ID: 10.1.1, Next, Next
✓ Allow both non-secure and secure dynamic updates, Next
✓ Finish
✓ New Zone, Next
✓ Leave Primary Zone and click Next
✓ Leave To all DNS servers running in domain controllers in this domain: eve.lab, click
Next

11 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ IPv4 Reverse Lookup Zone, Next

✓ Network ID: 10.1.2, Next, Next
✓ Allow both non-secure and secure dynamic updates, Next
✓ Finish
✓ New Zone, Next
✓ Leave Primary Zone and click Next
✓ Leave To all DNS servers running in domain controllers in this domain: eve.lab, click
Next
✓ IPv4 Reverse Lookup Zone, Next
✓ Network ID: 10.1.3, Next, Next
✓ Allow both non-secure and secure dynamic updates, Next
✓ Finish
✓ New Zone, Next
✓ Leave Primary Zone and click Next
✓ Leave To all DNS servers running in domain controllers in this domain: eve.lab, click
Next
✓ IPv4 Reverse Lookup Zone, Next
✓ Network ID: 10.1.4, Next, Next
✓ Allow both non-secure and secure dynamic updates, Next
✓ Finish
3. Create new A record for ISE
✓ Navigate to forward lookup zone eve.lab
✓ Create New host (A or AAAA)
✓ Name: ise
✓ IP Address: 10.1.1.200
✓ Enable checkbox Create associated pointer (PTR) record
✓ Add Host
4. Create new A record for WEBserver
✓ Navigate to forward lookup zone eve.lab
✓ Create New host (A or AAAA)
✓ Name: webserver
✓ IP Address: 10.1.1.100
✓ Enable checkbox Create associated pointer (PTR) record
✓ Add Host
5. Create new A record for Dataserver FTP
✓ Navigate to forward lookup zone eve.lab
✓ Create New host (A or AAAA)
✓ Name: data
✓ IP Address: 10.1.4.100
✓ Enable checkbox Create associated pointer (PTR) record
✓ Add Host

V. Configure AD Corporate users

Objective: Configure Active Directory Corporate Users:

1. Navigate to Server manager, Tools/Active Directory Users and Computers

✓ Right click on Users directory/New/user

12 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ First Name: Jenny

✓ Last name: Doe
✓ Username: jennydoe
✓ Click Next
✓ Password (2 times): Silver2021
✓ Uncheck User must change password at next login
✓ Check: User cannot change password and Password never expires
✓ Click Next and Finish
2. Navigate to Server manager, Tools/Active Directory Users and Computers
✓ Right click on Users directory/New/user
✓ First Name: John
✓ Last name: Doe
✓ Username: johndoe
✓ Click Next
✓ Password (2 times): Gold2021
✓ Uncheck User must change password at next login
✓ Check: User cannot change password and Password never expires
✓ Click Next and Finish

VI. Create AD User Groups

Objective: Add User Groups to the Active directory:

Note: Your windows hosts must be configured to obtain IP via DHCP. The Lab switch and ISP router is
configured with proper VLANs and DHCP Pools.

1. Navigate to Server manager, Tools/Active Directory Users and Computers

✓ Right click on Users directory/New/Group
✓ Name: Employees
✓ Click OK
✓ Right click on Users directory/New/Group
✓ Name: Engineers
✓ Click OK

Objective: Add users into created AD groups

1. Right Click on user John Doe and select: Add to group

✓ Enter the object names to select: Engineers
✓ Click Check name
✓ Click OK
2. Right Click on user Jenny Doe and select: Add to group
✓ Enter the object names to select: Employees
✓ Click Check name
✓ Click OK

VII. Join Win10-PC1 to the AD domain

Objective: Join corporate users to the Active directory:

13 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

Note: Your windows hosts must be configured to obtain IP via DHCP. The Lab ASAv10 has configured
DHCP Pools in previous Task.

1. Windows 10 host
✓ Navigate: Start/Settings/About
✓ Navigate: Advanced System Settings, Click
✓ Click Tab: Computer Name
✓ Click: Change
✓ Type Computer Name: Corporate-PC
✓ Select radio button: Domain
✓ Type domain: eve.lab
✓ Click OK
✓ Type your AD server administrator username and password (example:
administrator/Test123)
✓ Click OK
✓ Click Close and restart PC

IMPORTANT, create user accounts on the Win10 Corporate PC before we move forward next Lab
steps

2. Create John Doe engineer account

✓ Select Other user and login with AD credentials: johndoe/Gold2021

3. Create Jenny Doe Engineer account

✓ Select Other user and login with AD credentials: jennydoe/Gold2021
4. Create domain Administrator account
✓ Select Other user and login with AD credentials: login: eve\administrator password:
Test123

Verification: Windows 10 host as Corporate-PC must be joined and domain eve.lab and have full
network/internet access. This host will be used to test 2 different Corporate user access. Engineers
and Employees.

14 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

 Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

VIII. ISE pre-stage

Objective: Pre-stage ISE

1. Setup ISE settings

✓ Type: setup

✓ Hostname: ise
✓ IP address: 10.1.1.200
✓ Netmask: 255.255.255.0
✓ Default gateway: 10.1.1.254
✓ Default domain: eve.lab
✓ Primary name server: 10.1.1.201
✓ NTP Server: 10.1.1.201
✓ User: admin
✓ Password: Test123

✓ Wait till ise installs and brings up, Services must be in running state

15 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

IX. ISE SXP Service

Objective: Activate ISE SXP Serivuce

1. Open Mgmnt host and navigate to Applications/Internet/Chromium Web Browser

✓ Log into the ISE by browsing to https://ise.eve.lab using a username: admin and a
password: Test123
✓ Navigate to ISE Management
✓ Click Tab Administration/System/Deployment
✓ Select “ise”/Edit
✓ Navigate to “Enable SXP Service”

✓ Select to enable
✓ Press Save

X. Active Directory joining to the ISE

Objective: Join Active Directory as External Identity Source to the ISE

2. Open Mgmnt host and navigate to Applications/Internet/Chromium Web Browser

✓ Log into the ISE by browsing to https://ise.eve.lab using a username: admin and a
password: Test123
✓ Navigate to ISE Management

✓ Click Tab Administration/Identity Management/External Identity Sources

16 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Click Active Directory and “+ Add”

✓ Joint point name: ad.eve.lab

✓ Active Directory domain name: eve.lab

✓ Click Submit and Yes for Join

✓ Fill credentials AD User name: administrator, Password: Test123 (AD Server

administrator password)

17 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Click OK, Status must be completed (green)

✓ Click Tab Groups/Select Groups From Directory

✓ Click Retrieve Groups

✓ Select Domain Computers, Engineers and Employees, Click OK

18 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ To complete configuration at the bottom of screen click Save

XI. SW1 and SW2 AAA configuration

Objective: Configure lab switch AAA and ISE Radius

✓ Open SW1 and SW2 switches console and configure following:

aaa new-model
dot1x system-auth-control

radius server ISE

address ipv4 10.1.1.200 auth-port 1812 acct-port 1813
key eve1

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server timeout 2

aaa group server radius ISE-GROUP

server name ISE
ip radius source-interface Vlan10

aaa authentication dot1x default group ISE-GROUP

aaa authorization network default group ISE-GROUP

19 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

 Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

aaa accounting update periodic 5

aaa accounting dot1x default start-stop group ISE-GROUP

aaa server radius dynamic-author

client 10.1.1.200 server-key eve1

snmp-server community eve1 RO

snmp-server enable traps snmp linkdown linkup

XII. ASAv10 AAA configuration

Objective: Configure lab ASAv10 AAA and ISE Radius

✓ Open ASAv10 console and configure following:

aaa-server ISE-GROUP protocol radius
aaa-server ISE-GROUP (dmz) host 10.1.1.200
key eve1
authentication-port 1812
accounting-port 1813
radius-common-pw eve1

XIII. Lab devices joining to the ISE

1. Objective: Create Device Type Group
✓ Navigate to ISE Management

✓ Click Tab Administration/Network Resources/Network Devices

✓ Click to tab “Network Device Groups”

✓ Click “+ Add”

20 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Name: LAN Switches

✓ Parent Group: All Device Types
✓ Click Save

2. Objective: Create Location Group

✓ Click “+ Add”

✓ Name: My LAN
✓ Parent Group: All Locations
✓ Click Save

21 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

3. Objective: Join SW1 switch to the ISE radius

✓ Click to tab “Network Devices”
✓ Click “+ Add”

✓ Name: SW1
✓ Description: LAB SW1
✓ IP Address: 10.1.1.252
✓ Model Name: IOL
✓ Version: 15.2
✓ Location: My LAN
✓ Device Type: LAN Switches
✓ Select Radius checkbox
✓ Shared Secret: eve1

22 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Enable SNMP Settings

✓ SNMP Version: 2c
✓ SNMP RO Community: eve1

✓ Click Submit

4. Objective: Join SW2 switch to the ISE radius

✓ Click to tab “Network Devices”
✓ Click “+ Add”

23 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

 Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Name: SW2
✓ Description: LAB SW2
✓ IP Address: 10.1.1.253
✓ Model Name: IOL
✓ Version: 15.2
✓ Location: My LAN
✓ Device Type: LAN Switches
✓ Select Radius checkbox
✓ Shared Secret: eve1

5. Objective: Join ASAv10 to the ISE radius

✓ Click to tab “Network Devices”
✓ Click “+ Add”
✓ Name: ASAv10
✓ Description: LAB ASAv10
✓ IP Address: 10.1.1.254
✓ Model Name: ASAv
✓ Version: 9.14.2
✓ Location: My LAN
✓ Device Type: LAN Switches
✓ Select Radius checkbox
✓ Shared Secret: eve1

XIV. Create authorization Profiles and DACLs

Objective: Create three (3) DACLs

✓ Navigate to ISE Management

✓ Click Tab Policy/Policy Elements/Results

✓ Navigate to Authorization/Downloadable ACLs
✓ Click “+ Add”

24 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Navigate to Authorization/Downloadable ACLs

✓ Click “+ Add”
✓ Name: EVE_DHCP_ACL
✓ IP Version: IPv4
✓ Add ACL line
permit udp any eq 68 any eq 67

✓ Check DACL Syntax, must be Valid

✓ Click Save.

✓ Click “+ Add”
✓ Name: PERMIT_AD_ONLY
✓ IP Version: IPv4
✓ Add ACL lines
permit udp any eq 68 any eq 67
permit udp any any eq 53
permit ip any host 10.1.1.201

25 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Check DACL Syntax, must be Valid

✓ Click Save.

✓ Click “+ Add”
✓ Name: WIRED_PERMIT_ALL
✓ IP Version: IPv4
✓ Add ACL line
permit ip any any

✓ Check DACL Syntax, must be Valid

✓ Click Save.

Objective: Create Four (4) Authorization Profiles

✓ Navigate to Authorization/Authorization Profiles

✓ Click “+ Add”

✓ Name: Contractor-PROFILE
✓ Enable checkbox DACL
✓ Select previously created DACL: EVE_DHCP_ACL
✓ Select VLAN: ID/Name: 40

26 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Click “+ Add”
✓ Name: Employees-PROFILE
✓ Enable checkbox DACL
✓ Select previously created DACL: WIRED_PERMIT_ALL
✓ Select VLAN: ID/Name: 20

✓ Click “+ Add”
✓ Name: Engineers-PROFILE
✓ Enable checkbox DACL
✓ Select previously created DACL: WIRED_PERMIT_ALL
✓ Select VLAN: ID/Name: 30

✓ Click “+ Add”
✓ Name: WIRED_AD_ONLY_PROFILE
✓ Enable checkbox DACL
✓ Select previously created DACL: PERMIT_AD_ONLY
✓ Select VLAN: ID/Name: 10

XV. Create Source Identity sequence

Objective: Create Source identity sequence

✓ Navigate to ISE Management

✓ Click Tab Administration/Identity Management/Groups

✓ Click Tab: Identity Source Sequences
✓ Click “+ Add”

✓ Name: EVE_Sequence
✓ Select Identity sources: ad.eve.lab and Internal Endpoints

27 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

 Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Click: Save

XVI. Create ISE Security groups

Objective: Create ISE Security Groups

✓ Navigate to ISE Management/Work Centers/TrustSec/Components

✓ Create new security Groups
✓ Name: Domain_PC
✓ Name: Engineers

28 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

 Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

XVII. Create Policy Set

1. Objective: Create mab and dot1x Policy
✓ Navigate to ISE Management

✓ Click Tab Policy/Policy Sets

✓ Click “+ Add”

✓ Name: EVE-POLICY
✓ Click “+” for New conditions

✓ In Conditions Studio “Click to add an attribute”

✓ In Editor “Click Tab Location”

✓ Select Attribute DEVICE:Location

29 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Select equals from list: All Locations/My LAN

✓ Click New to add another attribute

✓ In Editor “Click Tab Network Device”

✓ Select Attribute DEVICE: Device Type

✓ Select equals from list: All Device Types/LAN Switches

✓ Click New to add another attribute

✓ In Editor “Click Tab Port”

30 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Under Dictionary select: Radius

✓ Select Radius/NAT-Port-Type

✓ Select Equal: Ethernet

✓ Click Use
✓ Select Default Network Access for allowed Protocols

2. Objective: Authentication Policy

✓ Click to View Policy “>”

✓ Expand Authentications Policy

✓ For Default rules select Use: EVE_Sequence

31 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

3. Objective: Create Corporate PC Authorization Policy

✓ Navigate to Authorization Policy
✓ Expand Authorization Policy
✓ Click “+” To add New rule

✓ Name: AD_PC_RULE
✓ Click “+” For new Condition

✓ Select Tab: Identity Group

✓ Select: ad.eve.lab/ExternalGroups

✓ Select Equal: eve.lab/Users/Domain Computers

✓ Click: Use

32 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Select Profiles: WIRED_AD_ONLY

✓ Select Security Group: Domain_PC

4. Objective: Create Corporate Engineer Authorization Policy

✓ Navigate to AD_PC_RULE/Actions/Insert new rule below

✓ Name: Engineers
✓ Click “+” to add New conditions

✓ Select Tab: Identity Group

✓ Attribute: ad.eve.lab/ExternalGroups
✓ Equals: eve.lab/Users/Engineers
✓ Click Use

33 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Click New for another condition in this rule

✓ Select Tab: Unclassified

✓ Select Dictionary: Network Access
✓ Select Attribute: WasMachineAuthenticated
✓ Equals: True
✓ Click Use

✓ Select Profiles: Engineers-PROFILE

✓ Select Security Group: Engineers

34 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

5. Objective: Create Corporate Emploee Authorization Policy

✓ Navigate to Engineers/Actions/Insert new rule below
✓ Name: Employees
✓ Click “+” to add New conditions
✓ Select Tab: Identity Group
✓ Attribute: ad.eve.lab/ExternalGroups
✓ Equals: eve.lab/Users/Employees
✓ Click Use

✓ Click New for another condition in this rule

✓ Select Tab: Unclassified

✓ Select Dictionary: Network Access
✓ Select Attribute: WasMachineAuthenticated
✓ Equals: True
✓ Click Use

35 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Select Profiles: Employees-PROFILE

✓ Select Security Group: Employees

6. Objective: Contractors MAB Authorization Policy

✓ Navigate to Employees/Actions/Insert new rule below
✓ Name: Contractors-MAB
✓ Click “+” to add New conditions
✓ Select Tab Identity Group
✓ Attribute: Name

✓ Equals: Endpoint Identity Groups: Contractors

✓ Click: New to add another condition
✓ Select Tab: Unclassified
✓ Select Condition: Normalized Radius/Radius FlowType

36 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

 Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Equals: WiredMAB
✓ Click Use
✓ Select Profiles: Contractor-PROFILE
✓ Select Security Groups: Contractor

Objective: Save Authorization Policy

✓ Click SAVE below

XVIII. Lab Switch Ports configuration DOT1x and MAB

1. Objective: Configure lab SW1 switch ports
✓ Open SW1 switch console and configure following
✓ Remove temporary configured VLAN 10, switchport will assign VLAN dynamically
accordingly configure ISE User Groups profiles
interface Ethernet0/1
description Corporate win10 PC
switchport mode access
no switchport access vlan 10
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

interface Ethernet0/1
description Contractor Win10 PC
switchport mode access

37 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

authentication open
authentication port-control auto
mab
spanning-tree portfast edge
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

2. Objective: Configure lab SW2 switch ports

✓ Open SW2 switch console and configure following:
interface Ethernet1/0
description Contractor FTP Server
switchport mode access
authentication open
authentication port-control auto
mab
spanning-tree portfast edge
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

XIX. Corporate-PC Dot1x Authentication

1. Objective: Configure Windows 10 PC for Dot1x authentication
✓ Open Windows 10
✓ Navigate To Windows Control Panel, Administrative Tools/Services
✓ Make sure if your Windows has enabled and running Wired Autoconfig Service
✓ If it is not running, then log off Windows and log in to it as Administrator
✓ Login: eve\administrator, Password: Test123
Note: It is domain administrator user which we set previously on Windows Server 2019

✓ Navigate to Start/Settings/Network & Internet

✓ Navigate to Advanced Network Settings/Change Adapter Settings
✓ Right click on ethernet adapter and choose Properties.

38 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

Note: On Windows 10, it will ask you Administrator rights, login in PC as administrator
Username: eve\administrator, Password: Test123

✓ Select Tab Authentication

✓ Check Enable IEEE 802.1X authentication

✓ Click Choose a network authentication method Settings

✓ Unselect Verify the Server’s identity by validating the certificate
✓ Click on Select Authentication Method: Configure
✓ Check: When connecting, Automatically use my Windows Logon name and password
and domain if any
✓ Click OK 2 times

39 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Click Additional Settings

✓ Check Specify authentication mode
✓ Choose User or Computer authentication
✓ Click OK 2 times
✓ Reboot Windows 10

40 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Click OK 2 times
✓ Reboot Windows 10
2. Objective: Corporate-PC Windows 10 Verification

Note: after reboot Windows 10 machine, do not login into it, but check results on Switch:

✓ Issue command show access-lists

You must notice that DACL PERMIT_AD_ONLY is in use. Means your Windows 10 received IP address,
and can communicate with AD server
SW#sh access-lists
Extended IP access list xACSACLx-IP-PERMIT_AD_ONLY-5fdf2f06 (per-
user)
1 permit udp any eq bootpc any eq bootps
2 permit udp any any eq domain
3 permit ip any host 10.1.1.201
SW#

✓ Navigate to ISE management/Operations/Live Logs

✓ You must see that Corporate-PC is authenticated but has assigned only to
WIRED_AD_ONLY_PROFILE

3. Objective: Corporate-PC Engineer user (John)

✓ Login in Windows 10 Corporate-PC as, user: johndoe and password: Gold2021
✓ Navigate to switch and issue again show access-list, Now you will see that ACL is
changed to permit all and VLAN 30 is forced on the port for
SW1#show authentication sessions interface e0/1 details
Interface: Ethernet0/1
MAC Address: 5017.00ac.0000
IPv6 Address: Unknown
IPv4 Address: 10.1.3.11
User-Name: EVE\johndoe
Status: Authorized
Domain: DATA

41 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

Oper host mode: single-host

Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 300s (local), Remaining: 263s
Session Uptime: 338s
Common Session ID: 0A0101FC0000001508D1386B
Acct Session ID: 0x00000021
Handle: 0xEC000007
Current Policy: POLICY_Et0/1

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority
150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:
Vlan Group: Vlan: 30
ACS ACL: xACSACLx-IP-WIRED_PERMIT_ALL-5fe06c43
SGT Value: 16

Method status list:

Method State

dot1x Authc Success

SW1#
Extended IP access list xACSACLx-IP-WIRED_PERMIT_ALL-5fe06c43 (per-
user)
1 permit ip any any
SW#

✓ Navigate to ISE management/Operations/Live Logs again

✓ Now you will see that John Doe user is authorized and assigned to Engineers-PROFILE
and obtained IP from VLAN 30.

4. Objective: Corporate-PC Employee user (Jenny)

✓ Sign out from John Doe.
✓ Login in Windows 10 Corporate-PC as, user: jennydoe and password: Silver2021
✓ Navigate to switch and issue again show access-list, Now you will see that ACL is
changed to permit all and VLAN 20 is forced for the switchport

42 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

SW1#show authentication sessions interface e0/1 details

Interface: Ethernet0/1
MAC Address: 5017.00ac.0000
IPv6 Address: Unknown
IPv4 Address: 10.1.2.11
User-Name: EVE\jennydoe
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 300s (local), Remaining: 193s
Session Uptime: 708s
Common Session ID: 0A0101FC0000001508D1386B
Acct Session ID: 0x00000023
Handle: 0xEC000007
Current Policy: POLICY_Et0/1

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority
150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:
Vlan Group: Vlan: 20
ACS ACL: xACSACLx-IP-WIRED_PERMIT_ALL-5fe06c43
SGT Value: 4

Method status list:

Method State

dot1x Authc Success

SW#

✓ Navigate to ISE management/Operations/Live Logs again

✓ Now you will see that Jenny Doe user is authorized and assigned to Employees-PROFILE
and obtained IP from VLAN 20.

43 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

XX. Contractor Devices Authentication

1. Objective: Configure Contractor Windows 10 PC MAB authentication
✓ Boot Win10-PC2 node (Contractors PC)
✓ Navigate to ISE management/Operations/Live Logs
You will notice that authentication is failed. Notice MAC address of your Contractors PC

✓ Navigate to ISE management/Context Visibility/Endpoints

✓ Select Win10-PC2 Contractors rejected device, and click edit

✓ Select Contractors rejected device, and click edit

✓ Description: Contractors PC
✓ Static assignment: Windows 10-Workstation
✓ Static group assignment: Contractors
✓ Click save

44 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Issue command show access-lists

✓ You must notice that EVE_DHCP_ACL is in use. Means your Contractor PC has received
IP address from Vlan 40 , and have network access
SW1#show authentication sessions interface e0/2 details
Interface: Ethernet0/2
MAC Address: 5017.00ab.0000
IPv6 Address: Unknown
IPv4 Address: 10.1.4.10
User-Name: 50-17-00-AB-00-00
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 300s (local), Remaining: 221s
Session Uptime: 680s
Common Session ID: 0A0101FC0000001608E69670
Acct Session ID: 0x00000024
Handle: 0xC1000008
Current Policy: POLICY_Et0/2

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority
150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:
Vlan Group: Vlan: 40
ACS ACL: xACSACLx-IP-EVE_DHCP_ACL-5fe79837
SGT Value: 5

45 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

Method status list:

Method State

mab Authc Success

SW1#

✓ Navigate to ISE management/Operations/Live Logs again

✓ Now you will see that Contractor PC device is authenticated and assigned to
Contractors-PROFILE and VLAN 40

2. Objective: Configure Contractor Linux FTP Server MAB authentication

✓ Boot FTP Linux node (data.eve.lab docker node)
✓ Navigate to ISE management/Operations/Live Logs
You will notice that authentication is failed, Notice the MAC address of your FTP server
✓ Navigate to ISE management/Context Visibility/Endpoints

✓ Select Win10-PC2 Contractors rejected device, and click edit

✓ Select Contractors rejected device, and click edit

✓ Description: FTP Contractor Server
✓ Static assignment: Linux-Workstation
✓ Static group assignment: Contractors
✓ Click save

46 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Issue command show access-lists on SW2

✓ You must notice that EVE_DHCP_ACL is in use. Means your Contractor PC has received
IP address from Vlan 40 , and have network access
SW2#show authentication sessions interface e1/0 details
Interface: Ethernet1/0
MAC Address: 500a.0009.0000
IPv6 Address: Unknown
IPv4 Address: 10.1.4.100
User-Name: 50-0A-00-09-00-00
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 300s (local), Remaining: 278s
Session Uptime: 21s
Common Session ID: 0A0101FD0000000E0273196C
Acct Session ID: 0x00000004
Handle: 0xE7000002
Current Policy: POLICY_Et1/0

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority
150)
Security Policy: Should Secure
Security Status: Link Unsecure

47 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

Server Policies:
Vlan Group: Vlan: 40
ACS ACL: xACSACLx-IP-EVE_DHCP_ACL-5fe79837
SGT Value: 5

Method status list:

Method State

mab Authc Success

SW2#

✓ Navigate to ISE management/Operations/Live Logs again

✓ Now you will see that Contractor PC device is authenticated and assigned to
Contractors-PROFILE and VLAN 40

XXI. ISE TrustSec Configuration

1. Objective: Join Lab network devices to SXP domain
✓ Navigate to ISE Management/Work Centers/TrustSec/SXP

✓ Click “+” Add

✓ Name: SW1
✓ IP Address: 10.1.1.252
✓ Peer role: Speaker
✓ SXP Domain: Default
✓ Status Enabled
✓ Password Type: DEFAULT
✓ Version v4
✓ Save

48 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Click “+” Add

✓ Name: SW2
✓ IP Address: 10.1.1.253
✓ Peer role: Speaker
✓ SXP Domain: Default
✓ Status Enabled
✓ Password Type: DEFAULT
✓ Version v4
✓ Save

✓ Click “+” Add

✓ Name: ASAv10

49 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ IP Address: 10.1.1.254
✓ Peer role: Listener
✓ SXP Domain: Default
✓ Status Enabled
✓ Password Type: DEFAULT
✓ Version v4
✓ Save

2. Objective: Configure Network devices for TrustSec and CTS PAC

✓ Navigate to ISE Management
✓ Click Tab Administration/Network Resources/Network Devices

✓ Select ASAv10/edit
✓ Navigate to Advanced TrustSec Settings, Enable it
✓ Enable Use Device ID for TrustSec Identification
✓ Password: eve1

50 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Navigate down to TrustSec Notifications and Updates

✓ Enable Other TrustSec devices to trust this device
✓ Enable Using Send configuration changes to device and CoA

✓ Navigate down to Out Of Band (OOB) TrustSec PAC

✓ Encryption key: evetrust (this key will be required to import PAC to the ASAv10)
✓ Select 1 year time to liv
✓ Generate PAC, File ASAv10.pac will be downloaded to the Mgmnt station download
directory

✓ Navigate to ISE Management

✓ Click Tab Administration/Network Resources/Network Devices
✓ Select SW1/edit
✓ Navigate down to Advanced TrustSec Settings, Enable it
✓ Enable Use Device ID for TrustSec Identification
✓ Password: eve1
✓ Navigate down to TrustSec Notifications and Updates
✓ Enable Other TrustSec devices to trust this device
✓ Enable Using Send configuration changes to device and CoA
✓ Navigate down to Out Of Band (OOB) TrustSec PAC
✓ Encryption key: evetrust (this key will be required to import PAC to the ASAv10)
✓ Select 1 year time to live

51 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

 Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Generate PAC, File SW1.pac will be downloaded to the Mgmnt station download
directory

✓ Navigate to ISE Management

✓ Click Tab Administration/Network Resources/Network Devices
✓ Select SW2/edit
✓ Navigate down to Advanced TrustSec Settings, Enable it
✓ Enable Use Device ID for TrustSec Identification
✓ Password: eve1
✓ Navigate down to TrustSec Notifications and Updates
✓ Enable Other TrustSec devices to trust this device
✓ Enable Using Send configuration changes to device and CoA
✓ Navigate down to Out Of Band (OOB) TrustSec PAC
✓ Encryption key: evetrust (this key will be required to import PAC to the ASAv10)
✓ Select 1 year time to live
✓ Generate PAC, File SW1.pac will be downloaded to the Mgmnt station download
directory

XXII. ASAv CTS Configuration

Objective: Configure ASAv10 TrustSec CTS with following configuration

✓ Open ASAv10 cli and configure with following

cts server-group ISE-GROUP
cts sxp enable
cts sxp default password eve1
cts sxp default source-ip 10.1.1.254
cts sxp connection peer 10.1.1.200 password default mode local
listener

✓ Mgmt station and copy ASAv10.pac file to tftp folder

52 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

 Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

✓ Open ASAv10 cli and configure with following

ASAv10# cts import-pac tftp://10.1.1.100/ASAv10.pac password
evetrust
!PAC Imported Successfully
ASAv10#
ASAv10#
ASAv10# cts refresh environment-data
ASAv10# Database updated, 20 recs written

ASAv10#

✓ Verify if your ASAv has success SXP connectivity to the ISE

ASAv10# show cts sxp connections
SXP : Enabled
Highest version : 3
Default password : Set
Default local IP : 10.1.1.254
Delete hold down period : 120 secs
Reconcile period : 120 secs
Retry open period : 120 secs
Retry open timer : Not Running
Total number of SXP connections: 1
Total number of SXP connections shown: 1
-----------------------------------------------------------
Peer IP : 10.1.1.200
Source IP : 10.1.1.254
Conn status : On
Conn version : 3
Local mode : Listener
Ins number : 3
TCP conn password : Default
Reconciliation timer : Not Running
Delete hold down timer : Not Running
Duration since last state change: 0:00:28:12 (dd:hr:mm:sec)ASAv10#

XXIII. LAN Switches CTS Configuration

Objective: Configure SW1 TrustSec CTS with following configuration

✓ Open SW1 and SW2 cli and configure with following

cts authorization list ISE
cts sxp enable
cts sxp default source-ip 10.1.1.252
cts sxp default password eve1
cts sxp connection peer 10.1.1.200 source 10.1.1.252 password
default mode local speaker

53 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

radius server ISE

address ipv4 10.1.1.200 auth-port 1812 acct-port 1813
pac key eve1

✓ Open SW1 cli and configure with following

SW1#cts credentials id SW1 password evetrust
CTS device ID and password have been inserted in the local keystore.
Please make sure that the same ID and password are configured in t
he server database.

SW1#sh cts pac

AID: E3EB17E4E7F395AD7AB10E341640BF8C
PAC-Info:
PAC-type = Cisco Trustsec
AID: E3EB17E4E7F395AD7AB10E341640BF8C
I-ID: SW1
A-ID-Info: Identity Services Engine
Credential Lifetime: 05:23:35 EET Apr 6 2021
PAC-Opaque:
000200B00003000100040010E3EB17E4E7F395AD7AB10E341640BF8C000600940003
010010C1CDF52A20B238C8A91CCD365EFFF2000000135FF106A00
0093A80D3AF12451910CDB0E27B1425469F0BC4C385EDF1613E0DC851AA58282888D
E1395173996B9AA0C9460B606C8AE352B50CB5EE49409063D718F8618E92C135E9D
C0A7E2FB18E712B8E0E16350F97064F7BA817C868C272DB1F803132AA8AB9966F3AD
980EDDE1E035E9C1FFAA04C80D6B535F319C
Refresh timer is set for 12w3d

SW1#show cts sxp connections

SXP : Enabled
Highest Version Supported: 4
Default Password : Set
Default Source IP: 10.1.1.252
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not running
Peer-Sequence traverse limit for export: Not Set
Peer-Sequence traverse limit for import: Not Set
----------------------------------------------
Peer IP : 10.1.1.200
Source IP : 10.1.1.252
Conn status : On
Conn version : 4
Conn capability : IPv4-IPv6-Subnet
Conn hold time : 120 seconds
Local mode : SXP Speaker
Connection inst# : 1
TCP conn fd : 1
TCP conn password: default SXP password
Keepalive timer is running

54 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

Duration since last state change: 0:00:38:19 (dd:hr:mm:sec)

Total num of SXP Connections = 1

SW1#
SW1#

✓ Open SW2 cli and configure with following

SW2#cts credentials id SW2 password evetrust
CTS device ID and password have been inserted in the local keystore.
Please make sure that the same ID and password are config
ured in the server database.

SW2#show cts pac

AID: E3EB17E4E7F395AD7AB10E341640BF8C
PAC-Info:
PAC-type = Cisco Trustsec
AID: E3EB17E4E7F395AD7AB10E341640BF8C
I-ID: SW2
A-ID-Info: Identity Services Engine
Credential Lifetime: 09:36:09 GMT Apr 7 2021
PAC-Opaque:
000200B00003000100040010E3EB17E4E7F395AD7AB10E341640BF8C000600940003
0100C4ACF9A6F35AAE51CAC4FBB581ACF03900000013
5FF106A000093A80D3AF12451910CDB0E27B1425469F0BC4FB48A999198367120E15
327D7BF1FC2CFD4804A065BFEB75B6A07587A0E33A2D176914D2B3037C
D04804C6ADC05DAB03247A42C57B934BFF61309B981EDCA1E9C7BC77282DAD519BFF
954A1A0BFE8E8C053E6A2EFACDF36562D916D94C8CE08BEEC4FFBB
Refresh timer is set for 12w4d

SW2#show cts sxp connections

SXP : Enabled
Highest Version Supported: 4
Default Password : Set
Default Source IP: 10.1.1.253
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not running
Peer-Sequence traverse limit for export: Not Set
Peer-Sequence traverse limit for import: Not Set
----------------------------------------------
Peer IP : 10.1.1.200
Source IP : 10.1.1.253
Conn status : On
Conn version : 4
Conn capability : IPv4-IPv6-Subnet
Conn hold time : 120 seconds
Local mode : SXP Speaker

55 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

 Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

Connection inst# : 1
TCP conn fd : 1
TCP conn password: default SXP password
Keepalive timer is running
Duration since last state change: 0:00:37:26 (dd:hr:mm:sec)

Total num of SXP Connections = 1

SW2#

3. Objective: TrsutSec SXP domain connectivity verification

✓ Navigate to ISE Management/Work Centers/TrustSec/SXP
✓ Status for devices must ON

XXIV. TrustSec SXP SGT verification

1. Objective: Check SGT Policies and mapping on ASAv
✓ Issue command ASAv if Jenny (Employee) was authenticated
ASAv10# show cts sxp sgt-map ipv4 detail
Total number of IP-SGT mappings : 5
Total number of IP-SGT mappings shown: 5

SGT : 5:Contractors
IPv4 : 10.1.4.10
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active

SGT : 4:Employees
IPv4 : 10.1.2.11
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active

SGT : 5:Contractors
IPv4 : 10.1.4.100
Peer IP : 10.1.1.200
Ins Num : 3

56 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

Status : Active

SGT : 2:TrustSec_Devices
IPv4 : 10.1.1.252
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active

SGT : 2:TrustSec_Devices
IPv4 : 10.1.1.253
Peer IP : 10.1.1.200
Ins Num : 3

✓ Issue command ASAv if John (Engineers) was authenticated

ASAv10# show cts sxp sgt-map ipv4 detail
Total number of IP-SGT mappings : 7
Total number of IP-SGT mappings shown: 7

SGT : 5:Contractors
IPv4 : 10.1.4.10
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active

SGT : 17:Domain_PC
IPv4 : 10.1.2.11
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active

SGT : 16:Engineers
IPv4 : 10.1.3.12
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active

SGT : 16:Engineers
IPv4 : 10.1.1.23
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active

SGT : 5:Contractors
IPv4 : 10.1.4.100
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active

SGT : 2:TrustSec_Devices
IPv4 : 10.1.1.252
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active

SGT : 2:TrustSec_Devices
IPv4 : 10.1.1.253
Peer IP : 10.1.1.200
Ins Num : 3
Status : Active
ASAv10#

57 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

 Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

2. Objective: ISE SGT Mapping

✓ Navigate to ISE Management/Work Centers/TrustSec/SXP/All SXP Mappings

XXV. ASAv SGT based Access rules

TrustSec SXP SGT Policies based Tasks

1. Corporate User Employees (Jenny) Must have access to Corporate WEB Server
http://webserver.eve.lab and Internet only.
2. Corporate User Engineers (John) must have access to all resources in the lab. Engineer
network must have access to Contractors network.
3. Contractor User must have access to FTP Server ftp://data.eve.lab and DNS services and
Internet
4. Contractor User must not have access to DMZ network or to Corporate VLANs 20 and 30.

1. Objective: Check SGT Policies and mapping on ASAv

✓ Open ASAv10 cli and configure with following
access-list employees_access_in extended deny ip security-group name Employees
object employees_network security-group name Contractors object contractors_network
access-list employees_access_in extended permit ip security-group name Employees
any object-group Emploee_Access
access-list employees_access_in extended deny ip security-group name Employees any
object dmz_network
access-list engineers_access_in extended permit ip security-group name Engineers
any any
access-list contractors_access_in extended permit ip security-group name
Contractors any security-group name Contractors any
access-list contractors_access_in extended permit object-group TCPUDP security-
group name Contractors any object DNS_server eq domain
access-list contractors_access_in extended deny ip security-group name Contractors
any security-group name Employees any

58 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

 Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

access-list contractors_access_in extended deny ip security-group name Contractors

any object dmz_network
access-list contractors_access_in extended deny ip security-group name Contractors
any security-group name Engineers any
access-list contractors_access_in extended permit ip security-group name
Contractors any any

access-group engineers_access_in in interface engineers

access-group contractors_access_in in interface contractors

XXVI. Final verification

1. Objective: Test Contractor PC access to FTP Server ftp://data.eve.lab
✓ Open in Contractors PC FileZilla, or browser to test FTP access to data.eve.lab
✓ Username: root, password: eve
✓ Connection must be success

59 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

2. Objective: Test Contractor PC access to Internet

✓ Open in Contractors PC CMD and test ping www.google.com. Named ping ensure that
access to DNS server is properly configured

Must be success

3. Objective: Test Contractor PC access to Corporate resources

✓ Open in Contractors PC Browser and test access: http://webserver.eve.lab

Access must fail.

✓ Test ping to Engineers or Employee Networks

Access must fail.

60 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

4. Objective: Test Corporate PC Engineers SGT user John

✓ Log in Corporate-PC as user johndoe/Gold2021
✓ Open browser and test http://webserver.eve.lab

Must have access to it.

5. Objective: Test Corporate PC Engineers SGT user John to Contractors FTP

✓ Open Filezilla and test ftp access to contractors server data.eve.lab

Must have access to it.

61 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

6. Objective: Test Corporate PC Engineers SGT user John Internet

✓ Open CMD and ping www.google.com
✓ Ping Contractors PC IP

Must have access to it.

62 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

7. Objective: Test Corporate PC Employees SGT user Jenny Access to Corporate web server
✓ Log in Corporate-PC as user jennydoe/Silver2021
✓ Open browser and test http://webserver.eve.lab

Must have access to it.

8. Objective: Test Corporate PC Employees SGT user Jenny Internet and access to Contractors
✓ Log in Corporate-PC as user jennydoe/Silver2021
✓ Open CMD and ping www.google.com
✓ Ping ftp server data.eve.lab

Internet must be success

FTP access must fail

63 Created by Uldis Dzerkals, EVE-NG Ltd, 2021

Cisco Security Lab TrustSec SXP SGT dot1x & mab
EVE-PRO, 2021
__________________________________________________________________________________

64 Created by Uldis Dzerkals, EVE-NG Ltd, 2021