ISE 2.1 - Switch and Wireless Controller TrustSec Configuration

In this blog post, I'll go through the configuration for TrustSec and SXP for both my Catalyst 3650 switch and wireless controller. I'll walk through the configuration, create the SXP connection, and verify. After that, I'll test out a policy by connecting a client to the switch, watching the tag be applied on ingress and the policy applied.

In my lab, I'm running 3.6.4 XE code on my switch per the ISE compatibility matrix. If you haven't seen the compatibility matrix, go here to view the platforms supported by ISE, recommended code and feature compatibility for those platforms. For TrustSec, I also recommend viewing the latest TrustSec compatibility guide to view the supported platforms and roles supported. As of writing, this was the latest compatibility matrix for TrustSec.

To start, I'm going to make sure that TrustSec settings are configured under the NAD in ISE by navigating to Administration>Network Resources>Network Devices>Node-Name and entering in the Device-ID, shared password, other device trust the device and send configuration changes to the device by using CoA:


Now I'm going to start configuring the switch. I'll start with some global commands:

radius server ise
address ipv4 auth-port 1812 acct-port 1813
pac key

aaa server radius dynamic-author
client server-key networknode
server-key networknode
auth-type any

aaa group server radius ise-group
server name ise

cts credentials id Sw1 password networknode - TrustSec Device ID and password for authentication with EAP-FAST
aaa new-model
aaa authentication dot1x default group ise-group -
802.1X port-based authentication method using the RADIUS group I previously created
aaa authorization network cts-list group ise-group - Configures switch to use RADIUS authorization for all network-related service requests
cts authorization list cts-list - Specifies TrustSec AAA server group
aaa accounting dot1x default start-stop group ise-group - 802.1x accounting using RADIUS
aaa session-id common

radius-server vsa send authentication - Allows the switch to recognize and use vendor-specific attributes in RADIUS Access-Requests generated by the switch
dot1x system-auth-control - Globally enables port-based authentication 

cts role-based enforcement
cts role-based enforcement vlan-list

Next we will configure SXP:

cts sxp enable
cts sxp default password
cts sxp connection peer source password default mode both

In ISE, navigate to Work Centers>TrustSec>SXP>SXP Devices and add the switch:


Now you can verify the configuration from the switch:

Verify that SGTs were downloaded with show cts environment-data


Verify that the PAC was provisioned with show cts pac


See the existing bindings on the switch with the show cts role-based sgt-map all


Verify the policy with show cts role-based permissions:


Show the SXP connections with the show cts sxp connections


To view the SGT assigned to a port, issue the show authentication session interface g1/0/47 detail to view the details of the authentication session on the port level:

In the ISE RADIUS Live Log, you can the CTS Request when the endpoint was authenticated and authorization is granted via SGT:


For the Wireless Controller, the configuration is minimal. What needs to be configured is the SXP connection. In the WLC, navigate to Security>TrustSec SXP. Enable SXP and add the ISE SXP node as the peer:

In ISE, navigate to Work Centers>TrustSec>SXP>SXP Devices and add the WLC as the SXP Peer:


After clicking save, verify that the SXP connection is working: