{"id":477,"date":"2025-01-23T05:38:59","date_gmt":"2025-01-23T05:38:59","guid":{"rendered":"https:\/\/certcent.io\/?p=477"},"modified":"2025-02-06T23:50:44","modified_gmt":"2025-02-06T23:50:44","slug":"ise-trustsec-lab","status":"publish","type":"post","link":"https:\/\/certcent.io\/index.php\/2025\/01\/23\/ise-trustsec-lab\/","title":{"rendered":"ISE TrustSec Lab"},"content":{"rendered":"\n

Below is a sample from my Cisco switch configuration in eve-ng that works to connect a Cisco switch to an ISE server. My config doesn’t include the ASA router that assigns an IP dynamically based on the OU group e1\/0 and e1\/1 have Windows PCs that log with a student of staff, based on that configures if the IP address is .20 or .30.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Current configuration : 5186 bytes
!
! Last configuration change at 23:34:51 UTC Thu Feb 6 2025 by admin
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
!
username cisco password 0 admin
username admin password 0 cisco
aaa new-model
!
!
<\/p>\n\n\n\n

!
!
aaa group server radius ISE-GROUP
server name ISE
ip radius source-interface Vlan10
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa authorization network cts-list group ISE-GROUP
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group ISE-GROUP
!
!
!
!
!
aaa server radius dynamic-author
client 10.1.1.200 server-key eve1
!
aaa session-id common
<\/p>\n\n\n\n

!
!
!
ip domain-name eve
ip cef
no ipv6 cef
!
!
cts authorization list cts-list
cts role-based sgt-map 10.1.1.100 sgt 2
cts role-based sgt-map 10.1.1.200 sgt 2
cts role-based sgt-map 10.1.1.201 sgt 2
cts role-based sgt-map 10.1.1.253 sgt 2
cts role-based sgt-map 10.1.1.254 sgt 2
cts sxp enable
cts sxp default source-ip 10.1.1.252
cts sxp default password eve1
cts sxp connection peer 10.1.1.200 source 10.1.1.252 password default mode local speaker hold-time 0
dot1x system-auth-control
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0\/0
switchport trunk encapsulation dot1q
switchport mode trunk
negotiation auto
!
interface GigabitEthernet0\/1
description mgmt node
switchport access vlan 10
<\/p>\n\n\n\n

switchport mode access
negotiation auto
!
interface GigabitEthernet0\/2
description ise node
switchport access vlan 10
switchport mode access
negotiation auto
!
interface GigabitEthernet0\/3
description ise node
switchport access vlan 10
switchport mode access
negotiation auto
!
interface GigabitEthernet1\/0
description win10 node
switchport access vlan 100
switchport mode access
negotiation auto
authentication host-mode multi-auth
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
!
interface GigabitEthernet1\/1
description win10 node
switchport access vlan 100
switchport mode access
negotiation auto
authentication host-mode multi-auth
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
!
interface GigabitEthernet1\/2
negotiation auto
<\/p>\n\n\n\n

!
interface GigabitEthernet1\/3
negotiation auto
!
interface Vlan10
ip address 10.1.1.253 255.255.255.0
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
snmp-server community eve1 RO
snmp-server enable traps snmp linkdown linkup
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server timeout 2
!
radius server ISE
address ipv4 10.1.1.200 auth-port 1812 acct-port 1813
pac key eve1
!
!
control-plane
username admin password cisco
# not included in show running-config
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input ssh
line vty 5 15
transport input ssh
!
!
cts credentials id SW02 password eve1
# not included in show running-config<\/p>\n\n\n\n

<\/p>\n\n\n\n

end
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n","protected":false},"excerpt":{"rendered":"

Below is a sample from my Cisco switch configuration in eve-ng that works to connect a Cisco switch to an ISE server. My config doesn’t include the ASA router that assigns an IP dynamically based on the OU group e1\/0 and e1\/1 have Windows PCs that log with a student of staff, based on that… Continue reading ISE TrustSec Lab<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/posts\/477"}],"collection":[{"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/comments?post=477"}],"version-history":[{"count":10,"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/posts\/477\/revisions"}],"predecessor-version":[{"id":494,"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/posts\/477\/revisions\/494"}],"wp:attachment":[{"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/media?parent=477"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/categories?post=477"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/tags?post=477"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}