Verified TrustSec


In my continued journey with Cisco TrustSec, I now have a verified switch configuration with all the components of basic TrustSec with ISE doing the policy and the switch doing the enforcement.

It was important to me to reach this point, as I now have to remember everything up to this point in my practice. That, and I don't have to fumble around a million different blog posts scattered all over the interwebs in order to figure out what to do.

This is a working config for me on my Catalyst 3650 switch. I leave the ISE portion out of the equation for now, but obviously that's a component just as important. Two things to keep in mind when reusing it: the RADIUS shared secret and PAC key (Cisco123) are lab values shown in cleartext, so use a unique, strong secret per network device in anything but a lab; and the switch's own TrustSec credentials (cts credentials id C3650 password ...) are entered from privileged EXEC and stored in the keystore, which is why they do not show up in the running-config below.

aaa new-model
!
! RADIUS server group pointing at ISE; all RADIUS traffic is sourced from Vlan100
aaa group server radius ISE-GRP
 server name ISE01
 ip radius source-interface Vlan100
!
! 802.1X/MAB authentication, network authorization (SGT, dACL, VLAN) and accounting all go to ISE.
! CTS-LIST is the named authorization list TrustSec uses for the environment-data and SGACL download.
aaa authentication dot1x default group ISE-GRP
aaa authorization network default group ISE-GRP
aaa authorization network CTS-LIST group ISE-GRP
aaa accounting network default start-stop group ISE-GRP
!
! Accept Change of Authorization (CoA) from ISE, so it can reauthenticate or terminate a session
! and push a new SGT without the host having to disconnect
aaa server radius dynamic-author
 client 10.0.100.40 server-key Cisco123
!
! DHCP snooping and device tracking learn the IP addresses of authenticated hosts; these become
! the LOCAL entries in the IP-to-SGT binding table
ip dhcp snooping vlan 1,10,30
ip dhcp snooping
!
device-tracking tracking
!
! Point TrustSec at the CTS-LIST authorization list defined above (without this the list is never used)
cts authorization list CTS-LIST
!
! Static IP-to-SGT mappings (Source = CLI in show cts role-based sgt-map) for hosts that do not authenticate
cts role-based sgt-map 10.0.100.30 sgt 9
cts role-based sgt-map 192.168.100.100 sgt 12
! Turn on SGACL enforcement globally and on every VLAN
cts role-based enforcement
cts role-based enforcement vlan-list 1-4094
!
dot1x system-auth-control
!
! Client Port: try 802.1X first, fall back to MAB for devices without a supplicant
!
interface GigabitEthernet1/0/8
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
!
! Attribute 6 = Service-Type, 8 = Framed-IP-Address, 25 = Class; ISE wants these in the Access-Request
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
! ISE as the RADIUS server; the PAC key is the shared secret configured for this device in ISE
! and is used for the EAP-FAST PAC provisioning shown in show cts pacs
radius server ISE01
 address ipv4 10.0.100.40 auth-port 1812 acct-port 1813
 pac key Cisco123
!
!

And some verification commands on the switch after all of this is implemented. The things to check are, in order: a PAC has been provisioned (show cts pacs), the environment data download is COMPLETE and the server is ALIVE (show cts environment-data), the expected IP-to-SGT bindings exist and come from the right source (show cts role-based sgt-map all), the SGACL matrix downloaded from ISE matches what you configured there (show cts role-based permissions), and the counters actually move when test traffic crosses a policy cell (show cts role-based counters):

C3650#sh cts pacs 
AID: 56F93AE4DB08EB3D6DACF61DF1506236
PAC-Info:
  PAC-type = Cisco Trustsec
  AID: 56F93AE4DB08EB3D6DACF61DF1506236
  I-ID: C3650
  A-ID-Info: Identity Services Engine
  Credential Lifetime: 08:28:41 UTC Thu Apr 02 2026
PAC-Opaque: 000200B0000300010004001056F93AE4DB08EB3D6DACF61DF150623600060094000301007ADBBA8BE1A5EA6BB1D71148816968DA00000013695242CC00093A80A7B5D16B1396546E8A1923025472E744B29F1C43042CD3D835B9C6ADE1F45A700066E12854B8CE7C6ACE5BE262D577F8BCC6443909D8E951D506F783602E3832F357A0390D47A402084D145249A82EDD205F2B6ED9B2F780AC3A2842FE36B765279A77809EBD4DA532ADD5D2809127A9D386B806
Refresh timer is set for 12w3d

C3650#show cts environment-data 
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 2-00:TrustSec_Devices
Server List Info:
Installed list: CTSServerList1-0001, 1 server(s):
 *Server: 10.0.100.40, port 1812, A-ID 56F93AE4DB08EB3D6DACF61DF1506236
          Status = ALIVE
          auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Security Group Name Table:
    0-00:Unknown
    2-00:TrustSec_Devices
    3-00:Network_Services
    4-00:Employees
    5-00:Contractors
    6-00:Guests
    7-00:Production_Users
    8-00:Developers
    9-03:Auditors
    10-00:Point_of_Sale_Systems
    11-00:Production_Servers
    12-01:Development_Servers
    13-00:Test_Servers
    14-00:PCI_Servers
    15-00:BYOD
    255-00:Quarantined_Systems
    2002-00:KP_USERS
    4004-01:KPLAB_ORDINARY_USERS
Environment Data Lifetime = 86400 secs 
Last update time = 10:06:38 UTC Sat Jan 3 2026
Env-data expires in   0:02:34:13 (dd:hr:mm:sec)
Env-data refreshes in 0:02:34:13 (dd:hr:mm:sec)
Cache data applied           = NONE
State Machine is running

C3650#show cts role-based sgt-map all
Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
10.0.100.20             2       INTERNAL
10.0.100.30             9       CLI
10.10.10.1              2       INTERNAL
10.10.10.11             2002    LOCAL
10.30.30.1              2       INTERNAL
192.168.100.100         12      CLI

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 2
Total number of LOCAL    bindings = 1
Total number of INTERNAL bindings = 3
Total number of active   bindings = 6

C3650#show cts role-based permissions 
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 2002:KP_USERS to group 9:Auditors:
        Deny IP-00
IPv4 Role-based permissions from group 2002:KP_USERS to group 12:Development_Servers:
        Deny IP-00
IPv4 Role-based permissions from group 2:TrustSec_Devices to group 2002:KP_USERS:
        Permit IP-00
IPv4 Role-based permissions from group 4004:KPLAB_ORDINARY_USERS to group 2002:KP_USERS:
        Deny IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE


C3650#show cts role-based counters 
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor
*       *       0          0          0          1008       0          0         
2002    9       0          0          0          0          0          0         
2002    12      0          0          0          0          0          0         
2       2002    0          0          0          5          0          0         
4004    2002    0          0          0          0          0          0         
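
The three role-based outputs above are easiest to reason about together, so here is an added Python example (mine, not part of the original post or any Cisco tooling). It takes the sgt-map, permissions and counters output exactly as printed on this page (copied into the script as sample input), answers the question "what does the switch do with traffic from IP X to IP Y", and lists the policy cells that have never been hit. Unbound IPs are treated as SGT 0 (Unknown) and pairs with no cell fall back to the default; the function names are my own.

```python
import re

# Sample input: the verification output shown on this page, trimmed to the
# lines the parsers need.
SGT_MAP_OUTPUT = """\
IP Address              SGT     Source
============================================
10.0.100.20             2       INTERNAL
10.0.100.30             9       CLI
10.10.10.1              2       INTERNAL
10.10.10.11             2002    LOCAL
10.30.30.1              2       INTERNAL
192.168.100.100         12      CLI
"""

PERMISSIONS_OUTPUT = """\
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 2002:KP_USERS to group 9:Auditors:
        Deny IP-00
IPv4 Role-based permissions from group 2002:KP_USERS to group 12:Development_Servers:
        Deny IP-00
IPv4 Role-based permissions from group 2:TrustSec_Devices to group 2002:KP_USERS:
        Permit IP-00
IPv4 Role-based permissions from group 4004:KPLAB_ORDINARY_USERS to group 2002:KP_USERS:
        Deny IP-00
"""

COUNTERS_OUTPUT = """\
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor
*       *       0          0          0          1008       0          0
2002    9       0          0          0          0          0          0
2002    12      0          0          0          0          0          0
2       2002    0          0          0          5          0          0
4004    2002    0          0          0          0          0          0
"""


def parse_sgt_map(text):
    """Return {ip: (sgt, source)} from 'show cts role-based sgt-map all'."""
    bindings = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)$", line.strip())
        if m:
            bindings[m.group(1)] = (int(m.group(2)), m.group(3))
    return bindings


def parse_permissions(text):
    """Return (default_action, {(src_sgt, dst_sgt): action}).

    Each header line names a source/destination SGT pair; the action is read
    from the RBACL line that follows it (only Permit IP / Deny IP here).
    """
    default, cells, pending = None, {}, None
    for line in text.splitlines():
        m = re.match(r"IPv4 Role-based permissions from group (\d+):\S+ to group (\d+):\S+:", line)
        if m:
            pending = (int(m.group(1)), int(m.group(2)))
            continue
        if line.startswith("IPv4 Role-based permissions default:"):
            pending = "default"
            continue
        m = re.match(r"\s+(Permit|Deny) IP", line)
        if m and pending is not None:
            if pending == "default":
                default = m.group(1)
            else:
                cells[pending] = m.group(1)
            pending = None
    return default, cells


def effective_action(src_ip, dst_ip, bindings, default, cells):
    """Classify both ends by SGT and look up the cell; unbound IPs are SGT 0."""
    src_sgt = bindings.get(src_ip, (0, "NONE"))[0]
    dst_sgt = bindings.get(dst_ip, (0, "NONE"))[0]
    return cells.get((src_sgt, dst_sgt), default)


def parse_counters(text):
    """Return {(src, dst): total_hits}; ('*', '*') is the default cell."""
    hits = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 8 and parts[0] != "From":
            src, dst = parts[0], parts[1]
            key = (src if src == "*" else int(src), dst if dst == "*" else int(dst))
            hits[key] = sum(int(x) for x in parts[2:])
    return hits


def unexercised_cells(cells, hits):
    """Configured cells with all-zero counters: installed but never tested by traffic."""
    return sorted(k for k in cells if hits.get(k, 0) == 0)


if __name__ == "__main__":
    bindings = parse_sgt_map(SGT_MAP_OUTPUT)
    default, cells = parse_permissions(PERMISSIONS_OUTPUT)
    hits = parse_counters(COUNTERS_OUTPUT)
    for src, dst in [("10.10.10.11", "10.0.100.30"), ("10.0.100.30", "10.10.10.11")]:
        print(src, "->", dst, effective_action(src, dst, bindings, default, cells))
    print("cells never hit:", unexercised_cells(cells, hits))
```

Note the asymmetry the lookup makes visible: KP_USERS to Auditors is denied, but nothing stops 10.0.100.30 (Auditors) from reaching 10.10.10.11, because there is no 9-to-2002 cell and the default is Permit IP. The three cells reported as never hit are exactly the ones you still need to generate test traffic for before trusting the policy.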

That's it for now. I hope you can use this as a reference for your own lab work.

Take Care!!

/Kim