1-3
Cisco TrustSec Configuration Guide
OL-22192-01
Chapter 1 Cisco TrustSec Overview
Information about Cisco TrustSec Architecture
Cisco TrustSec uses ingress tagging and egress filtering to enforce access control policy in a scalable
manner. Packets entering the domain are tagged with a security group tag (SGT) containing the assigned
security group number of the source device. This packet classification is maintained along the data path
within the Cisco TrustSec domain for the purpose of applying security and other policy criteria. The final
Cisco TrustSec device on the data path, either the endpoint or network egress point, enforces an access
control policy based on the security group of the Cisco TrustSec source device and the security group of
the final Cisco TrustSec device. Unlike traditional access control lists based on network addresses, Cisco
TrustSec access control policies are a form of role-based access control lists (RBACLs) called security
group access control lists (SGACLs).
Note: Ingress refers to packets entering the first Cisco TrustSec-capable device encountered by a packet on its path to the destination, and egress refers to packets leaving the last Cisco TrustSec-capable device on the path.
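As an added illustration (not from the Cisco guide), the following Python model shows the ingress tagging and egress SGACL enforcement described above: the first device classifies the source and stamps an SGT, the tag travels with the packet, and the last device decides by (source SGT, destination SGT) rather than by address. The security group numbers, addresses and SGACL entries are constructed for this example.

```python
"""Model of Cisco TrustSec SGT tagging and egress SGACL enforcement.

Added example, not the guide's own code. Security group numbers, host
addresses and SGACL entries below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Ingress classification: source device -> security group number (SGT).
# Constructed; in TrustSec this comes from device/user authentication.
SGT_BY_DEVICE = {"10.1.1.10": 10, "10.1.1.11": 10, "10.2.2.20": 20, "10.9.9.99": 30}

# SGACL keyed by (source SGT, destination SGT). Each entry is
# (protocol, destination port or None for any, action); first match wins.
SGACL = {
    (10, 20): [("tcp", 443, "permit"), ("tcp", None, "deny")],
    (20, 10): [("icmp", None, "permit")],
}
DEFAULT_ACTION = "deny"  # no matching policy: fail closed


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    sgt: Optional[int] = None  # set at ingress, carried along the data path


def ingress_tag(pkt: Packet) -> Packet:
    """First TrustSec-capable device: classify the source and tag the packet."""
    sgt = SGT_BY_DEVICE.get(pkt.src_ip)
    if sgt is None:
        raise ValueError(f"unknown or unauthenticated source {pkt.src_ip}")
    return Packet(pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dst_port, sgt)


def egress_enforce(pkt: Packet) -> str:
    """Last TrustSec device: look up the SGACL by (src SGT, dst SGT)."""
    dst_sgt = SGT_BY_DEVICE.get(pkt.dst_ip)
    if pkt.sgt is None or dst_sgt is None:
        return DEFAULT_ACTION  # untagged or unknown role: deny
    for proto, port, action in SGACL.get((pkt.sgt, dst_sgt), []):
        if proto == pkt.proto and (port is None or port == pkt.dst_port):
            return action
    return DEFAULT_ACTION


def forward(src: str, dst: str, proto: str, port: int) -> str:
    """Run a packet through ingress tagging and egress enforcement."""
    return egress_enforce(ingress_tag(Packet(src, dst, proto, port)))
```

Two hosts in the same security group (10.1.1.10 and 10.1.1.11) receive identical treatment even though their addresses differ, which is the role-based property that distinguishes SGACLs from address-based ACLs.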
Authentication
This section includes the following topics:
Cisco TrustSec and Authentication, page 1-3
Device Identities, page 1-6
Device Credentials, page 1-6
User Credentials, page 1-6
Cisco TrustSec and Authentication
Using Network Device Admission Control (NDAC), Cisco TrustSec authenticates a device before
allowing it to join the network. NDAC uses 802.1X authentication with Extensible Authentication
Protocol Flexible Authentication via Secure Tunnel (EAP-FAST) as the Extensible Authentication
Protocol (EAP) method to perform the authentication. EAP-FAST conversations provide for other EAP
method exchanges inside the EAP-FAST tunnel using chains. Administrators can use traditional
user-authentication methods, such as Microsoft Challenge Handshake Authentication Protocol Version
2 (MSCHAPv2), while still having security provided by the EAP-FAST tunnel. During the EAP-FAST
exchange, the authentication server creates and delivers to the supplicant a unique protected access
credential (PAC) that contains a shared key and an encrypted token to be used for future secure
communications with the authentication server. Figure 1-2 shows the EAP-FAST tunnel and inner
methods as used in Cisco TrustSec.