7-64
Cisco TrustSec Configuration Guide
OL-22192-01
Chapter 7 Cisco TrustSec Command Summary
policy (cts manual interface configuration submode)
If the policy dynamic command is configured and the authorization policy downloaded from the authentication server indicates that the packet source is untrusted, the SGT is replaced with the SGT specified by the downloaded policy.
The authorization policy can specify the peer's SGT, the trust state of the peer's SGT assignment, RBACLs for the associated peer SGT, and an interface ACL.
If the policy dynamic command is configured and the downloaded policy indicates that the packet source is trusted, no change is made to the SGT.
For statically configured SGTs, no RBACL is applied, but a traditional interface ACL can be configured separately for traffic filtering if required.
Examples
The following example applies SGT 3 to incoming traffic from the peer, except for traffic that is already tagged (the interface has no communication with a Cisco Secure ACS server):
Router# configure terminal
Router(config)# interface gi2/1
Router(config-if)# cts manual
Router(config-if-cts-manual)# sap pmk 1234abcdef mode-list gcm null no-encap
Router(config-if-cts-manual)# policy static sgt 3 trusted
Router(config-if-cts-manual)# exit
Router(config-if)# shutdown
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# exit
Router# show cts interface GigabitEthernet 2/1
Global Dot1x feature is Enabled
Interface GigabitEthernet2/1:
    CTS is enabled, mode: MANUAL
    IFC state: OPEN
    Authentication Status: NOT APPLICABLE
        Peer identity: "unknown"
        Peer's advertised capabilities: "sap"
    Authorization Status: SUCCEEDED
        Peer SGT: 3
        Peer SGT assignment: Trusted
    SAP Status: SUCCEEDED
        Version: 1
        Configured pairwise ciphers:
            gcm-encrypt
            null
        Replay protection: enabled
        Replay protection mode: STRICT
        Selected cipher: gcm-encrypt
    Propagate SGT: Enabled
    Cache Info:
        Cache applied to link : NONE
    Statistics:
        authc success: 0
        authc reject: 0
        authc failure: 0
        authc no response: 0
        authc logoff: 0
        sap success: 1
        sap fail: 0
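
The following is an added example, not part of the Cisco guide or any Cisco tool: a small Python check that parses `show cts interface` output like the listing above and reports the settings a reviewer would look at on a manually configured link (SAP result, selected cipher, replay protection, SGT trust). The function names `parse_cts_interface` and `audit` are hypothetical, and the sample text is constructed from the output shown on this page.

```python
# Added example: audit "show cts interface" output (not Cisco code).
# SAMPLE is constructed from the output shown on this page.
SAMPLE = """\
CTS is enabled, mode: MANUAL
Peer SGT: 3
Peer SGT assignment: Trusted
SAP Status: SUCCEEDED
Configured pairwise ciphers:
gcm-encrypt
null
Replay protection: enabled
Replay protection mode: STRICT
Selected cipher: gcm-encrypt
"""

def parse_cts_interface(text):
    """Return (fields, configured_ciphers) from show-command output."""
    fields, ciphers, in_ciphers = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()  # tolerate indented or flattened output
        if not line:
            continue
        if line.rstrip(":").lower() == "configured pairwise ciphers":
            in_ciphers = True  # following bare lines are cipher names
            continue
        if ":" in line:
            in_ciphers = False
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip().strip('"')
        elif in_ciphers:
            ciphers.append(line.lower())
    return fields, ciphers

def audit(text):
    """List the points a reviewer would raise for one interface."""
    fields, ciphers = parse_cts_interface(text)
    findings = []
    if fields.get("sap status", "").upper() != "SUCCEEDED":
        findings.append("SAP did not succeed on this link")
    if fields.get("selected cipher", "").lower() == "null":
        findings.append("selected cipher is null")
    elif "null" in ciphers:
        findings.append("null is present in the configured cipher list")
    if fields.get("replay protection", "").lower() != "enabled":
        findings.append("replay protection is not enabled")
    if fields.get("peer sgt assignment", "").lower() == "trusted":
        findings.append("peer SGT is trusted: tags from the peer are kept")
    return findings
```

For the output on this page, `audit` reports two points: `null` appears in the configured cipher list alongside `gcm-encrypt`, and the peer is marked trusted, so tags it sends are not replaced by SGT 3.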
