Cisco TrustSec Configuration Guide
OL-22192-01
Chapter 7 Cisco TrustSec Command Summary
sap (cts dot1x interface submode)
Use the sap mode-list command to select the Security Association Protocol (SAP) authentication and
encryption modes to negotiate link encryption between two interfaces. Use the no form of the command
to remove a modelist and revert to the default.
[no] sap mode-list {gcm-encrypt | gmac | no-encap | null} [gcm-encrypt | gmac | no-encap | null] ...
Syntax Description
mode-list      Lists advertised SAP authentication and encryption modes (prioritized from
               highest to lowest)
gcm-encrypt    Specifies GMAC authentication, GCM encryption
gmac           Specifies GMAC authentication only, no encryption
no-encap       Specifies no encapsulation
null           Specifies encapsulation present, no authentication, no encryption

Defaults
The default encryption is sap mode-list gcm-encrypt null. When the peer interface does not support
dot1x, 802.1AE MACsec, or 802.REV layer-2 link encryption, the default encryption is null.

Command Modes
CTS dot1x interface submode (config-if-cts-dot1x)

Supported User Roles
Administrator

Command History
Release            Modification
12.2(50) SY        This command was introduced on the Catalyst 6500 Series Switches.
IOS-XE 3.3.0 SG    This command was introduced on the Catalyst 4500 Series Switches.
IOS 15.0(1) SE     This command was introduced on the Catalyst 3000 Series Switches.

Usage Guidelines
Use the sap mode-list command to specify the authentication and encryption method to use during
Dot1x authentication.
The Security Association Protocol (SAP) is an encryption key derivation and exchange protocol based
on a draft version of the 802.11i IEEE protocol. SAP is used to establish and maintain the 802.1AE
link-to-link encryption (MACsec) between interfaces that support MACsec.
Before the SAP exchange begins after a Dot1x authentication, both sides (supplicant and authenticator)
have received the Pairwise Master Key (PMK) and the MAC address of the peer's port from the Cisco
Secure Access Control Server (Cisco Secure ACS). If 802.1X authentication is not possible, SAP and
the PMK can be manually configured between two interfaces in CTS manual configuration mode.
If a device is running CTS-aware software but the hardware is not CTS-capable, disallow encapsulation
with the sap mode-list no-encap command.
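
Because the mode list can advertise modes without encryption or authentication, and the default list itself includes null, it is worth auditing per interface. The Python below is an added example, not part of the Cisco guide: it reads running-config text and reports, for each interface with a cts dot1x block, which advertised modes lack encryption or authentication, applying the documented default when no sap mode-list line is present. The function name audit_sap_modes, the constructed sample configuration and the indented running-config layout it expects are assumptions.

```python
# (authenticates, encrypts) per SAP mode, from the Syntax Description above.
MODES = {"gcm-encrypt": (True, True), "gmac": (True, False),
         "null": (False, False), "no-encap": (False, False)}
DEFAULT_MODE_LIST = ["gcm-encrypt", "null"]  # default stated under Defaults

# Constructed sample; assumes the usual indented running-config layout.
SAMPLE_CONFIG = """\
interface TenGigabitEthernet1/1
 cts dot1x
  sap mode-list gcm-encrypt
!
interface TenGigabitEthernet1/2
 cts dot1x
  sap mode-list gcm-encrypt gmac null
!
interface TenGigabitEthernet1/3
 cts dot1x
!
interface TenGigabitEthernet1/4
 description uplink without CTS
!
"""

def audit_sap_modes(config_text):
    """Map each cts dot1x interface to its mode list and the weaker modes in it."""
    lists, iface, in_dot1x = {}, None, False
    for raw in config_text.splitlines():
        words = raw.split()
        if raw.startswith("interface ") and len(words) > 1:
            iface, in_dot1x = words[1], False
        elif not raw.startswith(" "):
            iface, in_dot1x = None, False          # left the interface block
        elif iface and words == ["cts", "dot1x"]:
            in_dot1x = True
            lists[iface] = list(DEFAULT_MODE_LIST)  # applies unless overridden
        elif in_dot1x and words[:2] == ["sap", "mode-list"]:
            unknown = [m for m in words[2:] if m not in MODES]
            if unknown or len(words) < 3:
                raise ValueError(f"{iface}: bad SAP mode list {words[2:]}")
            lists[iface] = words[2:]
    return {i: {"modes": m,
                "no_encrypt": [x for x in m if not MODES[x][1]],
                "no_auth": [x for x in m if not MODES[x][0]]}
            for i, m in lists.items()}

if __name__ == "__main__":
    for iface, r in audit_sap_modes(SAMPLE_CONFIG).items():
        print(iface, " ".join(r["modes"]), "| unencrypted modes:", r["no_encrypt"] or "none")
```

An interface that relies on the default shows null in its no_encrypt list; only a list consisting solely of gcm-encrypt comes back with both lists empty.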
