1-6
Cisco TrustSec Configuration Guide
OL-22192-01
Chapter 1 Cisco TrustSec Overview
Information about Cisco TrustSec Architecture
At the end of the Cisco TrustSec authentication process, both the authenticator and the supplicant know the following:
- Device ID of the peer
- Cisco TrustSec capability information of the peer
- Key used for the SAP
Device Identities
Cisco TrustSec does not use IP addresses or MAC addresses as device identities. Instead, you assign a name (device ID) to each Cisco TrustSec-capable switch to identify it uniquely in the Cisco TrustSec domain. This device ID is used for the following:
- Looking up the authorization policy
- Looking up passwords in the databases during authentication
Device Credentials
Cisco TrustSec supports password-based credentials. Cisco TrustSec authenticates the supplicants
through passwords and uses MSCHAPv2 to provide mutual authentication.
The authentication server uses these credentials to mutually authenticate the supplicant during the
EAP-FAST phase 0 (provisioning) exchange where a PAC is provisioned in the supplicant. Cisco
TrustSec does not perform the EAP-FAST phase 0 exchange again until the PAC expires, and only
performs EAP-FAST phase 1 and phase 2 exchanges for future link bringups. The EAP-FAST phase 1
exchange uses the PAC to mutually authenticate the authentication server and the supplicant. Cisco
TrustSec uses the device credentials only during the PAC provisioning (or reprovisioning) steps.
When the supplicant first joins the Cisco TrustSec domain, the authentication server authenticates the
supplicant and pushes a shared key and encrypted token to the supplicant with the PAC. The
authentication server and the supplicant use this key and token for mutual authentication in all future
EAP-FAST phase 0 exchanges.
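The following Python model is an added illustration, not code from the Cisco guide or from any Cisco product. It walks through the sequence described in the Device Identities and Device Credentials sections: the authentication server keeps passwords and authorization policy keyed by device ID (never by IP or MAC), a supplicant that holds no PAC runs a password-based phase 0 exchange and receives a PAC with a shared key and an opaque token, later link bring-ups use only the PAC (phase 1), and an expired PAC forces phase 0 again. Everything concrete here is constructed for the example: MSCHAPv2 is stood in for by an HMAC challenge/response, the PAC-Opaque and PAC-Key are derived from a server secret so the server stays stateless, and the device name, password and PAC lifetime are made up.

```python
"""Simplified model of TrustSec device authentication (added example, not Cisco code).
Mutual password authentication is modelled as HMAC challenge/response, not MSCHAPv2."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PAC_LIFETIME = 3600  # constructed value: seconds a PAC stays valid in this model


def _mac(key: bytes, *parts: bytes) -> bytes:
    """Keyed MAC over the concatenated parts; used for every proof in the model."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


@dataclass
class PAC:
    device_id: str
    expires_at: int
    opaque: bytes   # server-verifiable token (stands in for the PAC-Opaque)
    key: bytes      # shared key pushed to the supplicant (stands in for the PAC-Key)


class AuthServer:
    def __init__(self, devices):
        # Device database keyed by device ID: password and authorization policy.
        self.devices = devices          # device_id -> {"password": bytes, "policy": str}
        self.server_key = os.urandom(32)
        self.phase0_runs = 0            # how many provisioning exchanges happened

    def _pac_key(self, device_id, expires_at):
        return _mac(self.server_key, b"pac-key", device_id.encode(), str(expires_at).encode())

    def _pac_opaque(self, device_id, expires_at):
        return _mac(self.server_key, b"pac-opaque", device_id.encode(), str(expires_at).encode())

    def phase0(self, device_id, supplicant, now):
        """Provisioning: password lookup by device ID, mutual auth, then hand out a PAC."""
        entry = self.devices.get(device_id)
        if entry is None:
            raise PermissionError("unknown device ID")
        challenge = os.urandom(16)
        expected = _mac(entry["password"], b"supplicant", challenge)
        if not hmac.compare_digest(supplicant.password_proof(challenge), expected):
            raise PermissionError("supplicant failed password authentication")
        self.phase0_runs += 1
        expires_at = now + PAC_LIFETIME
        pac = PAC(device_id, expires_at,
                  self._pac_opaque(device_id, expires_at),
                  self._pac_key(device_id, expires_at))
        server_proof = _mac(entry["password"], b"server", challenge)  # lets the supplicant verify us
        return challenge, server_proof, pac

    def phase1(self, pac, supplicant, now):
        """Link bring-up: PAC-based mutual auth, then policy lookup by device ID."""
        if now >= pac.expires_at:
            raise TimeoutError("PAC expired; phase 0 must run again")
        if not hmac.compare_digest(pac.opaque, self._pac_opaque(pac.device_id, pac.expires_at)):
            raise PermissionError("PAC was not issued by this server")
        key = self._pac_key(pac.device_id, pac.expires_at)   # re-derived, nothing stored per device
        nonce = os.urandom(16)
        if not hmac.compare_digest(supplicant.pac_proof(nonce), _mac(key, b"supplicant", nonce)):
            raise PermissionError("supplicant does not hold the PAC key")
        policy = self.devices[pac.device_id]["policy"]        # authorization policy by device ID
        return nonce, _mac(key, b"server", nonce), policy


class Supplicant:
    def __init__(self, device_id, password):
        self.device_id, self.password, self.pac = device_id, password, None

    def password_proof(self, challenge):
        return _mac(self.password, b"supplicant", challenge)

    def pac_proof(self, nonce):
        return _mac(self.pac.key, b"supplicant", nonce)

    def bring_up_link(self, server, now):
        """Use the PAC if present and unexpired; otherwise (re)provision with the password first."""
        if self.pac is None or now >= self.pac.expires_at:
            challenge, server_proof, pac = server.phase0(self.device_id, self, now)
            if not hmac.compare_digest(server_proof, _mac(self.password, b"server", challenge)):
                raise PermissionError("server failed password authentication")
            self.pac = pac
        nonce, server_proof, policy = server.phase1(self.pac, self, now)
        if not hmac.compare_digest(server_proof, _mac(self.pac.key, b"server", nonce)):
            raise PermissionError("server does not hold the PAC key")
        return policy


def demo():
    """Three link bring-ups: first join, a later one, and one after the PAC has expired."""
    server = AuthServer({"switch-a": {"password": b"constructed-secret", "policy": "uplink-trusted"}})
    sup = Supplicant("switch-a", b"constructed-secret")
    t0 = 1_000_000
    policies = [sup.bring_up_link(server, t0),                   # phase 0 + phase 1
                sup.bring_up_link(server, t0 + 60),              # phase 1 only
                sup.bring_up_link(server, t0 + PAC_LIFETIME + 1)]  # PAC expired: phase 0 again
    return policies, server.phase0_runs


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the password being consulted only twice across three bring-ups (initial provisioning and reprovisioning after expiry), while the authorization policy is returned every time by device ID. A PAC presented to a different server instance is rejected at the opaque-token check, which is the property that lets a server hand out PACs without keeping per-device state.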
User Credentials
Cisco TrustSec does not require a specific type of user credential for endpoint devices. You can choose
any type of user authentication method that is supported by the authentication server, and use the
corresponding credentials. For example, the Cisco Secure Access Control System (ACS) version 5.1
supports MSCHAPv2, generic token card (GTC), or RSA one-time password (OTP).