Glossary
GL-2
Cisco TrustSec Configuration Guide
OL-22192-01
M
MACSec
Media Access Control Security based on IEEE 802.1AE to provide hop-to-hop link encryption. A
TrustSec hardware-capable device can establish a MACSec link with a TrustSec hardware-capable
peer.
N
NDAC
Network Device Admission Control. A mutual authentication mechanism between CTS devices, by which each
device authenticates and authorizes its peer using an 802.1X process. EAP-FAST is used as the EAP type.
Non-seed Device
Non-seed devices do not have direct IP connectivity to the Cisco Secure ACS and require other devices
to authenticate and authorize them onto the TrustSec network, such as a seed device or a device already
enrolled in the TrustSec network.
R
RBAC
Role-based Access Control. An access control mechanism based on the role of the endpoints. RBAC differs
from group-based access control in the sense that RBAC can take multiple role factors into account to derive
the final policy for a particular entity.
RBACL
Role-based Access Control List. Often used to characterize SGACL because TrustSec uses the RBAC
features of the Cisco Secure ACS.
S
SAP
Security Association Protocol. Negotiates the keys and cipher suite for link encryption after successful
authentication and authorization through NDAC. SAP is derived from the 802.11i standard. SAP negotiation
can be initiated automatically after the NDAC process, or the PMK can be statically configured on an
interface.
Seed Device
The seed device is the first TrustSec hardware-capable device to authenticate against the Cisco Secure
ACS for TrustSec policy authorization. The seed device becomes the authenticator for the next TrustSec
supplicant device, which in turn becomes an authenticator to its supplicant devices.
SGACL
Security Group Access Control List. A Layer 3 to Layer 4 access control list that filters according to
the value of SGTs. Usually, filtering occurs at an egress port of the CTS domain.
SGT
Security Group Tag. A Layer-2 tag inserted in an Ethernet frame to classify traffic based on role. The
tag process occurs at the ingress of the CTS domain. SGTs are defined in the Cisco Secure ACS
configuration.
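As an added illustration of the SGT and SGACL entries above (example code, not from the Cisco guide): a small Python model in which the SGT is inserted at the ingress of the CTS domain and a Layer 3/Layer 4 SGACL keyed on the (source SGT, destination SGT) pair is applied at the egress port, with an unmatched pair falling to a default deny. All tag values, IP addresses and policy rows are constructed for the example.

```python
"""Added example, not from the Cisco guide: a minimal model of TrustSec
SGT classification at ingress and SGACL enforcement at egress.
Tag values, addresses and policy rows are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed IP-to-SGT assignments, standing in for what Cisco Secure ACS
# would push to the switches. The tag numbers are made up.
INGRESS_SGT = {"10.1.1.10": 10,   # employee workstation
               "10.1.1.20": 20,   # contractor laptop
               "10.2.2.5": 30}    # HR database server

# Constructed SGACL matrix keyed by (source SGT, destination SGT).
# Each rule is (action, protocol, destination port or None for any port).
# A missing cell means the default policy applies (deny here).
SGACL = {
    (10, 30): [("permit", "tcp", 443), ("permit", "tcp", 1433), ("deny", "ip", None)],
    (20, 30): [("permit", "tcp", 443), ("deny", "ip", None)],
}
DEFAULT_ACTION = "deny"

@dataclass
class Frame:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: Optional[int] = None
    sgt: Optional[int] = None   # filled in at the ingress edge

def classify_ingress(frame: Frame) -> Frame:
    """Ingress of the CTS domain: tag the frame with the source's SGT."""
    frame.sgt = INGRESS_SGT.get(frame.src_ip, 0)   # 0 = unknown source
    return frame

def enforce_egress(frame: Frame) -> str:
    """Egress port: look up (src SGT, dst SGT) and apply the L3/L4 rules."""
    dst_sgt = INGRESS_SGT.get(frame.dst_ip, 0)
    for action, proto, port in SGACL.get((frame.sgt, dst_sgt), []):
        if proto != "ip" and proto != frame.proto:
            continue
        if port is not None and port != frame.dst_port:
            continue
        return action          # first match wins, as in an ACL
    return DEFAULT_ACTION      # no cell or no matching rule

def forward(frame: Frame) -> str:
    """Full path of one frame: ingress tagging, then egress enforcement."""
    return enforce_egress(classify_ingress(frame))
```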