1-12
Cisco TrustSec Configuration Guide
OL-22192-01
Chapter 1 Cisco TrustSec Overview
Information about Cisco TrustSec Architecture
RADIUS Relay Functionality
The switch that plays the Cisco TrustSec authenticator role in the 802.1X authentication process
has IP connectivity to the authentication server, so it can acquire policy and authorization from the
authentication server by exchanging RADIUS messages over UDP/IP. The supplicant device may have no
IP connectivity to the authentication server. In such cases, Cisco TrustSec allows the authenticator
to act as a RADIUS relay for the supplicant.
The supplicant sends a special EAPOL message to the authenticator that contains the RADIUS server IP
address and UDP port and the complete RADIUS request. The authenticator extracts the RADIUS request
from the received EAPOL message and sends it over UDP/IP to the authentication server. When the
RADIUS response returns from the authentication server, the authenticator forwards it back to the
supplicant, encapsulated in an EAPOL frame. The authenticator therefore only moves the request and the
response between EAPOL on the link and UDP/IP; the RADIUS exchange itself takes place between the
supplicant and the authentication server.
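The exchange described above, modelled end to end as an added example (constructed here, not Cisco's code and not taken from the guide). The RADIUS packet layout follows RFC 2865, including the Response Authenticator check the supplicant performs on the reply. The EAPOL packet type value and the layout of the relay body (IPv4 address, UDP port, then the complete RADIUS packet) are assumptions, because the page says the EAPOL message carries those fields but not how they are encoded; the server, the shared secret, the user names and the allow-list are constructed sample data. The allow-list check in the authenticator is an added caveat: without it, any supplicant on the link could use the switch as an open UDP relay to arbitrary hosts.

```python
"""Model of the TrustSec RADIUS relay: supplicant -> EAPOL -> authenticator -> UDP/IP -> server.
Constructed illustration, not Cisco's code. RADIUS layout per RFC 2865; the EAPOL type value
and the relay body layout (IPv4, UDP port, RADIUS packet) are assumptions, not from the page."""
import hashlib
import hmac
import os
import socket
import struct
from typing import Callable, Dict, Optional, Set, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_EAP_MESSAGE = 1, 79
EAPOL_VERSION = 3
EAPOL_TYPE_RADIUS_RELAY = 0xF0  # hypothetical value; the real type is not given on this page


def radius_attr(atype: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type(1) Length(1, includes header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(attrs: bytes) -> Dict[int, bytes]:
    out: Dict[int, bytes] = {}
    while attrs:
        if len(attrs) < 2 or attrs[1] < 2 or attrs[1] > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        out[attrs[0]] = attrs[2:attrs[1]]
        attrs = attrs[attrs[1]:]
    return out


def radius_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """RFC 2865 header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_radius(pkt: bytes) -> Tuple[int, int, bytes, bytes]:
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than its header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):  # the Length field must match what was actually carried
        raise ValueError("RADIUS Length field mismatch")
    return code, ident, pkt[4:20], pkt[20:]


def eapol_relay_frame(server_ip: str, server_port: int, radius: bytes) -> bytes:
    """Supplicant side: EAPOL header + assumed relay body (IPv4, port, complete RADIUS packet)."""
    body = socket.inet_aton(server_ip) + struct.pack("!H", server_port) + radius
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_RADIUS_RELAY, len(body)) + body


def authenticator_relay(frame: bytes, allowed_servers: Set[Tuple[str, int]],
                        send_udp: Callable[[str, int, bytes], bytes]) -> bytes:
    """Authenticator side: unwrap the EAPOL frame, forward over UDP/IP, wrap the reply in EAPOL."""
    _, ptype, blen = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_RADIUS_RELAY or blen != len(frame) - 4 or blen < 26:
        raise ValueError("not a well-formed relay frame")
    body = frame[4:]
    ip, port = socket.inet_ntoa(body[:4]), struct.unpack("!H", body[4:6])[0]
    # Added check: relay only to configured authentication servers, otherwise any
    # supplicant on the link could use the switch as an open UDP relay.
    if (ip, port) not in allowed_servers:
        raise PermissionError(f"refusing to relay to {ip}:{port}")
    code, _, _, _ = parse_radius(body[6:])
    if code != ACCESS_REQUEST:
        raise ValueError("only Access-Request is relayed")
    reply = send_udp(ip, port, body[6:])
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_RADIUS_RELAY, 6 + len(reply)) + body[:6] + reply


def make_server(secret: bytes, accepted_users: Set[bytes]) -> Callable[[str, int, bytes], bytes]:
    """Constructed stand-in for the UDP transport plus the authentication server."""
    def send_udp(ip: str, port: int, request: bytes) -> bytes:
        _, ident, req_auth, attrs = parse_radius(request)
        user = parse_attrs(attrs).get(ATTR_USER_NAME, b"")
        code = ACCESS_ACCEPT if user in accepted_users else ACCESS_REJECT
        eap = b"\x03\x01\x00\x04" if code == ACCESS_ACCEPT else b"\x04\x01\x00\x04"  # EAP Success / Failure
        rattrs = radius_attr(ATTR_EAP_MESSAGE, eap)
        head = struct.pack("!BBH", code, ident, 20 + len(rattrs))
        # RFC 2865 Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
        return head + hashlib.md5(head + req_auth + rattrs + secret).digest() + rattrs
    return send_udp


def supplicant_check_reply(frame: bytes, request: bytes, secret: bytes) -> int:
    """Supplicant side: unwrap the EAPOL frame and verify the Response Authenticator."""
    reply = frame[10:]  # skip the EAPOL header (4) and the echoed server address/port (6)
    code, ident, resp_auth, attrs = parse_radius(reply)
    _, req_ident, req_auth, _ = parse_radius(request)
    expected = hashlib.md5(reply[:4] + req_auth + attrs + secret).digest()
    if ident != req_ident or not hmac.compare_digest(expected, resp_auth):
        raise ValueError("reply failed the Response Authenticator check")
    return code


def run_exchange(user: bytes, server: Tuple[str, int] = ("10.0.0.5", 1812),
                 allowed: Optional[Set[Tuple[str, int]]] = None, secret: bytes = b"constructed-secret") -> int:
    """Drive one relayed Access-Request; returns the RADIUS reply code as seen by the supplicant."""
    eap_identity = b"\x02\x01" + struct.pack("!H", 5 + len(user)) + b"\x01" + user  # EAP Response/Identity
    attrs = radius_attr(ATTR_USER_NAME, user) + radius_attr(ATTR_EAP_MESSAGE, eap_identity)
    request = radius_packet(ACCESS_REQUEST, 7, os.urandom(16), attrs)
    frame = eapol_relay_frame(server[0], server[1], request)
    reply_frame = authenticator_relay(frame, allowed if allowed is not None else {server},
                                      make_server(secret, {b"sw-access-1"}))
    return supplicant_check_reply(reply_frame, request, secret)


if __name__ == "__main__":
    print(run_exchange(b"sw-access-1"))     # 2 (Access-Accept)
    print(run_exchange(b"unknown-switch"))  # 3 (Access-Reject)
```

Note the division of trust the model makes explicit: the supplicant, not the authenticator, holds the RADIUS shared secret and validates the Response Authenticator, so a relay that tampers with the reply is detected by the supplicant; the authenticator's own responsibility is limited to well-formedness and to refusing destinations that are not its configured authentication servers.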
Link Security
When both sides of a link support 802.1AE Media Access Control Security (MACsec), a Security
Association Protocol (SAP) negotiation is performed. An EAPOL-Key exchange occurs between the
supplicant and the authenticator to negotiate a cipher suite, exchange security parameters, and manage
keys. Successful completion of all three tasks results in the establishment of a security association (SA).
Depending on your software version, crypto licensing, and link hardware support, SAP negotiation can
use one of the following modes of operation:
• Galois/Counter Mode (GCM)—Specifies authentication and encryption
• GCM authentication (GMAC)—Specifies authentication and no encryption (frames are integrity-protected but carried in clear text)
• No Encapsulation—Specifies no encapsulation (clear text, with no MACsec header and no integrity protection)
• Null—Specifies encapsulation, no authentication and no encryption
All modes except No Encapsulation require Cisco TrustSec-capable hardware. Only GCM protects the
confidentiality of traffic on the link; GMAC protects its integrity and origin only, and Null and No
Encapsulation protect neither.
For Cisco Catalyst 6500 series switches running Cisco IOS Release 12.2(50)SY and later releases, Cisco
TrustSec uses AES-128 GCM and GMAC, compliant with the IEEE 802.1AE standard.