Name: Cisco TrustSec
Brand: Cisco
Rating: 4 (1 reviews)

To Next Page

To Previous Page

3-3

Cisco TrustSec Configuration Guide

OL-22192-02

Chapter 3 Configuring Identities, Connections, and SGTs

Configuring Credentials and AAA for a Cisco TrustSec Non-Seed Device

Note You must also configure the Cisco TrustSec credentials for the switch on the Cisco Identity Services

Engine (Cisco ISE) or the Cisco Secure Access Control Server (Cisco ACS).

Configuration Examples for Seed Device

Catalyst 6500 configured as a Cisco TrustSec seed device:

Router# cts credentials id Switch1 password Cisco123

Router# configure terminal

Router(config)# aaa new-model

Router(config)# aaa authentication dot1x default group radius

Router(config)# aaa authorization network MLIST group radius

Router(config)# cts authorization list MLIST

Router(config)# aaa accounting dot1x default start-stop group radius

Router(config)# radius-server host 10.20.3.1 auth-port 1812 acct-port 1813 pac key AbCe1234

Router(config)# radius-server vsa send authentication

Router(config)# dot1x system-auth-control

Router(config)# exit

Configuring Credentials and AAA for a Cisco TrustSec Non-Seed

Device

To enable NDAC and AAA on a non-seed switch so that it can join the Cisco TrustSec domain, perform

these steps:

Detailed Steps for Catalyst 6500

Command Purpose

Step 1

Router# cts credentials id device-id

password password

Specifies the Cisco TrustSec device ID and password

for this switch to use when authenticating with other

Cisco TrustSec devices with EAP-FAST. The

device-id argument has a maximum length of 32

characters and is case sensitive.

Step 2

Router# configure terminal

Enters global configuration mode.

Step 3

Router(config)# aaa new-model

Enables AAA.

Step 4

Router(config)# aaa authentication dot1x

default group radius

Specifies the 802.1X port-based authentication

method as RADIUS.

Step 5

Router(config)# aaa authorization

network mlist group radius

Configures the switch to use RADIUS authorization

for all network-related service requests.

• mlist—Specifies a Cisco TrustSec AAA server

group.

Step 6

Router(config)# aaa accounting dot1x

default start-stop group radius

Enables 802.1X accounting using RADIUS.

Questions and Answers:

Need help?

Do you have a question about the Cisco TrustSec and is the answer not in the manual?

Cisco TrustSec Specifications

General

Category	Network Security
Functionality	Provides role-based access control, network segmentation, and policy enforcement.
Key Components	Security Group Tags (SGT), Security Exchange Protocol (SXP).
Authentication Methods	802.1X, MAC Authentication Bypass (MAB), Web Authentication
Security Group Tagging (SGT)	Assigns security group tags to users and devices for identity-based segmentation.
Security Exchange Protocol (SXP)	A protocol used to propagate SGT information across network devices.
Policy Enforcement	Enforces security policies based on SGTs and SGACLs.
Benefits	Enhanced security, simplified policy management, and improved compliance.
Encryption	Supports encryption for data in transit through IPsec and MACsec.
Scalability	Scalable to large enterprise networks with thousands of devices.
Compatibility	Compatible with a wide range of Cisco network devices.
Description	Cisco TrustSec is a security architecture framework designed to build secure networks. It uses identity-based access control to segment the network and enforce policies based on user roles and device types, rather than relying solely on IP addresses.