Name: Cisco TrustSec
Brand: Cisco
Rating: 4 (1 reviews)

To Next Page

To Previous Page

CHAPTER

6-1

Cisco TrustSec Configuration Guide

OL-22192-01

Configuring Endpoint Admission Control

Revised: May 28, 2010, OL-22192-01

This chapter contains the following sections:

• Information About Endpoint Admission Control

• Basic EAC Configuration Sequence

• 802.1X Authentication Configuration

• MAC Authentication Bypass Configuration

• Web Authentication Proxy Configuration

• Flexible Authentication Sequence and Failover Configuration

• 802.1X Host Modes

• Pre-Authentication Open Access

• DHCP Snooping and SGT Assignment

• Cisco TrustSec Endpoint Access Control Feature Histories

Information About Endpoint Admission Control

In TrustSec networks, packets are filtered at the egress, not the ingress to the network. In TrustSec

endpoint authentication, a host accessing the TrustSec domain (endpoint IP address) is associated with

a Security Group Tag (SGT) at the access device through DHCP snooping and IP device tracking. The

access device transmits that association (binding) through SXP to TrustSec hardware-capable egress

devices, which maintain a continually updated table of Source IP to SGT bindings. Packets are filtered

on egress by the TrustSec hardware-capable devices by applying security group ACLS (SGACLs).

Endpoint Admission Control (EAC) access methods for authentication and authorization can include the

following:

• 802.1X port-based Authentication

• MAC Authentication Bypass (MAB)

• Web Authentication (WebAuth)

All port-based authentication can be enabled with the authentication command. Each access method

must be configured individually per port. The flexible authentication sequence and failover features

permit the administrator to specify the failover and fallback sequence when multiple authentication

modes are configured and the active method fails. The 802.1X host mode determines how many endpoint

hosts can be attached per 802.1X port.

Questions and Answers:

Need help?

Do you have a question about the Cisco TrustSec and is the answer not in the manual?

Cisco TrustSec Specifications

General

Category	Network Security
Functionality	Provides role-based access control, network segmentation, and policy enforcement.
Key Components	Security Group Tags (SGT), Security Exchange Protocol (SXP).
Authentication Methods	802.1X, MAC Authentication Bypass (MAB), Web Authentication
Security Group Tagging (SGT)	Assigns security group tags to users and devices for identity-based segmentation.
Security Exchange Protocol (SXP)	A protocol used to propagate SGT information across network devices.
Policy Enforcement	Enforces security policies based on SGTs and SGACLs.
Benefits	Enhanced security, simplified policy management, and improved compliance.
Encryption	Supports encryption for data in transit through IPsec and MACsec.
Scalability	Scalable to large enterprise networks with thousands of devices.
Compatibility	Compatible with a wide range of Cisco network devices.
Description	Cisco TrustSec is a security architecture framework designed to build secure networks. It uses identity-based access control to segment the network and enforce policies based on user roles and device types, rather than relying solely on IP addresses.