1. Manuals
  2. Brands
  3. Cisco Manuals
  4. Switch
  5. TrustSec
  6. Configuration manual

Cisco TrustSec Configuration Manual

Hide thumbs
Table of Contents

Advertisement

Quick Links

Enlarged version
Cisco TrustSec Switch Configuration
Guide
For Cisco Catalyst Switches
Updated: October 2013
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-22192-02

Advertisement

Table of Contents
loading

Related Manuals for Cisco TrustSec

Summary of Contents for Cisco TrustSec

  • Page 1 Cisco TrustSec Switch Configuration Guide For Cisco Catalyst Switches Updated: October 2013 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL-22192-02...
  • Page 2 CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo,...

  • Page 3: Table Of Contents

    Environment Data Download 1-11 RADIUS Relay Functionality 1-12 Link Security 1-12 Using Cisco TrustSec-Incapable Devices and Networks in a Cisco TrustSec Network 1-13 SXP for SGT Propagation Across Legacy Access Networks 1-13 Layer 3 SGT Transport for Spanning Non-TrustSec Regions 1-14...
  • Page 4 Configuring Credentials and AAA for a Cisco TrustSec Non-Seed Device Configuration Examples for Non-Seed Device Enabling Cisco TrustSec Authentication and MACsec in 802.1X Mode on an Uplink Port Configuration Examples for 802.1X on Uplink Port Configuring Cisco TrustSec and MACsec in Manual Mode on an Uplink Port...
  • Page 5 Creating Syslogs to Capture Changes of IP Address to SGT Mapping Learned Through SXP Verifying the SXP Connections Configuring Layer 3 SGT Transport Between Cisco TrustSec Domains Configuring Cisco TrustSec Reflector for Cisco TrustSec-Incapable Switching Modules Configuring Cisco TrustSec Caching...
  • Page 6 Catalyst 3850 and Catalyst 3650 Switches, and WLC 5700 Wireless LAN Controllers Catalyst 3750-X and Catalyst 3560-X switches Notes for Catalyst 4500 Series Switches Supported Hardware and Software TrustSec SGT and SGACL Configuration Guidelines and Limitations Cisco TrustSec Configuration Guide OL-22192-01...
  • Page 7 Configuration Excerpt of the Global Flow Monitor (IPv4 and IPv6) Configuration Excerpt of the Interface Monitor Flexible NetFlow Show Commands TrustSec System Error Messages FIPS Support TrustSec Considerations when Configuring FIPS Licensing Requirements for FIPS Prerequisites for FIPS Configuration Guidelines and Limitations for FIPS Default Settings for FIPS...
  • Page 8 Contents Cisco TrustSec Configuration Guide viii OL-22192-01...

  • Page 9: Cisco Trustsec Command Summary

    Chapter 6, “Configuring Endpoint Provides 802.1X, MAB, and WebAuth Admission Control” configuration procedures for a TrustSec context. Chapter 7, “Cisco TrustSec Provides a list of Cisco TrustSec CLI commands Command Summary” with brief descriptions. Appendix A, “Notes for Catalyst Describes constraints, limitations, or...
  • Page 10 Means the described action saves time. You can save time by performing the action described in Timesaver the paragraph. Warning Means reader be warned. In this situation, you might perform an action that could result in bodily injury. Cisco TrustSec Switch Configuration Guide OL-22192-02...

  • Page 11: Obtaining Documentation And Submitting A Service Request

    What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html. Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
  • Page 12 Preface Cisco TrustSec Switch Configuration Guide OL-22192-02...

  • Page 13: Cisco Trustsec Overview

    (SGs) as they enter the network. This packet classification is maintained by tagging packets on ingress to the Cisco TrustSec network so that they can be properly identified for the purpose of applying security and other policy criteria along the data path.
  • Page 14 Cisco TrustSec domain. In this example, several networking devices and an endpoint device are inside the Cisco TrustSec domain. One endpoint device and one networking device are outside the domain because they are not Cisco TrustSec-capable devices or because they have been refused access.

  • Page 15: Authentication

    Cisco TrustSec device on the data path, either the endpoint or network egress point, enforces an access control policy based on the security group of the Cisco TrustSec source device and the security group of the final Cisco TrustSec device. Unlike traditional access control lists based on network addresses, Cisco TrustSec access control policies are a form of role-based access control lists (RBACLs) called security group access control lists (SGACLs).
  • Page 16 Chapter 1 Cisco TrustSec Overview Information about Cisco TrustSec Architecture Figure 1-2 Cisco TrustSec Authentication Switch 1 (supplicant) Switch 2 (authenticator) EAP-FAST Tunnel establishment EAP-FAST in 802.1X EAP-FAST in RADIUS One time provisioning Device authentication User authentication EAP-FAST tunnel tear down...
  • Page 17 UDP/IP. When an endpoint device, such as a PC, connects to a network, it is obvious that it should function as a supplicant. However, in the case of a Cisco TrustSec connection between two network devices, the 802.1X role of each network device might not be immediately apparent to the other network device.

  • Page 18: Device Identities

    • Device Identities Cisco TrustSec does not use IP addresses or MAC addresses as device identities. Instead, you assign a name (device ID) to each Cisco TrustSec-capable switch to identify it uniquely in the Cisco TrustSec domain. This device ID is used for the following: •...

  • Page 19: Security Group-Based Access Control

    A security group is a grouping of users, endpoint devices, and resources that share access control policies. Security groups are defined by the administrator in the Cisco ISE or Cisco Secure ACS. As new users and devices are added to the Cisco TrustSec domain, the authentication server assigns these new entities to appropriate security groups.

  • Page 20: Ingress Tagging And Egress Enforcement

    The SGT is propagated with the traffic across the domain. At the egress point of the Cisco TrustSec domain, an egress device uses the source SGT and the security group number of the destination entity (the destination SG, or DGT) to determine which access policy to apply from the SGACL policy matrix.

  • Page 21: Determining The Source Security Group

    A network device at the ingress of Cisco TrustSec domain must determine the SGT of the packet entering the Cisco TrustSec domain so that it can tag the packet with that SGT when it forwards it into the Cisco TrustSec domain. The egress network device must determine the SGT of the packet in order to apply an SGACL.

  • Page 22: Determining The Destination Security Group

    TrustSec device should refresh its policy and authorization before it times out. The device can cache the authentication and policy data and reuse it after a reboot if the data has not expired. In Cisco IOS Release 12.2(33)SXI, only policy data and environment data is cached.

  • Page 23: Environment Data Download

    Cisco TrustSec domain, although you might also manually configure some of the data on a device. For example, you must configure the seed Cisco TrustSec device with the authentication server information, which can later be augmented by the server list that the device acquires from the authentication server.

  • Page 24: Radius Relay Functionality

    Information about Cisco TrustSec Architecture RADIUS Relay Functionality The switch that plays the role of the Cisco TrustSec authenticator in the 802.1X authentication process has IP connectivity to the authentication server, allowing the switch to acquire the policy and authorization from the authentication server by exchanging RADIUS messages over UDP/IP. The supplicant device may not have IP connectivity with the authentication server.

  • Page 25: Using Cisco Trustsec-Incapable Devices And Networks In A Cisco Trustsec Network

    IP-address-to-SGT mappings to a Cisco TrustSec peer device that has Cisco TrustSec-capable hardware. SXP typically operates between ingress access layer devices at the Cisco TrustSec domain edge and distribution layer devices within the Cisco TrustSec domain. The access layer device performs Cisco TrustSec authentication of external source devices to determine the appropriate SGTs for ingress packets.

  • Page 26: Layer 3 Sgt Transport For Spanning Non-Trustsec Regions

    If you do not specify any source IP address, the device will use the interface IP address of the connection to the peer. SXP allows multiple hops. That is, if the peer of a device lacking Cisco TrustSec hardware support also lacks Cisco TrustSec hardware support, the second peer can have an SXP connection to a third peer, continuing the propagation of the IP-to-SGT mapping information until a hardware-capable peer is reached.

  • Page 27: Cisco Trustsec Reflector For Cisco Trustsec-Incapable Switching Modules

    Switch 2 To support Cisco TrustSec Layer 3 SGT Transport, any device that will act as a Cisco TrustSec ingress or egress Layer 3 gateway must maintain a traffic policy database that lists eligible subnets in remote Cisco TrustSec domains as well as any excluded subnets within those regions. You can configure this database manually on each device if they cannot be downloaded automatically from the Cisco Secure ACS.

  • Page 28: Ingress Reflector

    Supported TrustSec Reflector Hardware For further discussion of the Cisco TrustSec Reflector feature and a list of supported hardware, see the document, “Cisco Catalyst 6500 Series with Supervisor Engine 2T: Enabling Cisco TrustSec with Investment Protection,” at the following URL: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11-658388.html...

  • Page 29: Vrf-Aware Sxp

    Chapter 1 Cisco TrustSec Overview Using Cisco TrustSec-Incapable Devices and Networks in a Cisco TrustSec Network VRF-Aware SXP The SXP implementation of Virtual Routing and Forwarding (VRF) binds an SXP connection with a specific VRF. It is assumed that the network topology is correctly configured for Layer 2 or Layer 3 VPNs, with all VRFs configured before enabling Cisco TrustSec.
  • Page 30 Chapter 1 Cisco TrustSec Overview Using Cisco TrustSec-Incapable Devices and Networks in a Cisco TrustSec Network Cisco TrustSec Configuration Guide 1-18 OL-22192-01...

  • Page 31: Configuring The Cisco Trustsec Solution

    Documents.” A network-wide deployment includes the configuration, interoperability, and management of multiple devices, which may include the Cisco Identity Services Engine (Cisco ISE), The Cisco Secure Access Control System (Cisco ACS), Cisco IP Telephones, Cisco routers, Cisco network appliances, etc.

  • Page 32: Supported Hardware And Software

    TrustSec software on all network devices • Connectivity between all network devices • Network availability of the Cisco Secure ACS 5.1, or Cisco ISE operating with a TrustSec license • Directory, DHCP, DNS, certificate authority, and NTP servers functioning in the network •...

  • Page 33: Cisco Trustsec Guidelines And Limitations

    Additional Documentation Cisco TrustSec Guidelines and Limitations Cisco TrustSec has the following guidelines and limitations for Catalyst switches: AAA for Cisco TrustSec uses RADIUS and is supported only by the Cisco Secure Access Control • System (ACS), version 5.1 or later.

  • Page 34: Platform-Specific Documents

    Configuration Guides Nexus 7000 series switches, Release 4.1 and later 802.1X configuration procedures • Cisco Secure Access Control System and Cisco Identity Services Engine Cisco Secure Access Control System Open and resolved caveats Release Notes Cisco TrustSec Configuration Guide OL-22192-01...

  • Page 35: Cisco Ios Trustsec Documentation Set

    SGA, or Security Group Access in ISE documentation. Cisco IOS TrustSec Documentation Set Cisco IOS Document Title Cisco IOS Security Configuration Guide: Securing User Services, Release 12.2SX Securing User Services Configuration Guide Library, Cisco IOS Release 15SY Cisco TrustSec Configuration Guide OL-22192-01...
  • Page 36 Chapter 2 Configuring the Cisco TrustSec Solution Additional Documentation Cisco TrustSec Configuration Guide OL-22192-01...

  • Page 37: Configuring Identities, Connections, And Sgts

    • page 3-24 Cisco TrustSec Identity Configuration Feature Histories For a list of supported TrustSec features per platform and the minimum required IOS release, see the Cisco TrustSec Platform Support Matrix at the following URL: http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html Otherwise, see product release notes for detailed feature introduction information.

  • Page 38: Configuring Credentials And Aaa For A Cisco Trustsec Seed Device

    TrustSec domain, is called the seed device. Other Cisco TrustSec network devices are non-seed devices. To enable NDAC and AAA on the seed switch so that it can begin the Cisco TrustSec domain, perform these steps:...

  • Page 39: Configuration Examples For Seed Device

    Router(config)# dot1x system-auth-control Router(config)# exit Configuring Credentials and AAA for a Cisco TrustSec Non-Seed Device To enable NDAC and AAA on a non-seed switch so that it can join the Cisco TrustSec domain, perform these steps: Detailed Steps for Catalyst 6500 Command...

  • Page 40: Configuration Examples For Non-Seed Device

    Router(config)# dot1x system-auth-control Step 9 Exits configuration mode. Router(config)# exit You must also configure the Cisco TrustSec credentials for the switch on the Cisco Identity Services Note Engine, or the Cisco Secure ACS. Configuration Examples for Non-Seed Device Catalyst 6500 example:...

  • Page 41: Enabling Cisco Trustsec Authentication And Macsec In 802.1X Mode On An Uplink Port

    Enabling Cisco TrustSec Authentication and MACsec in 802.1X Mode on an Uplink Port You must enable Cisco TrustSec authentication on each interface that will connect to another Cisco TrustSec device. To configure Cisco TrustSec authentication with 802.1X on an uplink interface to...

  • Page 42: Configuration Examples For 802.1X On Uplink Port

    Exits interface configuration mode. Router(config-if)# exit Configuration Examples for 802.1X on Uplink Port Catalyst 6500 Cisco TrustSec authentication in 802.1X mode on an interface using GCM as the preferred SAP mode; the authentication server did not provide a reauthentication timer: Router# configure terminal...
  • Page 43 Chapter 3 Configuring Identities, Connections, and SGTs Configuring Cisco TrustSec and MACsec in Manual Mode on an Uplink Port Command Purpose Step 4 (Optional) Configures the SAP pairwise master key Router(config-if-cts-manual)# [no] sap pmk key [mode-list mode1 [mode2 [mode3 (PMK) and operation mode. SAP is disabled by [mode4]]]] default in Cisco TrustSec manual mode.

  • Page 44: Configuration Examples For Manual Mode And Macsec On An Uplink Port

    When manually configuring Cisco TrustSec on an interface, consider these usage guidelines and restrictions: • If no SAP parameters are defined, no Cisco TrustSec encapsulation or encryption will be performed. • If the selected SAP mode allows SGT insertion and an incoming packet carries no SGT, the tagging policy is as follows: –...

  • Page 45: Regenerating Sap Key On An Interface

    Example: c6500switch# cts rekey int gig 1/1 Verifying the Cisco TrustSec Interface Configuration To view the TrustSec-relate interface configuration, perform this task: Detailed Steps for Catalyst 6500 Command Purpose Step 1 Displays TrustSec-related interface configuration.
  • Page 46 Chapter 3 Configuring Identities, Connections, and SGTs Verifying the Cisco TrustSec Interface Configuration Peer identity: "sanjose" Peer's advertised capabilities: "" 802.1X role: Supplicant Reauth period applied to link: Not applicable to Supplicant role Authorization Status: SUCCEEDED Peer SGT: Peer SGT assignment: Trusted...

  • Page 47: Manually Configuring A Device Sgt

    Manually Configuring a Device SGT In normal Cisco TrustSec operation, the authentication server assigns an SGT to the device for packets originating from the device. You can manually configure an SGT to be used if the authentication server is not accessible, but an authentication server-assigned SGT will take precedence over a manually-assigned SGT.

  • Page 48: Manually Configuring Ip-Address-To-Sgt Mapping

    • Subnet to SGT Mapping Subnet to SGT mapping binds an SGT to all host addresses of a specified subnet. TrustSec imposes the SGT on an incoming packet when the packet’s source IP address belongs to the specified subnet. The subnet and SGT are specified in the CLI with the cts role-based sgt-map net_address/prefix sgt sgt_number global configuration command.
  • Page 49 30). Specifies the number of bits in • the network address. Example: sgt number (0–65,535). Specifies the Security • switch(config)# cts role-based sgt-map 10.10.10.10/29 sgt 1234 Group Tag (SGT) number. Cisco TrustSec Configuration Guide 3-13 OL-22192-02...
  • Page 50 Example: switch# show running-config | include sgt 1234 switch# show running-config | include network-map Step 7 Copies the running configuration to the startup copy running-config startup-config configuration. Example: switch# copy running-config startup-config Cisco TrustSec Configuration Guide 3-14 OL-22192-02...

  • Page 51: Verifying Subnet To Sgt Mapping Configuration

    10.10.10.0/30 subnetwork, six expansions for the 11.11.11.0/29 subnetwork, and 14 expansions for the 192.168.1.0/28 subnetwork. Switch2# show cts sxp sgt-map brief | include 101|11111|65000 IPv4,SGT: <10.10.10.1 , 101> IPv4,SGT: <10.10.10.2 , 101> IPv4,SGT: <11.11.11.1 , 11111> IPv4,SGT: <11.11.11.2 , 11111> Cisco TrustSec Configuration Guide 3-15 OL-22192-02...

  • Page 52: Vlan To Sgt Mapping

    When a VLAN is assigned a gateway that is a switched virtual interface (SVI) on a TrustSec-capable switch, and IP Device Tracking is enabled on that switch, then TrustSec can create an IP to SGT binding for any active host on that VLAN mapped to the SVI subnet.

  • Page 53: Default Settings

    Task Flow for Configuring VLAN-SGT Mapping Create a VLAN on the TrustSec switch with the same VLAN_ID of the incoming VLAN. • Create an SVI for the VLAN on the TrustSec switch to be the default gateway for the endpoint • clients.
  • Page 54 (Optional) Displays the VLAN to SGT mappings. show cts role-based sgt-map {ipv4_netaddr | ipv4_netaddr/prefix | ipv6_netaddr| ipv6_netaddr/prefix | all [ipv4 | ipv6] | host {ipv4__addr | ipv6_addr} | summary [ipv4 | ipv6] Example: TS_switch# cts role-based sgt-map all Cisco TrustSec Configuration Guide 3-18 OL-22192-02...

  • Page 55: Verifying Vlan To Sgt Mapping

    In the following example, a single host connects to VLAN 100 on an access switch. The access switch has an access mode link to a Catalyst 6500 series TrustSec software-capable switch. A switched virtual interface on the TrustSec switch is the default gateway for the VLAN 100 endpoint (IP Address 10.1.1.1).

  • Page 56: Layer 3 Logical Interface To Sgt Mapping (L3If-Sgt Mapping)

    Step 5 TS_switch(config)# cts role-based sgt-map vlan 100 sgt 10 Step 6 Enable IP Device Tracking on the TrustSec switch. Verify that it is operating. TS_switch(config)# ip device tracking TS_switch# show ip device tracking all IP Device Tracking = Enabled...

  • Page 57: Feature History For L3If-Sgt Mapping

    Manually Configuring IP-Address-to-SGT Mapping Use the cts role-based sgt-map interface global configuration command to specify either a specific SGT number, or a Security Group Name (whose SGT association is dynamically acquired from a Cisco ISE or a Cisco ACS access server).

  • Page 58: Configuration Example For L3If To Sgt Mapping On An Ingress Port

    = 15 Binding Source Priorities TrustSec resolves conflicts among IP-SGT binding sources with a strict priority scheme. For example, an SGT may be applied to an interface with the policy {dynamic identity peer-name | static sgt tag} CTS Manual interface mode command (Identity Port Mapping). The current priority enforcement order, from lowest (1) to highest (7), is as follows: VLAN—Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping...

  • Page 59: Configuring Additional Authentication Server-Related Parameters

    INTERNAL—Bindings between locally configured IP addresses and the device own SGT. Configuring Additional Authentication Server-Related Parameters To configure the interaction between a switch and the Cisco TrustSec server, perform one or more of these tasks: Detailed Steps for Catalyst 6500...

  • Page 60: Automatically Configuring A New Or Replacement Password With The Authentication Server

    IP address of the authentication • server. port—The UDP port of the authentication server. • key secret—The RADIUS shared secret of the • authentication server. a-id a-id—The A-ID associated with the • authentication server. Cisco TrustSec Configuration Guide 3-24 OL-22192-02...
  • Page 61 • Cisco TrustSec SGT Exchange Protocol Feature Histories For a list of supported TrustSec features per platform and the minimum required IOS release, see the Cisco TrustSec Platform Support Matrix at the following URL: (final URL posted with TS 4.0) http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html...

  • Page 62: Configuring Sgt Exchange Protocol Over Tcp (Sxp) And Layer 3 Transport

    If a default SXP source IP address is not configured and you do not configure an SXP source address in Note the connection, the Cisco TrustSec software derives the SXP source IP address from existing local IP addresses. The SXP source address might be different for each TCP connection initiated from the switch.
  • Page 63 Chapter 4 Configuring SGT Exchange Protocol over TCP (SXP) and Layer 3 Transport Configuring Cisco TrustSec SXP To configure the SXP peer connection, perform this task: Detailed Steps for Catalyst 6500 Command Purpose Step 1 Enters global configuration mode. Router# configure terminal Step 2 Configures the SXP address connection.

  • Page 64: Configuring The Default Sxp Password

    Configuring the Default SXP Password By default, SXP uses no password when setting up connections. You can configure a default SXP password for the switch. In Cisco IOS Release 12.2(50)SY and later releases, you can specify an encrypted password for the SXP default password.

  • Page 65: Changing The Sxp Reconciliation Period

    The SXP retry period determines how often the Cisco TrustSec software retries an SXP connection. When an SXP connection is not successfully set up, the Cisco TrustSec software makes a new attempt to set up the connection after the SXP retry period timer expires. The default value is 120 seconds.

  • Page 66: Verifying The Sxp Connections

    12.2(50) SY This feature was introduced on the Catalyst 6500 series switches. You can configure Layer 3 SGT Transport on Cisco TrustSec gateway devices on the edges of a network domain that has no Cisco TrustSec-capable devices. Cisco TrustSec Configuration Guide...
  • Page 67 When configuring Cisco TrustSec Layer 3 SGT transport, consider these usage guidelines and restrictions: The Cisco TrustSec Layer 3 SGT transport feature can be configured only on ports that support • hardware encryption. Traffic and exception policies for Cisco TrustSec Layer 3 SGT transport have the following •...

  • Page 68: Configuring Cisco Trustsec Reflector For Cisco Trustsec-Incapable Switching Modules

    If the authentication server is not available and no traffic policy has been manually configured, – no Cisco TrustSec Layer 3 encapsulation will be performed on the interface. This example shows how to configure Layer 3 SGT Transport to a remote Cisco TrustSec domain: Router# configure terminal Router(config)# ip access-list extended traffic-list Router(config-ext-nacl)# permit ip any 10.1.1.0 0.0.0.255...

  • Page 69: Configuring Cisco Trustsec Caching

    Router(config)# platform cts ingress Router(config)# exit Router# show platform cts CTS Ingress mode enabled Before disabling the Cisco TrustSec ingress reflector, you must remove power from the Cisco Note TrustSec-incapable switching modules. To configure the Cisco TrustSec egress reflector function, perform this task.

  • Page 70: Clearing The Cisco Trustsec Cache

    Configuring SGT Exchange Protocol over TCP (SXP) and Layer 3 Transport Configuring Cisco TrustSec Caching of the Cisco TrustSec domain. The Cisco TrustSec devices will cache security information in DRAM. If non-volatile (NV) storage is also enabled, the DRAM cache information will also be stored to the NV memory.

  • Page 71: Configuring Sgacl Policies

    Refreshing the Downloaded SGACL Policies, page 5-7 • Cisco TrustSec SGACL Feature Histories For a list of supported TrustSec features per platform and the minimum required IOS release, see the Cisco TrustSec Platform Support Matrix at the following URL: http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html Otherwise, see product release notes for detailed feature introduction information.

  • Page 72: Sgacl Policy Configuration Process

    Cisco Identity Services Engine User Guide). If you are not using AAA on a Cisco Secure ACS or a Cisco ISE to download the SGACL policy configuration, you can manually configure the SGACL mapping and policies (see the “Manually Configuring SGACL Policies”...

  • Page 73: Enabling Sgacl Policy Enforcement Per Interface

    Enabling SGACL Policy Enforcement Per Interface Enabling SGACL Policy Enforcement Per Interface You must first enable SGACL policy enforcement globally for Cisco TrustSec-enabled routed interfaces. This feature is not supported on Port Channel interfaces. To enable SGACL policy enforcement on Layer 3 interfaces, perform this task:...

  • Page 74: Manually Configuring Sgacl Policies

    Manually Configuring SGACL Policies Manually Configuring SGACL Policies A role-based access control list bound to a range of SGTs and DGTs forms an SGACL, a TrustSec policy enforced on egress traffic. Configuration of SGACL policies are best done through the policy management functions of the Cisco ISE or the Cisco Secure ACS.

  • Page 75: Configuration Examples For Manually Configuring Sgacl Policies

    [no] cts role-based permissions {default |[from {sgt_num | unknown} to {dgt_num | configuration is analogous to populating the unknown}]{rbacls | ipv4 rbacls} permission matrix configured on the Cisco ISE or the Cisco Secure ACS. Default—Default permissions list • sgt_num—0 to 65,519. Source Group Tag •...

  • Page 76: Displaying Sgacl Policies

    Displaying SGACL Policies Displaying SGACL Policies After configuring the Cisco TrustSec device credentials and AAA, you can verify the Cisco TrustSec SGACL policies downloaded from the authentication server or configured manually. Cisco TrustSec downloads the SGACL policies when it learns of a new SGT through authentication and authorization on an interface, from SXP, or from manual IP address to SGT mapping.

  • Page 77: Refreshing The Downloaded Sgacl Policies

    SGT are refreshed. To refresh all security group tag policies, press Enter without specifying an SGT number. Select default to refresh the default policy. Select unknown to refresh unknown policy. Switch3850# cts refresh policy peer my_cisco_ise Cisco TrustSec Switch Configuration Guide OL-22192-02...
  • Page 78 Chapter 5 Configuring SGACL Policies Refreshing the Downloaded SGACL Policies Cisco TrustSec Switch Configuration Guide OL-22192-02...

  • Page 79: Configuring Endpoint Admission Control

    • Information About Endpoint Admission Control In TrustSec networks, packets are filtered at the egress, not the ingress to the network. In TrustSec endpoint authentication, a host accessing the TrustSec domain (endpoint IP address) is associated with a Security Group Tag (SGT) at the access device through DHCP snooping and IP device tracking. The access device transmits that association (binding) through SXP to TrustSec hardware-capable egress devices, which maintain a continually updated table of Source IP to SGT bindings.

  • Page 80: Basic Eac Configuration Sequence

    Configuring Endpoint Admission Control Basic EAC Configuration Sequence Basic EAC Configuration Sequence Configure the Cisco Secure ACS to provision SGTs to authenticated endpoint hosts. Enable SXP on access switches. See the chapter, “Configuring SGT Exchange Protocol over TCP (SXP) and Layer 3 Transport.”...

  • Page 81: Mac Authentication Bypass Configuration

    2/1 details MAB details for GigabitEthernet2/1 ------------------------------------- Mac-Auth-Bypass = Enabled MAB Client List --------------- Client MAC = 000c.293a.048e Session ID = AC1AD01F0000000A04CD41AC MAB SM state = ACQUIRING Auth Status = UNAUTHORIZED Cisco TrustSec Configuration Guide OL-22192-01...

  • Page 82: Web Authentication Proxy Configuration

    Web Authentication Proxy (WebAuth) allows the user to use a web browser to transmit their login credentials to the Cisco Secure ACS though a Cisco IOS web server on the access device. WebAuth can be enabled independently. It does not require 802.1X or MAB to be configured.

  • Page 83: Flexible Authentication Sequence And Failover Configuration

    For more detailed information on authentication method sequence configuration, see the configuration guide for your access switch. For additional information on FAS, see the Cisco document, Flexible Authentication Order, Priority, and Failed Authentication at the following URL: http://www.ciscosystems.com.pe/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_n ote_c27-573287_ps6638_Products_White_Paper.html 802.1X Host Modes...

  • Page 84: Dhcp Snooping And Sgt Assignment

    ACL programming, etc.). For TrustSec networks, a Security Group Tag (SGT) is assigned per the user configuration in the Cisco ACS. The SGT is bound to traffic sent from that endpoint through DHCP snooping and the IP device tracking infrastructure.

  • Page 85: Cisco Trustsec Endpoint Access Control Feature Histories

    Cisco TrustSec Endpoint Access Control Feature Histories For a list of supported platforms, supported features, and the minimum required IOS releases, see the Cisco TrustSec Platform Support Matrix at the following URL: http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html Otherwise, see product release notes for detailed feature introduction information.
  • Page 86 Chapter 6 Configuring Endpoint Admission Control Cisco TrustSec Endpoint Access Control Feature Histories Cisco TrustSec Configuration Guide OL-22192-01...

  • Page 87: Cisco Trustsec Command Summary

    Refresh environment, peer and RBACL policies. cts rekey CTS SAP rekey cts role-based policy trace TrustSec SGT and SGACL trace utility. Cisco TrustSec Global Configuration Commands cts authorization list Configures CTS global authorization configuration. cts cache Enables caching of TrustSec authorization and environment-data information to DRAM and NVRAM.
  • Page 88 (cts manual interface submode) Configures CTS SAP for manual mode. Cisco TrustSec Clear Commands clear cts cache Clears TrustSec cache file by type, by filename or all cache files. clear cts counter Clears the counters for a single TrustSec interface...
  • Page 89 Chapter 7 Cisco TrustSec Command Summary Cisco TrustSec Show Commands show cts authorization entries Displays the authorization entries. show cts credentials Displays credentials used for CTS authentication. show cts environment-data Displays the CTS environment data. show cts interface Displays CTS states and statistics per interface.
  • Page 90 Chapter 7 Cisco TrustSec Command Summary Debug Commands debug authentication event debug authentication feature debug condition cts peer-id debug condition cts Filters CTS debugging messages by interface name, peer-id, peer-SGT or Security Group name. debug condition cts peer-id debug condition cts security-group...
  • Page 91 Chapter 7 Cisco TrustSec Command Summary debug cts server-list debug cts states debug cts sxp debug cts sxp conn debug cts sxp error debug cts sxp internal debug cts sxp mdb debug cts sxp message debug dot.1x debug epm debug event...
  • Page 92 To specify a list of AAA servers to use by the TrustSec seed device, use the cts authorization command on the TrustSec seed device in global configuration mode. Use the no form of the command to stop using the list during authentication.
  • Page 93 DRAM and NVRAM. Cisco TrustSec creates a secure cloud of devices in a network by requiring that each device authenticate and authorize its neighbors with a trusted AAA server (Cisco Secure ACS 5.1 or more recent) before being granted access to the TrustSec network.
  • Page 94 Chapter 7 Cisco TrustSec Command Summary cts cache formation of the CTS cloud upon reboot, improving network availability, and reducing the load on the ACS. Caching can be stored in volatile memory (information does not survive a reboot) or nonvolatile memory (information survives a reboot).
  • Page 95 Usage Guidelines The cts change-password command allows an administrator to change the password used between the local device the Cisco Secure ACS authentication server, without having to also reconfigure the authentication server. The cts change-password is supported on Cisco Secure ACS, 5.1 and more recent versions.
  • Page 96 (NVGEN) because the CTS credential information is saved in the keystore, not in the startup-config. The device can be assigned a CTS identity by the Cisco Secure Access Control Server (ACS), or auto-generate a new password when prompted to do so by the ACS.
  • Page 97 Examples The following example configures himalaya and cisco as the CTS device ID and password: Router# cts credentials id himalaya password cisco CTS device ID and password have been inserted in the local keystore. Please make sure that the same ID and password are configured in the server database.
  • Page 98 Use the cts dot1x command to enter CTS dot1x interface configuration mode (config-if-cts-dot1x) to configure the TrustSec reauthentication timer on an interface. Use the no form of the command to disable the timers on an interface. [no] cts dot1x Syntax Description This command has no arguments or keywords.
  • Page 99 Chapter 7 Cisco TrustSec Command Summary cts dot1x Related Commands Command Description default timer Resets the CTS dot1x reauthentication timer to the default value. reauthentication (cts interface) timer reauthentication Sets the CTS dot1x reauthentication timer. (cts interface) show cts interface Displays CTS interface status and configurations.
  • Page 100 Chapter 7 Cisco TrustSec Command Summary default timer reauthentication (cts interface) default timer reauthentication (cts interface) Use the default timer reauthentication command in CTS interface configuration mode to reset the CTS dot1x reauthentication timer to the default value. default timer reauthentication Syntax Description timer reauthentication Sets the CTS reauthentication timer to the default values.
  • Page 101 12.2(33) SXI This command was introduced on the Catalyst 6500 series switches. Usage Guidelines This command sets the TrustSec reauthentication timer. When this timer expires, the device reauthenticates to the CTS network (NDAC). Examples The following example sets the reauthentication timer to 44 seconds:...
  • Page 102 Use the cts layer 3 interface configuration command to enable CTS Layer3 Transport gateway interfaces, and to apply exception and traffic policies to them. cts layer3 {ipv4 | ipv6} {policy | trustsec forwarding} Syntax Description ipv4 | ipv6...
  • Page 103 Chapter 7 Cisco TrustSec Command Summary cts manual cts manual Use the cts manual interface configuration command to enter the TrustSec manual interface configuration submode. cts manual Syntax Description There is no syntax for this command Defaults There is no default for this command.
  • Page 104 Chapter 7 Cisco TrustSec Command Summary cts manual Related Commands Command Description policy (cts manual interface configuration submode) sap (cts manual interface submode) show cts interface Cisco TrustSec Configuration Guide 7-18 OL-22192-01...
  • Page 105 The CTS Layer 3 Transport feature permits Layer 2 SGT-tagged traffic from TrustSec-enabled network segments to be transported over non-TrustSec network segments by the application and removal of a Layer 3 encapsulation at specified CTS Layer 3 gateways. A traffic policy is an access list that lists all the TrustSec-enabled subnets and their corresponding gateway addresses.
  • Page 106 Cisco TrustSec Command Summary cts policy layer3 Configure Cisco TrustSec Layer 3 SGT transport with these usage guidelines and restrictions: The Cisco TrustSec Layer 3 SGT transport feature can be configured only on ports that support • hardware encryption. Traffic and exception policies for Cisco TrustSec Layer 3 SGT transport have the following •...
  • Page 107 To refresh the TrustSec peer authorization policy and of all or specific CTS peers, or to refresh the SGACL policies downloaded to the switch by the authentication server, use the cts refresh command in privileged EXEC mode.
  • Page 108 Chapter 7 Cisco TrustSec Command Summary cts refresh Examples The following example refreshes the TrustSec peer authorization policy of all peers: Router# cts policy refresh Policy refresh in progress The following example displays the TrustSec peer authorization policy of all peers:...
  • Page 109 To manually force a PMK refresh use the cts rekey command. TrustSec supports a manual configuration mode where Dot1X authentication is not required to create link-to-link encryption between switches. In this case, the PMK is manually configured on devices on both ends of the link with the sap pmk CTS manual interface configuration command.
  • Page 110 Chapter 7 Cisco TrustSec Command Summary cts rekey Related Commands Command Description sap (cts manual interface submode) show cts Cisco TrustSec Configuration Guide 7-24 OL-22192-01...
  • Page 111 To troubleshoot SGT and SGACL behavior in TrustSec network devices, use the cts role-based policy trace privileged EXEC command. cts role-based policy trace {ipv4 | ipv6} {tcp | udp} source_host ip_address eq {protocol name |...
  • Page 112 Chapter 7 Cisco TrustSec Command Summary cts role-based policy trace protocol name | Specifies either the host-to-host protocol name or its well-known port wellknown_port_num number when UDP or TCP is selected as the Internet Protocol. Supported protocols and their associated well-known port numbers are as follows: 0 to 65535—Protocol Port number space.
  • Page 113 The cts role-based policy trace procedure is summarized as follows: Discover the network path. Know the topology of the entire TrustSec network before executing the command. Standard network discovery methods such as IP traceroute, CDP or other methods can be used to obtain this information.
  • Page 114 Chapter 7 Cisco TrustSec Command Summary cts role-based policy trace Protocol : UDP Source IP Address : 10.2.2.1 Source Port : 177 Destination IP Address : 10.1.1.2 Destination Port : 80 Result: ========== Source SGT mapped to Int Gi 1/1 : 6 Destination IP: 10.1.1.2...
  • Page 115 Cisco TrustSec Command Summary cts role-based cts role-based Use the cts role-based global configuration command to manually configure SGT impositions, TrustSec NetFlow parameters, and SGACL enforcement. Use the no form of the command to remove the configurations. [no] cts role-based enforcement [vlan-list {vlan-ids | all}]...
  • Page 116 • Usage Guidelines If you do not have a Cisco Identity Services Engine, Cisco Secure ACS, dynamic ARP inspection, DHCP snooping, or Host Tracking available to your switch to automatically map SGTs to source IP addresses, you can manually map an SGT to the following with the cts role-based sgt-map command: A single host IPv4 or IPv6 address •...
  • Page 117 SGT. A security group information table that maps SGTs to security group names is downloaded from the authentication server with the TrustSec environment data. The cts role-based sgt-map interface security-group command is rejected if a security group name table is not available.
  • Page 118 Cisco TrustSec Command Summary cts role-based TrustSec resolves conflicts among IP-SGT binding sources in the master binding data-base with a strict priority scheme. For example, an SGT may also be applied to an interface with the policy {dynamic identity peer-name | static sgt tag} cts interface command (Identity Port Mapping).
  • Page 119 To collect only SGACL dropped packets, use the [no] cts role-based {ip | ipv6} flow monitor dropped global configuration command. For Flexible NetFlow overview and configuration information, see the following documents: Getting Started with Configuring Cisco IOS Flexible NetFlow http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/get_start_cfg_fnflow.html Cisco IOS Flexible NetFlow Configuration Guide, Release 15.0SY http://www.cisco.com/en/US/docs/ios-xml/ios/fnetflow/configuration/15-0sy/fnf-15-0sy-book.html...
  • Page 120 Chapter 7 Cisco TrustSec Command Summary cts role-based In the following example, a Catalyst 6500 series includes VLAN 57, and 89 through 101 to VRF l2ipv4. The VRF was created with the vrf global configuration command. Cat6k(config)# cts role-based l2-vrf l2ipv4 vlan-list 57, 89-101...
  • Page 121 The default is 20 seconds; the range is 1 to 864000. load-balance method least-outstanding Enables RADIUS load balancing for the Cisco TrustSec private server group and chooses the server with the least outstanding transactions. By default, no load balancing is applied.
  • Page 122 Information on RADIUS server load balancing is available at the following URL: http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/sbrdldbl.html Examples The following example shows how to configure server settings and how to display the Cisco TrustSec server list: Router# configure terminal Router(config)# cts server load-balance method least-outstanding batch-size 50...
  • Page 123 Chapter 7 Cisco TrustSec Command Summary cts server Related Commands Command Description show cts server-list Displays lists of AAA servers and load-balancing configurations. Cisco TrustSec Configuration Guide 7-37 OL-22192-01...
  • Page 124 This command was introduced on the Catalyst 3750(X) series switches. Usage Guidelines In normal Cisco TrustSec operation, the authentication server assigns an SGT to the device for packets originating from the device. You can manually configure an SGT to be used if the authentication server is not accessible, but an authentication server-assigned SGT will take precedence over a manually assigned SGT.
  • Page 125 Chapter 7 Cisco TrustSec Command Summary cts sxp cts sxp To configure SXP on a network device, use the cts sxp global configuration command. This command enables SXP, determines the SXP password, the peer speaker/listener relationship, and the reconciliation period. It also toggles the binding changes log on or off. Use the no form of the command to disable SXP configurations.
  • Page 126 (if configured), or the address of the port. enable Enables SGT Exchange Protocol over TCP (SXP) for Cisco TrustSec. log binding-changes Turns on logging for IP to SGT binding changes. Default is off.
  • Page 127 Delete Hold Down timer expires, the SXP Reconciliation timer starts. While the SXP Reconciliation period timer is active, the Cisco TrustSec software retains the SGT mapping entries learned from the previous connection and removes invalid entries. The default value is 120 seconds (2 minutes).
  • Page 128 Chapter 7 Cisco TrustSec Command Summary cts sxp Examples The following example shows how to enable SXP and configure the SXP peer connection on SwitchA, a speaker, for connection to SwitchB, a listener: SwitchA# configure terminal SwitchA#(config)# cts sxp enable SwitchA#(config)# cts sxp default password Cisco123 SwitchA#(config)# cts sxp default source-ip 10.10.1.1...
  • Page 129 The interface-controller keyword was introduced on the Catalyst 6500 series switches. Examples The following example deletes environment data from cache: Router# clear cts cache environment-data Router# Clearing peer authorization and SGT policies are relevant only to TrustSec devices capable of Note enforcing SGACLs. Related Commands Command Description...
  • Page 130 Chapter 7 Cisco TrustSec Command Summary clear cts counter clear cts counter To clear TrustSec statistics on a specified interface, use the clear cts counter privileged EXEC command. clear cts counter [type slot/port] Syntax Description type slot/port (Optional) Specifies the interface type, slot, and port of the interface to clear.
  • Page 131 Chapter 7 Cisco TrustSec Command Summary clear cts counter Related Commands Command Description show cts interface Displays CTS interface status and configurations. Cisco TrustSec Configuration Guide 7-45 OL-22192-01...
  • Page 132 Chapter 7 Cisco TrustSec Command Summary clear cts credentials clear cts credentials To delete the Trustsec device ID and password, use the clear cts credentials command in privileged EXEC mode. clear cts credentials Syntax Description This command has no arguments or keywords.
  • Page 133 Chapter 7 Cisco TrustSec Command Summary clear cts environment-data clear cts environment-data To delete the TrustSec environment data from cache, use the clear cts environment-data command in Privileged EXEC mode. clear cts environment-data Syntax Description This command has no arguments or keywords.
  • Page 134 Chapter 7 Cisco TrustSec Command Summary clear cts macsec clear cts macsec To clear the MACsec counters for a specified interface, use the clear cts macsec counters command. clear cts macsec counters interface type slot/port Syntax Description interface type slot/port Specifes the interface.
  • Page 135 Cisco TrustSec Command Summary clear cts pac clear cts pac To clear TrustSec Protected Access Credential (PAC) information from the keystore, use the clear cts pac command in privileged EXEC mode. clear cts pac {A-ID hexstring | all} Syntax Description...
  • Page 136 Cisco TrustSec Command Summary clear cts policy clear cts policy To delete the peer authorization policy of a TrustSec peer, use the the clear cts policy command in privileged EXEC mode. clear cts policy {peer [peer_id] | sgt [sgt]} Syntax Description peer peer_id Specifies the peer ID of the TrustSec peer device.
  • Page 137 Chapter 7 Cisco TrustSec Command Summary clear cts policy Related Commands Command Description cts refresh Forces refresh of peer authorization policies. show cts policy peer Displays the peer authorization policies of TrustSec peers. Cisco TrustSec Configuration Guide 7-51 OL-22192-01...
  • Page 138 Chapter 7 Cisco TrustSec Command Summary clear cts role-based counters clear cts role-based counters To reset Security Group ACL statistic counters, use the the clear cts role-basedcounters command in EXEC or Privileged EXEC mode. clear cts role-based counters default [ipv4 | ipv6]...
  • Page 139 Chapter 7 Cisco TrustSec Command Summary clear cts role-based counters Specify the source SGT with the from keyword and the destination SGT with the to keyword. The counters for the entire permission matrix are cleared when both the from and clauses to keywords are omitted.
  • Page 140 Chapter 7 Cisco TrustSec Command Summary clear cts server clear cts server To remove a server from the CTS AAA server list, use the clear cts server command. clear cts server ip_address Syntax Description ip_address IPv4 address of the AAA server to be removed from the server list.
  • Page 141 Chapter 7 Cisco TrustSec Command Summary default (cts dot1x interface configuration submode) default (cts dot1x interface configuration submode) To restore any of the cts dot1x configurations to their default values, use the default command in CTS dot1x interface configuration submode.
  • Page 142 Use the debug condition cts to set match criteria (conditions) to filter TrustSec debug cts messages on Peer ID, Security Group Tag (SGT), or Security Group Name (SGN). Use the no form of the command to remove debug condtions.
  • Page 143 Chapter 7 Cisco TrustSec Command Summary debug condition cts Condition 1: cts peer-id Zoombox (0 flags triggered) Condition 2: cts security-group tag 7 (0 flags triggered) Condition 3: cts security-group name engineering (0 flags triggered) switch# debug cts ifc events...
  • Page 144 Chapter 7 Cisco TrustSec Command Summary default (cts manual interface configuration submode) default (cts manual interface configuration submode) To restore any of the cts manual configurations to their default values, use the default command in CTS manual interface configuration submode.
  • Page 145 Chapter 7 Cisco TrustSec Command Summary default (cts manual interface configuration submode) Related Commands Command Description policy (cts manual Configures CTS policy for manual mode interface configuration submode) sap (cts manual Configures CTS SAP for manual mode. interface submode) Cisco TrustSec Configuration Guide...
  • Page 146 Cisco TrustSec Command Summary match flow cts match flow cts To add the Cisco TrustSec flow objects to a Flexible NetFlow flow record, use the match flow cts record configuration command. [no] match flow cts destination group-tag [no] match flow cts source group-tag...
  • Page 147 Chapter 7 Cisco TrustSec Command Summary match flow cts Examples The following example configures an IPV4 Flow Record (5-tuple, direction, SGT, DGT): router(config)# flow record cts-record-ipv4 router(config-flow-record)# match ipv4 protocol router(config-flow-record)# match ipv4 source address router(config-flow-record)# match ipv4 destination address...
  • Page 148 Cisco TrustSec Command Summary platform cts platform cts To enable the TrustSec egress or ingress reflector use the platform cts global config command. Use the no form of the command to disable the reflector. [no] platform cts {egress | ingress}...
  • Page 149 (cts manual interface configuration submode) policy (cts manual interface configuration submode) To apply a policy to a manually configured TrustSec link, use the policy interface manual submode command. Use the no form of the command to remove a policy.
  • Page 150 Examples The following example applies an SGT 3 to incoming traffic from the peer, except for traffic already tagged (the interface that has no communication with a Cisco Secure ACS server): Router# configure terminal Router(config)# interface gi2/1...
  • Page 151 Related Commands Command Description show cts interface Displays TrustSec configuration statistics per interface. default (cts manual Restores default configurations for CTS manual mode. interface configuration submode) policy (cts manual Configures CTS policy for manual mode.
  • Page 152 Cisco TrustSec Command Summary propagate (cts dot1x submode) propagate (cts dot1x submode) To enable and disable the SGT propagation on a Cisco TrustSec interface, use the propagate sgt command in CTS dot1x interface configuration submode. [no] propagate sgt Syntax Description Specifies CTS SGT propagation.
  • Page 153 Disabled <snip> . . . Related Commands Command Description show cts interface Displays Cisco TrustSec states and statistics per interface. sap (cts dot1x interface Configures CTS SAP for dot1x mode. submode) timer (cts do1x interface Configures the CTS timer. submode)
  • Page 154 A TrustSec-capable interface can support MACsec (Layer2 802.1AE security) and SGT tagging. A TrustSec-capable interface attempts to negotiate the most secure mode with its peer. The peer may be capable of MACsec but not capable of SGT processing. In a manual CTS interface configuration, disable the SGT propagation on the CTS-capable interface if you are only implementing the MACsec feature.
  • Page 155 Chapter 7 Cisco TrustSec Command Summary propagate (cts manual interface configuration submode) Related Commands Command Description show cts interface Displays Cisco TrustSec states and statistics per interface. show running-config Displays current system configurations. Cisco TrustSec Configuration Guide 7-69 OL-22192-01...
  • Page 156 Before the SAP exchange begins after a Dot1x authentication, both sides (supplicant and authenticator) have received the Pairwise Master Key (PMK) and the MAC address of the peer’s port from the Cisco Secure Access Control Server (Cisco Secure ACS). If 802.1X authentication is not possible, SAP, and the PMK can be manually configured between two interfaces in CTS manual configuration mode.
  • Page 157 (cts dot1x interface submode) Use the timer reauthentication command to configure the reauthentication period to be applied to the CTS link in case the period is not available from the Cisco Secure ACS. The default reauthentication period is 86,400 seconds.
  • Page 158 Usage Guidelines The Security Association Protocol (SAP) is an encryption key derivation and exchange protocol based on a draft version of the 802.11i IEEE protocol. In a TrustSec configuration, the keys are used for MACsec link-to-link encryption between two interfaces.
  • Page 159 (cts manual Configures CTS policy for manual mode interface configuration submode) propagate (cts manual Configures CTS SGT Propagation configuration for manual mode interface configuration submode) show cts interface Displays TrustSec configuration statistics per interface. Cisco TrustSec Configuration Guide 7-73 OL-22192-01...
  • Page 160 Chapter 7 Cisco TrustSec Command Summary show cts show cts To display states and statistics related to Cisco TrustSec, use the show cts Privileged EXEC command. show cts [ authorization entries | credentials | environment-data interface {type slot/port | vlan vlan_number |...
  • Page 161 Global Dot1x feature: Enabled CTS device identity: "dcas1" CTS caching support: disabled Number of CTS interfaces in DOT1X mode: MANUAL mode: 5 Number of CTS interfaces in LAYER3 TrustSec mode: 0 Number of CTS interfaces in corresponding IFC state INIT state: AUTHENTICATING...
  • Page 162 Chapter 7 Cisco TrustSec Command Summary show cts Related Commands Command Description cts credentials Specifies the TrustSec ID and password. Cisco TrustSec Configuration Guide 7-76 OL-22192-01...
  • Page 163 Chapter 7 Cisco TrustSec Command Summary show cts authorization entries show cts authorization entries To display TrustSec NDAC authorization entries, use the show cts authorization entries command in EXEC or privileged EXEC mode. show cts authorization entries Syntax Description This command has no arguments or keywords.
  • Page 164 Policy expires in 0:00:29:27 (dd:hr:mm:sec) Policy refreshes in 0:00:29:27 (dd:hr:mm:sec) Retry_timer = not running Cache data applied = NONE Entry status = SUCCEEDED Related Commands Command Description cts credentials Specifies the TrustSec ID and password. Cisco TrustSec Configuration Guide 7-78 OL-22192-01...
  • Page 165 Chapter 7 Cisco TrustSec Command Summary show cts credentials show cts credentials To display the TrustSec device ID, use the show cts credentials command in EXEC or privileged EXEC mode. show cts credentials Syntax Description This command has no commands or keywords.
  • Page 166 Chapter 7 Cisco TrustSec Command Summary show cts environment-data show cts environment-data To display the TrustSec environment data, use the show cts environment-data command in EXEC or privileged EXEC mode. show cts environment-data Syntax Description This command has no commands or keywords.
  • Page 167 Chapter 7 Cisco TrustSec Command Summary show cts environment-data Related Commands Command Description clear cts environment-data Clears TrustSec environment data from cache. Cisco TrustSec Configuration Guide 7-81 OL-22192-01...
  • Page 168 Chapter 7 Cisco TrustSec Command Summary show cts interface show cts interface To display TrustSec configuration statistics, use the show cts interface command in EXEC or privileged EXEC mode. show cts interface [type slot/port] | [brief] | [summary] Syntax Description type slot/port (Optional) Specifies an interface type and slot and port number.
  • Page 169 Chapter 7 Cisco TrustSec Command Summary show cts interface Replay protection: enabled Replay protection mode: OUT-OF-ORDER SPI range: (256, 1023) Pairwise Master Session Key: 27C2DF9D 7C686B03 C930D003 95F83737 6AC0276C 8160FE3C 0C33EF9A C01FCBAC Selected cipher: Current receive SPI: Current transmit SPI:...
  • Page 170 Chapter 7 Cisco TrustSec Command Summary show cts interface The following example displays output using the brief keyword: Router# show cts interface brief Global Dot1x feature is Enabled Interface GigabitEthernet4/1: CTS is enabled, mode: DOT1X IFC state: OPEN Authentication Status:...
  • Page 171 Chapter 7 Cisco TrustSec Command Summary show cts macsec show cts macsec To display crypto ASIC packet counters per interface related to CTS link-to-link encryption, use the show cts macsec command. show cts macsec counters interface interface_type slot/port [delta] Syntax Description interface interface_type slot/port Specifies the CTS MACsec interface.
  • Page 172 Chapter 7 Cisco TrustSec Command Summary show cts macsec ifInDiscards = 0 ifInUnknownProtos = 0 ifOutDiscards = 0 dot1dDelayExceededDiscards = 0 txCRC = 0 linkChange = 0 Related Commands Command Description show cts interface sap (cts dot1x interface submode) sap (cts manual interface...
  • Page 173 Use this command to identify the NDAC authenticator and to verify NDAC completion. Examples The following example displays the Protected Access Credential (PAC) received from a Cisco ACS with the authenticator ID (A-ID–Info) of acs1 by the device named atlas:...
  • Page 174 12.2(50) SY This command was introduced on the Catalyst 6500 series switches. Usage Guidelines A traffic or exception policy may be configured locally, or obtained from the Cisco Secure ACS. See the section, “cts policy layer3” for additional information on the CTS Layer3 Transport feature.
  • Page 175 Cisco TrustSec Command Summary show cts policy peer show cts policy peer To display the peer authorization policy data of TrustSec peers, use the show cts policy peer command in EXEC or privileged EXEC mode. show cts policy peer Syntax Description This command has no commands or keywords.
  • Page 176 This policy was not populated from cache, i.e., it was acquired from the ACS Related Commands Command Description cts refresh Forces refresh of peer authorization policies. clear cts policy Clears the peer authorization policy of a TrustSec peer. Cisco TrustSec Configuration Guide 7-90 OL-22192-01...
  • Page 177 Chapter 7 Cisco TrustSec Command Summary show cts provisioning show cts provisioning Use the show cts provisioning command in EXEC or Privileged EXEC mode to display waiting RADIUS server CTS provisioning jobs. show cts provisioning Syntax Description This command has no commands or keywords.
  • Page 178 Chapter 7 Cisco TrustSec Command Summary show cts role-based counters show cts role-based counters To display Security Group ACL enforcement statistics, use the show cts role-based counters show command. Use the clear cts role-based counters command to clear the counters.
  • Page 179 Chapter 7 Cisco TrustSec Command Summary show cts role-based counters Examples The following example displays all enforcement statistics for IPv4 and IPv6 events: router# show cts role-based counters Role-based counters From SW-Denied HW-Denied SW-Permitted HW_Permitted 89762 7564328 123456 1325 12345678...
  • Page 180 Chapter 7 Cisco TrustSec Command Summary show cts role-based sgt-map show cts role-based sgt-map To display the SXP source IP to SGT bindings table (IP–SGT bindings), use the show cts role-based sgt-map command in EXEC or privileged EXEC mode. show cts role-based sgt-map {ipv4_dec | ipv4_cidr | ipv6_hex | ipv6_cidr | all [ipv4 | ipv6] |...
  • Page 181 Chapter 7 Cisco TrustSec Command Summary show cts role-based sgt-map Usage Guidelines Use this command to verify that SXP is correctly binding source IP addresses to the appropriate Security Group Tags (SGTs). VRF reports are available only from Privileged EXEC mode.
  • Page 182 Cisco TrustSec Command Summary show cts server-list show cts server-list To display the list of RADIUS servers available to TrustSec seed and nonseed devices, use the show cts server-list command in EXEC or privileged EXEC mode. show cts server-list Syntax Description This command has no commands or keywords.
  • Page 183 Chapter 7 Cisco TrustSec Command Summary show cts sxp show cts sxp To display SXP connection or SourceIP-to-SGT mapping information, use the show cts sxp command in EXEC or privileged EXEC mode. show cts sxp {connections | sgt-map} [brief | vrf instance_name]...
  • Page 184 Chapter 7 Cisco TrustSec Command Summary show cts sxp The following example displays the SXP connections on a Catalyst 6500 switch using the brief keyword: Router# show cts sxp connection brief : Enabled Default Password : Set Default Source IP: Not Set...
  • Page 185 Chapter 7 Cisco TrustSec Command Summary show cts sxp Peer IP : 2.2.2.1 Source IP : 2.2.2.2 Set up : Peer Conn status : Delete_Hold_Down Connection mode : SXP Listener Connection inst# : 1 TCP conn fd : -1 TCP conn password: not set (using default SXP password)
  • Page 186 Chapter 7 Cisco TrustSec Command Summary show cts keystore show cts keystore To display the contents of the software or hardware encryption keystore, use the show cts keystore command in EXEC or privileged EXEC mode. show cts keystore Syntax Description This command has no commands or keywords.
  • Page 187 RX bad checksums = 0 RX bad fragment lengths = 0 Corruption Detected in keystore = 0 Related Commands Command Description cts credentials Specifies the TrustSec ID and password. cts sxp Configures SXP on a network device. Cisco TrustSec Configuration Guide 7-101 OL-22192-01...
  • Page 188 To display the status of the Cisco TrustSec reflector mode (Ingress, Egress, Pure, or No CTS) on a specific interface, use the show platform cts reflector command. show platformcts reflector interface type slot/port Syntax Description interface type slot/port Specifies the interface type, slot and port for which to display status.
  • Page 189 172800 Related Commands Command Description show cts interface Displays Cisco TrustSec states and statistics per interface. sap (cts dot1x interface Configures CTS SAP for dot1x mode. submode) propagate (cts dot1x Enables/disables SGT propagation in dot1x mode.
  • Page 190 Chapter 7 Cisco TrustSec Command Summary timer (cts do1x interface submode) Cisco TrustSec Configuration Guide 7-104 OL-22192-01...

  • Page 191: Controllers

    Configuration Guidelines and Restrictions Global Cat3K Restrictions AAA for Cisco TrustSec requires RADIUS and is supported only by the Cisco Identity Services • Engine (Cisco ISE), Release1.2 with patches or more recent, and Cisco Secure Access Control System (Cisco ACS), version 5.1 or more recent.

  • Page 192: Catalyst 3850 And Catalyst 3650 Switches, And Wlc 5700 Wireless Lan Controllers

    SGT of a previously authenticated host, the VLAN port (VP) to which these hosts belong is error-disabled. Cisco TrustSec enforcement is supported only on up to eight VLANs on a VLAN-trunk link. If there • are more than eight VLANs configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be error-disabled.

  • Page 193: Notes For Catalyst 4500 Series Switches

    TrustSec SGT and SGACL Configuration Guidelines and Limitations The following guidelines and limitations apply to configuring Cisco TrustSec SGT and SGACL on Catalyst WS-X45-SUP7-E/SUP7L-E and WS-C4500X-32 switches: Propagation of Security Group Tag in the CMD header is supported on the supervisor engine uplink ports, the WS-X47xx series line cards, and the WS-X4640-CSFP-E linecard.
  • Page 194 Appendix B Notes for Catalyst 4500 Series Switches TrustSec SGT and SGACL Configuration Guidelines and Limitations IP-SGT mappings are not VRF-aware. The TTL configuration is not supported for SGACL. The TCP flags supported by SGACL is similar to what the other ACLs support.

  • Page 195: Notes For Catalyst 6500 Series Switches

    Revised: April 26, 2013, OL-22192-01 TrustSec Supported Hardware TrustSec-capable supervisors and Line Cards are listed in tables 3 and 4 of “Cisco Catalyst 6500 Series with Supervisor Engine 2T: Enabling Cisco TrustSec with Investment Protection,” at the following URL: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11-658388.html The Catalyst 6500 Series switches that are not TrustSec hardware-capable implement TrustSec Network Device Admission Control (NDAC) without SAP or 802.1AE link encryption.

  • Page 196: Sample Configurations

    To collect only SGACL dropped packets, use the [no] cts role-based {ip | ipv6} flow monitor dropped global configuration command. For Flexible NetFlow overview and configuration information, see the following documents: Flexible NetFlow Configuration Guide, Cisco IOS Release 15S http://www.cisco.com/en/US/docs/ios-xml/ios/fnetflow/configuration/15-s/fnf-15-s-book.html Catalyst 6500 Release 15.0SY Software Configuration Guide http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/15_0_sy_...

  • Page 197: Configuration Excerpt Of An Ipv6 Flow Monitor

    The Flow Monitor can be attached per interface, configured to filter for combinations of ingress (input), egress (output), multicast, unicast, or Layer2 switched traffic. For IPv6, flow monitor is supported only for routed traffic in Cisco IOS Release 12.2(50)SY. router(config)# interface TenGigabitEthernet 8/1 router(config-if)# ip address 192.1.1.1 255.255.255.0...

  • Page 198: Trustsec System Error Messages

    TrustSec System Error Messages Cisco TrustSec system error messages are listed in the Cisco Catalyst 6500 Series Switches Error and System Messages guides, found at the following URL: http://www.cisco.com/en/US/products/hw/switches/ps708/products_system_message_guides_list.html The Error Message Decoder Tool is at the following URL: http://www.cisco.com/en/US/support/tsd_most_requested_tools.html...

  • Page 199: Prerequisites For Fips Configuration

    Delete all SSH server RSA1 key-pairs. Guidelines and Limitations for FIPS • The RADIUS keywrap feature works only with Cisco Identity Services Engine 1.1 or Cisco ACS Release 5.2 or later releases. • HTTPS/TLS access to the module is allowed in FIPS approved mode of operation, using SSLv3.1/TLSv1.0 and a FIPS approved algorithm.
  • Page 200 Appendix C Notes for Catalyst 6500 Series Switches FIPS Support Cisco TrustSec Configuration Guide OL-22192-01...
  • Page 201 Identity-to-port mapping. A method for a switch to define the identity on a port to which an endpoint is connected, and to use this identity to look up a particular SGT value in the Cisco Secure ACS server. Cisco TrustSec Configuration Guide...
  • Page 202 Non-seed devices do not have direct IP connectivity to the Cisco Secure ACS and require other devices Non-seed Device to authenticate and authorize them onto the TrustSec network, such as a seed device or a device already enrolled in the TrustSec network.
  • Page 203 Glossary In TrustSec, a network device without a direct connection to the Cisco Secure ACS which is requesting Supplicant TrustSec authentication from an authenticated TrustSec network device (an authenticator) NDAC is the process by which the supplicant device is admitted into the TrustSec network.
  • Page 204 Glossary Cisco TrustSec Configuration Guide GL-4 OL-22192-01...
  • Page 205 I N D E X Cisco TrustSec caching Numerics clearing 4-10 802.1AE enabling See Cisco TrustSec, IEEE 802.1AE support Cisco TrustSec device credentials 802.1X description 802.1X Host Modes Cisco TrustSec device identities description Cisco TrustSec environment data download 1-11 Cisco TrustSec...
  • Page 206 Index EAP-FAST in Cisco TrustSec authentication MACSec Error Messages See Cisco TrustSec, link security management interfaces default settings 3-12, 3-17 Media Access Control Security See Cisco TrustSec, link security mgmt0 interfaces Fibre Channel interfaces default settings 3-12, 3-17 default settings...
  • Page 207 IP addresses 3-12 Subnet to SGT mapping 3-12 WebAuth configuration process web-based authentication configuring configuring peer connections default passwords description 1-13 enabling reconcile period retry period source IP address Syslog Messages System Error Messages Cisco TrustSec Configuration Guide IN-3 OL-22192-01...
  • Page 208 Index Cisco TrustSec Configuration Guide IN-4 OL-22192-01...

Table of Contents