Cisco Catalyst 4500 Series Configuration Manual page 963

Chapter 43 Configuring MACsec Encryption
Table 43-2 Cisco TrustSec Features
Cisco TrustSec Feature
Network Device Admission Control (NDAC) NDAC is an authentication process by which each network device in the
Security Association Protocol (SAP)
Security Group Tag (SGT)
SGT is not supported in this release.
Note
SGT Exchange Protocol (SXP), including
SXPv2
When both ends of a link support 802.1AE MACsec, SAP negotiation occurs. An EAPOL-key exchange
occurs between the supplicant and the authenticator to negotiate a cipher suite, exchange security
parameters, and manage keys. Successful completion of these tasks results in the establishment of a
security association (SA).
Depending on your software version and licensing and link hardware support, SAP negotiation can use
one of these modes of operation:
•
•
•
•
Cisco TrustSec uses AES-128 GCM and GMAC and is compliant with the 802.1AE standard. GCM is
not supported on switches running the NPE or the LAN Base image.
Cisco TrustSec NDAC SAP is supported on trunk ports because it is intended only for network device
to network device links, that is, switch-to-switch links. It is not supported on:
•
•
•
The switch also does not support security group ACLs.
You must set the Cisco TrustSec credentials to create the Cisco TrustSec network.
You can configure Cisco TrustSec link layer security in 802.1X mode or manual mode.
OL-25340-01
Description
TrustSec domain can verify the credentials and trustworthiness of its peer
device. NDAC uses an authentication framework based on IEEE 802.1X
port-based authentication and uses Extensible Authentication Protocol
Flexible Authentication via Secure Tunnel (EAP-FAST) as its EAP method.
Authentication and authorization by NDAC results in Security Association
Protocol negotiation for 802.1AE encryption.
SAP is a Cisco proprietary key exchange protocol between switches. After
NDAC switch-to-switch authentication, SAP automatically negotiates keys
and the cipher suite for subsequent switch-to-switch MACsec encryption
between TrustSec peers. The protocol description is available under a
nondisclosure agreement.
An SGT is a 16-bit single label showing the security classification of a source
in the TrustSec domain. It is appended to an Ethernet frame or an IP packet.
With SXP, devices that are not TrustSec-hardware capable can receive SGT
attributes for authenticated users or devices from the Cisco Access Control
System (ACS). The devices then forward the source IP-to-SGT binding to a
TrustSec-hardware capable device for tagging and security group ACL
(SGACL) enforcement.
Galois Counter Mode (GCM)—authentication and encryption
GCM authentication (GMAC)— GCM authentication, no encryption
No Encapsulation—no encapsulation (clear text)
Null—encapsulation, no authentication or encryption
Host facing access ports (these ports support MKA MACsec)
Switch virtual interfaces (SVIs)
SPAN destination ports
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
Understanding Cisco TrustSec MACsec
43-9