Authentication; Cisco Trustsec And Authentication - Cisco TrustSec Configuration Manual


Chapter 1
Cisco TrustSec Overview
Cisco TrustSec uses ingress tagging and egress filtering to enforce access control policy in a scalable
manner. Packets entering the domain are tagged with a security group tag (SGT) containing the assigned
security group number of the source device. This packet classification is maintained along the data path
within the Cisco TrustSec domain for the purpose of applying security and other policy criteria. The final
Cisco TrustSec device on the data path, either the endpoint or network egress point, enforces an access
control policy based on the security group of the Cisco TrustSec source device and the security group of
the final Cisco TrustSec device. Unlike traditional access control lists based on network addresses, Cisco
TrustSec access control policies are a form of role-based access control lists (RBACLs) called security
group access control lists (SGACLs).
Note: Ingress refers to packets entering the first Cisco TrustSec-capable device encountered by a packet on its path to the destination, and egress refers to packets leaving the last Cisco TrustSec-capable device on the path.
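The ingress-tagging and egress-enforcement model described above, as an added Python illustration that is not code from the Cisco guide; the SGT numbers, prefixes, policy entries and the classification-by-prefix lookup are constructed assumptions made only for the example:

```python
# Model of Cisco TrustSec ingress tagging and egress SGACL enforcement.
# Added illustration, not code from the Cisco guide; all SGT numbers,
# prefixes and policy entries below are constructed sample values.
from ipaddress import ip_address, ip_network
from typing import Optional

# Classification table: prefix -> security group tag (SGT). The /32 entry is a
# server that sits inside the employee subnet but is classified by its role.
SGT_MAP = {
    ip_network("10.1.0.0/16"): 10,    # employees
    ip_network("10.2.0.0/16"): 20,    # contractors
    ip_network("10.9.0.0/24"): 30,    # servers
    ip_network("10.1.0.50/32"): 30,   # server living in the employee subnet
}

# SGACL matrix: (source SGT, destination SGT) -> ordered entries of
# (action, protocol, destination port); pairs without an entry are denied.
SGACL = {
    (10, 30): [("permit", "tcp", 443), ("permit", "tcp", 22)],
    (20, 30): [("permit", "tcp", 443)],
    (10, 10): [("permit", "any", None)],
}

def classify(ip: str) -> Optional[int]:
    """Return the SGT for an address using the most specific matching prefix."""
    addr = ip_address(ip)
    matches = [n for n in SGT_MAP if addr in n]
    return SGT_MAP[max(matches, key=lambda n: n.prefixlen)] if matches else None

def ingress_tag(packet: dict) -> dict:
    """First TrustSec device on the path: stamp the source SGT onto the packet."""
    return {**packet, "sgt": classify(packet["src"])}

def egress_enforce(packet: dict) -> str:
    """Last TrustSec device: derive the destination SGT and apply the SGACL."""
    sgt, dgt = packet.get("sgt"), classify(packet["dst"])
    if sgt is None or dgt is None:
        return "deny"           # unclassified traffic matches no policy cell
    for action, proto, port in SGACL.get((sgt, dgt), []):
        if proto in ("any", packet["proto"]) and port in (None, packet.get("dport")):
            return action
    return "deny"               # implicit deny at the end of the SGACL

def forward(src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    """Carry one packet across the domain and return the egress decision."""
    pkt = ingress_tag({"src": src, "dst": dst, "proto": proto, "dport": dport})
    return egress_enforce(pkt)
```

The server at 10.1.0.50 is reachable by contractors on 443 even though it lives in the employee subnet, which is the point of role-based rather than address-based policy.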

Authentication

This section includes the following topics:

Cisco TrustSec and Authentication, page 1-3
Device Identities, page 1-6
Device Credentials, page 1-6
User Credentials, page 1-6

Cisco TrustSec and Authentication

Using Network Device Admission Control (NDAC), Cisco TrustSec authenticates a device before allowing it to join the network. NDAC uses 802.1X authentication with Extensible Authentication Protocol Flexible Authentication via Secure Tunnel (EAP-FAST) as the Extensible Authentication Protocol (EAP) method to perform the authentication. EAP-FAST conversations provide for other EAP method exchanges inside the EAP-FAST tunnel using chains. Administrators can use traditional user-authentication methods, such as Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAPv2), while still having security provided by the EAP-FAST tunnel. During the EAP-FAST exchange, the authentication server creates and delivers to the supplicant a unique protected access credential (PAC) that contains a shared key and an encrypted token to be used for future secure communications with the authentication server.

Figure 1-2 shows the EAP-FAST tunnel and inner methods as used in Cisco TrustSec.

Cisco TrustSec Configuration Guide, OL-22192-01, page 1-3
