Cisco TrustSec Configuration Manual page 17


Chapter 1 Cisco TrustSec Overview
Information about Cisco TrustSec Architecture

This section includes the following topics:
• Cisco TrustSec Enhancements to EAP-FAST, page 1-5
• 802.1X Role Selection, page 1-5
• Cisco TrustSec Authentication Summary, page 1-5

Cisco TrustSec Enhancements to EAP-FAST
The implementation of EAP-FAST for Cisco TrustSec has the following enhancements:
• Authenticate the authenticator—Securely determines the identity of the authenticator by requiring the authenticator to use its PAC to derive the shared key between itself and the authentication server. This feature also removes the need to configure RADIUS shared keys on the authentication server for every possible IP address that the authenticator could use.
• Notify each device of the identity of its peer—By the end of the authentication exchange, the authentication server has identified both the supplicant and the authenticator. The authentication server conveys the identity of the authenticator, and whether the authenticator is Cisco TrustSec-capable, to the supplicant by using additional type-length-value (TLV) parameters in the protected EAP-FAST termination. The authentication server also conveys the identity of the supplicant, and whether the supplicant is Cisco TrustSec-capable, to the authenticator by using RADIUS attributes in the Access-Accept message. Because each device knows the identity of its peer, it can send additional RADIUS Access-Requests to the authentication server to acquire the policy to be applied on the link.

802.1X Role Selection
In 802.1X, the authenticator must have IP connectivity with the authentication server because it has to relay the authentication exchange between the supplicant and the authentication server using RADIUS over UDP/IP. When an endpoint device, such as a PC, connects to a network, it is obvious that it should function as a supplicant. However, in the case of a Cisco TrustSec connection between two network devices, the 802.1X role of each network device might not be immediately apparent to the other network device.
Instead of requiring manual configuration of the authenticator and supplicant roles for two adjacent switches, Cisco TrustSec runs a role-selection algorithm to automatically determine which switch functions as the authenticator and which functions as the supplicant. The role-selection algorithm assigns the authenticator role to the switch that has IP reachability to a RADIUS server. Both switches start both the authenticator and supplicant state machines. When a switch detects that its peer has access to a RADIUS server, it terminates its own authenticator state machine and assumes the role of the supplicant. If both switches have access to a RADIUS server, the first switch to receive a response from the RADIUS server becomes the authenticator and the other switch becomes the supplicant.

Cisco TrustSec Authentication Summary
By the end of the Cisco TrustSec authentication process, the authentication server has performed the following actions:
• Verified the identities of the supplicant and the authenticator.
• Authenticated the user if the supplicant is an endpoint device.
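The role-selection algorithm from the 802.1X Role Selection section, written out as a small simulation. This is an added example, not Cisco code: the Switch fields, the RADIUS round-trip times and the name-based tie-break are constructed assumptions, and the case where neither switch can reach a RADIUS server is reported as unresolved because the guide does not describe it.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Switch:
    """One end of a Cisco TrustSec link; fields are constructed for this example."""
    name: str
    radius_reachable: bool                 # has IP reachability to a RADIUS server
    radius_rtt_ms: Optional[float] = None  # delay until its first RADIUS response
    authenticator_running: bool = True     # both state machines start on every switch
    supplicant_running: bool = True
    role: Optional[str] = None


def select_roles(a: Switch, b: Switch) -> Dict[str, Optional[str]]:
    """Apply the guide's role-selection rules to the two switches on one link.

    Returns name -> 'authenticator', 'supplicant' or None; None on both sides
    means no switch can reach a RADIUS server, so no authenticator is elected
    (the guide does not describe that case, so it is left unresolved here).
    """
    for s in (a, b):
        s.authenticator_running = s.supplicant_running = True
        s.role = None

    # Rule 1: a switch that detects its peer has RADIUS access terminates its
    # own authenticator state machine and assumes the supplicant role.
    for s, peer in ((a, b), (b, a)):
        if peer.radius_reachable and not s.radius_reachable:
            s.authenticator_running = False
            s.role = "supplicant"

    candidates = [s for s in (a, b) if s.radius_reachable and s.authenticator_running]
    if not candidates:
        return {a.name: None, b.name: None}

    # Rule 2: if both sides can reach RADIUS, the first to receive a RADIUS
    # response becomes the authenticator.  A switch with no response never
    # wins; an exact tie is broken by name (an assumption, not from the guide).
    def first_response(s: Switch):
        rtt = s.radius_rtt_ms if s.radius_rtt_ms is not None else float("inf")
        return (rtt, s.name)

    auth = min(candidates, key=first_response)
    auth.role, auth.supplicant_running = "authenticator", False
    for s in (a, b):
        if s is not auth:
            s.role, s.authenticator_running = "supplicant", False
    return {a.name: a.role, b.name: b.role}
```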
Cisco TrustSec Configuration Guide
OL-22192-01
1-5
