Device Identities; Device Credentials; User Credentials - Cisco TrustSec Configuration Manual

Information about Cisco TrustSec Architecture

At the end of the Cisco TrustSec authentication process, both the authenticator and the supplicant know
the following:

- Device ID of the peer
- Cisco TrustSec capability information of the peer
- Key used for the SAP

Device Identities

Cisco TrustSec does not use IP addresses or MAC addresses as device identities. Instead, you assign a
name (device ID) to each Cisco TrustSec-capable switch to identify it uniquely in the Cisco TrustSec
domain. This device ID is used for the following:

- Looking up the authorization policy
- Looking up passwords in the databases during authentication

Device Credentials

Cisco TrustSec supports password-based credentials. Cisco TrustSec authenticates the supplicants
through passwords and uses MSCHAPv2 to provide mutual authentication.

The authentication server uses these credentials to mutually authenticate the supplicant during the
EAP-FAST phase 0 (provisioning) exchange where a PAC is provisioned in the supplicant. Cisco
TrustSec does not perform the EAP-FAST phase 0 exchange again until the PAC expires, and only
performs EAP-FAST phase 1 and phase 2 exchanges for future link bringups. The EAP-FAST phase 1
exchange uses the PAC to mutually authenticate the authentication server and the supplicant. Cisco
TrustSec uses the device credentials only during the PAC provisioning (or reprovisioning) steps.

When the supplicant first joins the Cisco TrustSec domain, the authentication server authenticates the
supplicant and pushes a shared key and encrypted token to the supplicant with the PAC. The
authentication server and the supplicant use this key and token for mutual authentication in all future
EAP-FAST phase 0 exchanges.

User Credentials

Cisco TrustSec does not require a specific type of user credential for endpoint devices. You can choose
any type of user authentication method that is supported by the authentication server, and use the
corresponding credentials. For example, the Cisco Secure Access Control System (ACS) version 5.1
supports MSCHAPv2, generic token card (GTC), or RSA one-time password (OTP).

Cisco TrustSec Configuration Guide, OL-22192-01, Chapter 1: Cisco TrustSec Overview, page 1-6
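As an added illustration (not Cisco's code or configuration), the following Python model simulates the PAC lifecycle described under Device Credentials: the password-based device credential is consulted only in phase 0, the PAC's shared key and opaque token carry mutual authentication on every later link bring-up, and phase 0 runs again only once the PAC has expired. The HMAC challenge-response stands in for the real EAP-FAST TLS handshake, and the device IDs, passwords and lifetimes are constructed sample values.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass

@dataclass
class PAC:  # Protected Access Credential: shared key + opaque token, with an expiry (seconds)
    key: bytes
    opaque: bytes
    expires_at: int
def mac(key, *parts):  # HMAC stand-in for the EAP-FAST TLS handshake proofs (simplification)
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()
class AuthServer:
    def __init__(self, device_db, pac_lifetime):
        self.device_db, self.pac_lifetime = device_db, pac_lifetime  # device ID -> password
        self.pacs, self.pending, self.phase0_runs = {}, {}, 0
    def phase0_provision(self, device_id, password, now):
        """Phase 0: the password-based device credential is checked here and nowhere else."""
        self.phase0_runs += 1
        if not hmac.compare_digest(self.device_db.get(device_id, "").encode(), password.encode()):
            raise PermissionError(f"device credential check failed for {device_id}")
        self.pacs[device_id] = PAC(secrets.token_bytes(32), secrets.token_bytes(16),
                                   now + self.pac_lifetime)
        return self.pacs[device_id]
    def phase1_respond(self, device_id, opaque, sup_nonce, now):
        """Phase 1: prove possession of the PAC key; unknown, mismatched or expired PACs fail."""
        pac = self.pacs.get(device_id)
        if pac is None or opaque != pac.opaque or now >= pac.expires_at:
            return None
        srv_nonce = self.pending[device_id] = secrets.token_bytes(16)
        return srv_nonce, mac(pac.key, b"srv", sup_nonce, srv_nonce)
    def phase1_finish(self, device_id, sup_nonce, sup_proof):
        pac, srv_nonce = self.pacs[device_id], self.pending.pop(device_id)
        return hmac.compare_digest(sup_proof, mac(pac.key, b"sup", srv_nonce, sup_nonce))

class Supplicant:
    def __init__(self, device_id, password):
        self.device_id, self.password, self.pac = device_id, password, None

    def bring_up_link(self, server, now):
        """Run phase 0 only without a valid PAC; every other link bring-up is phase 1 alone."""
        if self.pac is None or now >= self.pac.expires_at:
            self.pac = server.phase0_provision(self.device_id, self.password, now)
        sup_nonce = secrets.token_bytes(16)
        reply = server.phase1_respond(self.device_id, self.pac.opaque, sup_nonce, now)
        if reply is None:
            return False
        srv_nonce, srv_proof = reply
        if not hmac.compare_digest(srv_proof, mac(self.pac.key, b"srv", sup_nonce, srv_nonce)):
            return False  # server failed to prove it holds the PAC key
        return server.phase1_finish(self.device_id, sup_nonce,
                                    mac(self.pac.key, b"sup", srv_nonce, sup_nonce))
```

Calling `bring_up_link` repeatedly with a rising clock shows `phase0_runs` staying at 1 until the PAC lifetime has elapsed, at which point reprovisioning runs exactly once more.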
