Configuring Credentials And Aaa For A Cisco Trustsec Seed Device - Cisco TrustSec Configuration Manual

Configuring Credentials and AAA for a Cisco TrustSec Seed Device

Configuring Credentials and AAA for a Cisco TrustSec Seed
Device
A Cisco TrustSec-capable device that is directly connected to the authentication server, or indirectly
connected but is the first device to begin the TrustSec domain, is called the seed device. Other Cisco
TrustSec network devices are non-seed devices.
To enable NDAC and AAA on the seed switch so that it can begin the Cisco TrustSec domain, perform
these steps:
Detailed Steps for Catalyst 6500, Catalyst 3K
Command
Step 1
Router# cts credentials id device-id
password password
Step 2
Router# configure terminal
Step 3
Router(config)# aaa new-model
Step 4
Router(config)# aaa authentication dot1x
default group radius
Step 5
Router(config)# aaa authorization
network mlist group radius
Step 6
Router(config)# cts authorization list
mlist
Step 7
Router(config)# aaa accounting dot1x
default start-stop group radius
Step 8
Router(config)# radius-server host
ip-addr auth-port 1812 acct-port 1813
pac key secret
Step 9
Router(config)# radius-server vsa send
authentication
Step 10
Router(config)# dot1x
system-auth-control
Step 11
Router(config)# exit
Cisco TrustSec Configuration Guide
3-2
Chapter 3 Configuring Identities, Connections, and SGTs
Purpose
Specifies the Cisco TrustSec device ID and password
for this switch to use when authenticating with other
Cisco TrustSec devices with EAP-FAST. The
device-id argument has a maximum length of 32
characters and is case sensitive.
Enters global configuration mode.
Enables AAA.
Specifies the 802.1X port-based authentication
method as RADIUS.
Configures the switch to use RADIUS authorization
for all network-related service requests.
mlist—The Cisco TrustSec AAA server group.
•
Specifies a Cisco TrustSec AAA server group.
Non-seed devices will obtain the server list from the
authenticator.
Enables 802.1X accounting using RADIUS.
Specifies the RADIUS authentication server host
address, service ports, and encryption key.
• ip-addr—The IP address of the authentication
server.
secret—The encryption key shared with the
•
authentication server.
Configures the switch to recognize and use
vendor-specific attributes (VSAs) in RADIUS
Access-Requests generated by the switch during the
authentication phase.
Globally enables 802.1X port-based authentication.
Exits configuration mode.
OL-22192-02