Configuring Endpoint Admission Control; Information About Endpoint Admission Control - Cisco TrustSec Configuration Manual

Configuring Endpoint Admission Control

Revised: May 28, 2010, OL-22192-01
Cisco TrustSec Configuration Guide, Chapter 6

This chapter contains the following sections:

• Information About Endpoint Admission Control
• Basic EAC Configuration Sequence
• 802.1X Authentication Configuration
• MAC Authentication Bypass Configuration
• Web Authentication Proxy Configuration
• Flexible Authentication Sequence and Failover Configuration
• 802.1X Host Modes
• Pre-Authentication Open Access
• DHCP Snooping and SGT Assignment
• Cisco TrustSec Endpoint Access Control Feature Histories

Information About Endpoint Admission Control

In TrustSec networks, packets are filtered at the egress, not the ingress to the network. In TrustSec
endpoint authentication, a host accessing the TrustSec domain (endpoint IP address) is associated with
a Security Group Tag (SGT) at the access device through DHCP snooping and IP device tracking. The
access device transmits that association (binding) through SXP to TrustSec hardware-capable egress
devices, which maintain a continually updated table of source IP-to-SGT bindings. Packets are filtered
on egress by the TrustSec hardware-capable devices by applying security group ACLs (SGACLs).

Endpoint Admission Control (EAC) access methods for authentication and authorization can include the
following:

• 802.1X port-based Authentication
• MAC Authentication Bypass (MAB)
• Web Authentication (WebAuth)

All port-based authentication can be enabled with the authentication command. Each access method
must be configured individually per port. The flexible authentication sequence and failover features
permit the administrator to specify the failover and fallback sequence when multiple authentication
modes are configured and the active method fails. The 802.1X host mode determines how many endpoint
hosts can be attached per 802.1X port.
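
The following access-port configuration is an added example in Cisco IOS syntax, not taken from the Cisco guide. It shows the per-port access methods, a flexible authentication sequence with failover from 802.1X to MAB, a host mode, and the DHCP snooping and IP device tracking that supply the endpoint IP address for the SGT binding. The interface names, VLAN 10, the RADIUS address 192.0.2.10 and the key placeholder are assumptions, and command availability varies by platform and software release.

```cisco
! Added example: addresses, VLAN, interface names and the key are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 key <RADIUS_SHARED_SECRET>
!
! Enable 802.1X globally.
dot1x system-auth-control
!
! DHCP snooping and IP device tracking let the access device learn the
! endpoint IP address that it associates with the SGT.
ip dhcp snooping
ip dhcp snooping vlan 10
ip device tracking
!
interface GigabitEthernet1/0/1
 description Endpoint-facing access port
 switchport mode access
 switchport access vlan 10
 ! Each access method is enabled individually on the port.
 dot1x pae authenticator
 mab
 ! Flexible authentication sequence: try 802.1X first, then MAB.
 authentication order dot1x mab
 ! If an endpoint admitted by MAB later starts 802.1X, 802.1X takes precedence.
 authentication priority dot1x mab
 ! Failover: when the active method fails, move to the next one in the order.
 authentication event fail action next-method
 ! Host mode: a single authenticated endpoint on this port.
 authentication host-mode single-host
 authentication port-control auto
!
interface GigabitEthernet1/0/48
 description Uplink toward the DHCP server
 ! Only the uplink is trusted to carry DHCP server replies.
 ip dhcp snooping trust
```

To check the result on the switch, `show authentication sessions interface GigabitEthernet1/0/1` reports which method admitted the endpoint, and `show ip device tracking all` lists the learned IP addresses.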
