Cisco TrustSec Configuration Manual

Text of Cisco TrustSec User Guide:

  • Cisco TrustSec Configuration Guide OL-22192-01, Glossary (GL-3):

    Supplicant: In TrustSec, a network device without a direct connection to the Cisco Secure ACS which is requesting TrustSec authentication from an authenticated TrustSec network device (an authenticator). NDAC is the process by which the supplicant device is admitted into the TrustSec network.

    SXP: SGT Exchange Protocol. Allows devices with SXP support to build a source IP-to-SGT binding table, and then transfers the table to TrustSec hardware-capable devices through an out-of-band TCP connection using MD5-based authentication. (The MD5 authentication proves the peer holds the shared SXP password and protects the TCP segments from tampering; it does not encrypt the bindings in transit.)

    TrustSec: Trusted Security. Same as Cisco Tr

  • Index (IN-1):

    802.1AE: see Cisco TrustSec, IEEE 802.1AE support
    802.1X 6-2
    802.1X Host Modes 6-5
    Cisco TrustSec
      architecture 1-1
      authorization 1-10
      configuring 4-10
      configuring NDAC 1-3
      connection caching 4-9
      default values 2-3
      enabling 3-2, 3-3
      environment data download 1-11
      guidelines and limitations 2-3
      IEEE 802.1AE support 1-12
      link security 1-12
      manual mode 3-6
      permissions matrix 1-7
      policy acquisition 1-10
      RADIUS relay

  • Chapter 1, Cisco TrustSec Overview, Using Cisco TrustSec-Incapable Devices and Networks in a Cisco TrustSec Network (1-17):

    VRF-Aware SXP. The SXP implementation of Virtual Routing and Forwarding (VRF) binds an SXP connection to a specific VRF. It is assumed that the network topology is correctly configured for Layer 2 or Layer 3 VPNs, with all VRFs configured before enabling Cisco TrustSec. SXP VRF support can be summarized as follows:
    • Only one SXP connection can be bound to one VRF.
    • Different VRFs may have overlapping SXP peer or source IP addresses.
    • IP–SGT mappings learned (added or deleted) in one VRF can be updat

  • Chapter 7, Cisco TrustSec Command Summary, show cts (7-74):

    To display states and statistics related to Cisco TrustSec, use the show cts privileged EXEC command.

      show cts [authorization entries | credentials | environment-data | interface {type slot/port | vlan vlan_number} | keystore | macsec counters interface type slot/port [delta] | pacs | policy layer3 [ipv4 | ipv6] | policy peer peer_id | provisioning | role-based counters ... | role-based flow ... | role-based permissions ... | role-based sgt-map ... | server-list | sxp connections ... | s

  • Cisco TrustSec Configuration Guide OL-22192-02, Chapter 3, Configuring Identities, Connections, and SGTs, Configuring Cisco TrustSec and MACsec in Manual Mode on an Uplink Port (3-6):

    Configuration Examples for 802.1X on Uplink Port. Catalyst 6500: Cisco TrustSec authentication in 802.1X mode on an interface using GCM as the preferred SAP mode; the authentication server did not provide

  • Chapter 7, Cisco TrustSec Command Summary, timer reauthentication (cts interface) (7-15):

    Use the timer reauthentication command in CTS interface configuration mode to set the reauthentication timer. Use the no form of the command to disable the timer.

      [no] timer reauthentication seconds

    Defaults: None. Command Modes: CTS interface configuration (config-if-cts-dot1x). Supported User Roles: Administrator.
    Usage Guidelines: This command sets the TrustSec reauthentication timer. When this timer expires, the device reauthenticates to the CTS network (NDAC).
    Examples: The followin

  • Chapter 3, Configuring Identities, Connections, and SGTs, Manually Configuring a Device SGT (3-11), show output:

      Peer identity: "unknown"
      Peer's advertised capabilities: ""
      Authorization Status: NOT APPLICABLE
      SAP Status: NOT APPLICABLE
      Propagate SGT: Enabled
      Cache Info:
        Expiration : N/A
        Cache applied to link : NONE
      Statistics:
        authc success: 0
        authc reject: 0
        authc failure: 0
        authc

  • Chapter 7, Cisco TrustSec Command Summary, cts server (7-36):

    Command Modes: Global configuration (config). Supported User Roles: Administrator.
    Usage Guidelines: Use the key-wrap keyword when operating the switch in FIPS mode. Information on RADIUS server load balancing is available at http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/sbrdldbl.html
    Examples: The following example shows how to configure server settings and how to display the Cisco Trust

  • Chapter 7, Cisco TrustSec Command Summary, policy (cts manual interface configuration submode) (7-65), show output continued:

        authz success: 5
        authz fail: 0
        port auth fail: 0
      Ingress:
        control frame bypassed: 0
        sap frame bypassed: 0
        esp packets: 0
        unknown sa: 0
        invalid sa: 0
        inverse binding failed: 0
        auth failed: 0
        replay error: 0

  • Chapter 7, Cisco TrustSec Command Summary, cts policy layer3 (7-19):

    To specify traffic and exception policies for CTS Layer 3 Transport on a system when a Cisco Secure ACS is not available, use the cts policy layer3 global configuration command.

      [no] cts policy layer3 ipv4 {[exception access_list] | [traffic access_list]}
      [no] cts policy layer3 ipv6 {[exception access_list] | [traffic access_list]}

    Defaults: No policy is the default. Command Modes: Global configuration (config). Supported User Roles: Administrator. Command H

  • Chapter 7, Cisco TrustSec Command Summary, match flow cts (7-60):

    To add the Cisco TrustSec flow objects to a Flexible NetFlow flow record, use the match flow cts record configuration command.

      [no] match flow cts destination group-tag
      [no] match flow cts source group-tag

    Defaults: There are no defaults for this command. Command Modes: Flexible NetFlow record configuration (config-flow-record). Supported User Roles: Administrator.
    Usage Guidelines: Flexible NetFlow can account for packets dropped by SGACL enforcement when SGT a

  • Chapter 4, Configuring SGT Exchange Protocol over TCP (SXP) and Layer 3 Transport, Configuring Cisco TrustSec Reflector for Cisco TrustSec-Incapable Switching Modules (4-8):

    • Traffic and exception policies can be downloaded from the authentication server (if supported by your Cisco IOS Release) or manually configured on the device. The policies are applied based on these rules:
      – If a traffic policy or an exception policy is downloaded from the authentication server, it takes precedence over any manually configured traffic or exception policy.
      – If the authentication server is not available but both a traffic policy and an

  • Chapter 7, Cisco TrustSec Command Summary, cts credentials (7-11):

    Examples: The following example configures himalaya and cisco as the CTS device ID and password (the password is the guide's placeholder; the device password is the credential the ACS uses to authenticate this switch, so use a strong, per-device value in a real deployment):

      Router# cts credentials id himalaya password cisco
      CTS device ID and password have been inserted in the local keystore. Please make sure that the same ID and p

  • Chapter 7, Cisco TrustSec Command Summary, cts role-based (7-33):

    The vlan-ids argument can be a single VLAN ID, a list of VLAN IDs, or VLAN ID ranges. Separate multiple entries with a comma "," and write a range with a hyphen "-". The keyword all is equivalent to the full range of VLANs supported by the platform (for example, the Catalyst 6500 VLAN range is 1–4094). Issuing multiple commands has an additive effect: SGACLs are enforced on all the VLANs of all the lists specified. The keyword all is not preserved in the nonvo
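The vlan-ids grammar above (single ID, comma-separated list, hyphenated ranges, the keyword all, additive across commands) is small enough to model exactly. The following is an added example, not code from the Cisco guide: parse_vlan_list and EnforcementVlans are hypothetical names, and the 1-4094 bound is the Catalyst 6500 figure quoted in the fragment, not a general platform constant. It rejects malformed input instead of guessing, which matters here because a mis-parsed list silently changes which VLANs are enforced.

```python
"""Added example, not Cisco code: a parser for the vlan-ids argument as the
guide describes it (single ID, comma-separated list, hyphenated ranges, the
keyword all, additive across commands). The 1-4094 bound is the Catalyst
6500 range quoted in the guide; other platforms may differ."""
from __future__ import annotations

PLATFORM_VLAN_MIN = 1
PLATFORM_VLAN_MAX = 4094  # Catalyst 6500 figure from the guide


def parse_vlan_list(spec: str, vmin: int = PLATFORM_VLAN_MIN,
                    vmax: int = PLATFORM_VLAN_MAX) -> set[int]:
    """Return the set of VLAN IDs named by spec.

    Accepts "10", "10,20", "10-20", "1-5,100,200-202" and "all".
    Malformed tokens, inverted ranges and IDs outside vmin..vmax raise,
    so a typo does not silently widen or narrow enforcement.
    """
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(vmin, vmax + 1))
    vlans: set[int] = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            raise ValueError(f"empty entry in VLAN list: {spec!r}")
        if "-" in token:
            lo_s, hi_s = token.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"inverted range: {token}")
        else:
            lo = hi = int(token)
        if lo < vmin or hi > vmax:
            raise ValueError(f"VLAN ID outside {vmin}-{vmax}: {token}")
        vlans.update(range(lo, hi + 1))
    return vlans


class EnforcementVlans:
    """The set of VLANs on which SGACL enforcement is on. Each add() models
    one more command carrying a vlan-ids argument; the effect is additive,
    as the guide states, rather than replacing the previous list."""

    def __init__(self) -> None:
        self.vlans: set[int] = set()

    def add(self, spec: str) -> None:
        self.vlans |= parse_vlan_list(spec)

    def remove(self, spec: str) -> None:
        """Models the no form for one list."""
        self.vlans -= parse_vlan_list(spec)

    def is_enforced(self, vlan: int) -> bool:
        return vlan in self.vlans

    def compact(self) -> str:
        """Render the set as the shortest comma/hyphen list. The keyword all
        is never emitted, matching the guide's note that all is not
        preserved; a full range comes back as 1-4094."""
        ids = sorted(self.vlans)
        parts: list[str] = []
        i = 0
        while i < len(ids):
            j = i
            while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
                j += 1
            parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
            i = j + 1
        return ",".join(parts)
```

Feeding the same list to add() twice is harmless, and two different lists accumulate, which is the additive behaviour the fragment describes; compact() is the form an operator would expect to see when the configuration is read back.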

  • Chapter 7, Cisco TrustSec Command Summary, show cts server-list (7-96):

    To display the list of RADIUS servers available to TrustSec seed and nonseed devices, use the show cts server-list command in EXEC or privileged EXEC mode.

      show cts server-list

    Syntax Description: This command has no arguments or keywor

  • Chapter 7, Cisco TrustSec Command Summary (7-1). Revised: April 26, 2013, OL-22192-01

    Cisco TrustSec Privileged EXEC Commands:
      cts change-password: Initiate password change with AAA server.
      cts credentials: Inserts CTS device ID and password into the keystore.
      cts refresh: Refresh environment, peer and RBACL policies.
      cts rekey: CTS SAP rekey.
      cts role-based policy trace: TrustSec SGT and SGACL trace utility.

    Cisco TrustSec Global Configuration Commands:
      cts authorization list: Configures CTS global authorization configuration.
      cts cache

  • Chapter 3, Configuring Identities, Connections, and SGTs, Manually Configuring IP-Address-to-SGT Mapping (3-17):

    Default Settings: There are no default settings.

    Configuring VLAN to SGT Mapping. This section includes the following topics: Task Flow for Configuring VLAN-SGT Mapping, page 3-17.

    Task Flow for Configuring VLAN-SGT Mapping:
    • Create a VLAN on the TrustSec switch with the same VLAN_ID of the incoming VLAN.
    • Create an SVI for the VLAN on the TrustSec switch to

  • Chapter 7, Cisco TrustSec Command Summary, cts role-based policy trace (7-28), example output:

      Protocol               : UDP
      Source IP Address      : 10.2.2.1
      Source Port            : 177
      Destination IP Address : 10.1.1.2
      Destination Port       : 80
      Result:
      ==========
      Source SGT mapped to Int Gi 1/1 : 6
      Destination IP: 10.1.1.2 SGT: 5 Source:CLI
      For <SGT, DGT> pair <6, 5> :
      Applicable RBACL : deny_v4_udp-10
        10 deny udp

    The following example traces an HTTP over UDP packet from an IPv6 ho

  • Chapter 7, Cisco TrustSec Command Summary, show cts policy peer (7-90), output field explanations:

      Policy expires in (dd:hr:mm:sec): This peer policy is due to expire after this elapsed time.
      Policy refreshes in 0:00:01:51 (dd:hr:mm:sec): This peer policy will be refreshed after this elapsed time.
      Cache data applied = NONE: This policy was not populated from cache, i.e., it was acquired from the ACS.

    Related Commands:
      cts refresh: Forces refresh of peer authorization policies.
      clear cts policy: Clears the peer authorization policy of a T

  • Appendix C, Notes for Catalyst 6500 Series Switches, Flexible NetFlow Support (C-2):

    Flexible NetFlow can account for packets dropped by SGACL enforcement when SGT and DGT flow objects are configured in the flow record with the standard 5-tuple flow objects. Use the flow record and flow exporter global configuration commands to configure a flow record and a flow exporter, then use the flow monitor command to add them to a flow monitor. Use the show flow show co

  • Chapter 1, Cisco TrustSec Overview, Information about Cisco TrustSec Architecture (1-6):

    At the end of the Cisco TrustSec authentication process, both the authenticator and the supplicant know the following:
    • Device ID of the peer
    • Cisco TrustSec capability information of the peer
    • Key used for the SAP

    Device Identities. Cisco TrustSec does not use IP addresses or MAC addresses as device identities. Instead, you assign a name (device ID) to each Cisco TrustSec-capable switch to identify it uniquely in the Cisco TrustSec domain. This device ID is used for the f

  • Chapter 7, Cisco TrustSec Command Summary, show cts environment-data (7-80):

    To display the TrustSec environment data, use the show cts environment-data command in EXEC or privileged EXEC mode.

      show cts environment-data

    Syntax Description: This command has no arguments or keywords. Defaults: None

  • Cisco TrustSec Switch Configuration Guide OL-22192-02, Chapter 5, Configuring SGACL Policies, Manually Configuring SGACL Policies, Configuration Examples for Manually Configuring SGACL Policies (5-5):

    Catalyst 3850 IPv4 Manual SGACL policy:

      Switch(config)# ip access role allow_webtraff
      Switch(config-rb-acl)# 10 permit tcp dst eq 80
      Switch(config-rb-acl)# 20 permit tcp dst eq 443
      Switch(config-rb-acl)# 30 permit icmp
      Switch(config-rb-acl)# 40 deny ip
      Switch(config-rb-acl)# exit
      Switch(config)# cts role-based
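Three fragments on this page fit together: the VRF-aware SXP rules in Chapter 1 (bindings are per VRF, so overlapping prefixes in different VRFs are allowed), the cts role-based policy trace output in Chapter 7 (resolve the source SGT and destination SGT, pick the RBACL for the <SGT, DGT> pair, walk its ACEs in order), and the manual SGACL just above. The block below is an added example, not Cisco code, that models all three so the trace can be reproduced offline. BindingTable, parse_rbacl and policy_trace are hypothetical names; the VRF names red and blue, the 10.1.1.2/32 SXP binding, and SGT 7 are constructed. The two fallback actions (no RBACL for the pair; no ACE matched) are parameters with values chosen for this example, not documented platform defaults; the guide's RBACL ends in an explicit deny ip, so the second one never applies to it.

```python
"""Added example, not Cisco code: models the pieces the guide describes so the
trace output above can be reproduced offline. A VRF-aware IP-to-SGT binding
table, the Catalyst 3850 SGACL from the example above, and a role-based
policy trace. VRF names, IPs and SGT numbers are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

SGT_UNKNOWN = 0  # SGT 0 is the reserved "unknown" tag


@dataclass
class BindingTable:
    """IP-to-SGT bindings kept per VRF, so overlapping prefixes in different
    VRFs may carry different SGTs; lookup is longest prefix inside one VRF."""
    bindings: dict = field(default_factory=dict)  # vrf -> {network: (sgt, source)}

    def add(self, vrf: str, prefix: str, sgt: int, source: str = "CLI") -> None:
        self.bindings.setdefault(vrf, {})[ipaddress.ip_network(prefix)] = (sgt, source)

    def lookup(self, vrf: str, ip: str) -> tuple[int, str]:
        addr = ipaddress.ip_address(ip)
        best = None
        for net, (sgt, src) in self.bindings.get(vrf, {}).items():
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, sgt, src)
        return (SGT_UNKNOWN, "none") if best is None else (best[1], best[2])


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str            # permit | deny
    proto: str             # tcp | udp | icmp | ip
    dst_port: int | None   # from "dst eq N"; None matches any port
    text: str


def parse_rbacl(lines: list[str]) -> list[Ace]:
    """Parse `SEQ permit|deny PROTO [dst eq PORT]` lines as typed in the ip
    access role submode; anything else raises rather than becoming a permit."""
    aces = []
    for raw in lines:
        tok = raw.split()
        ok = len(tok) >= 3 and tok[1] in ("permit", "deny") \
            and tok[2] in ("tcp", "udp", "icmp", "ip")
        if ok and len(tok) > 3:
            ok = len(tok) == 6 and tok[3:5] == ["dst", "eq"]
        if not ok:
            raise ValueError(f"unsupported ACE: {raw!r}")
        port = int(tok[5]) if len(tok) == 6 else None
        aces.append(Ace(int(tok[0]), tok[1], tok[2], port, raw.strip()))
    return sorted(aces, key=lambda a: a.seq)


def ace_matches(ace: Ace, proto: str, dport: int | None) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    return ace.dst_port is None or ace.dst_port == dport


def policy_trace(table: BindingTable, policy: dict, vrf: str, src_ip: str,
                 dst_ip: str, proto: str, dport: int | None = None,
                 src_sgt: int | None = None, default_action: str = "permit",
                 end_of_list: str = "deny") -> dict:
    """What cts role-based policy trace reports: resolved <SGT, DGT>, the RBACL
    bound to the pair, and the first matching ACE. src_sgt overrides the table
    when the tag is known from the ingress interface, as in the guide's trace.
    default_action (no RBACL for the pair) and end_of_list (no ACE matched)
    are this example's choices, not documented platform defaults."""
    if src_sgt is None:
        src_sgt, src_from = table.lookup(vrf, src_ip)
    else:
        src_from = "interface"
    dst_sgt, dst_from = table.lookup(vrf, dst_ip)
    result = {"sgt": src_sgt, "sgt_from": src_from, "dgt": dst_sgt,
              "dgt_from": dst_from, "rbacl": None, "ace": None}
    entry = policy.get((src_sgt, dst_sgt))
    if entry is None:
        return {**result, "action": default_action}
    result["rbacl"], aces = entry
    for ace in aces:
        if ace_matches(ace, proto, dport):
            return {**result, "ace": ace.text, "action": ace.action}
    return {**result, "action": end_of_list}


# Constructed scenario: the guide's allow_webtraff RBACL bound to <6, 5>, a
# deny-all RBACL bound to <6, 7>, and 10.1.1.0/24 in two VRFs with different SGTs.
ALLOW_WEBTRAFF = parse_rbacl(["10 permit tcp dst eq 80", "20 permit tcp dst eq 443",
                              "30 permit icmp", "40 deny ip"])
TABLE = BindingTable()
TABLE.add("red", "10.1.1.0/24", 5)
TABLE.add("red", "10.1.1.2/32", 5, source="SXP")
TABLE.add("blue", "10.1.1.0/24", 7)
POLICY = {(6, 5): ("allow_webtraff", ALLOW_WEBTRAFF),
          (6, 7): ("deny_all", parse_rbacl(["10 deny ip"]))}
```

Running policy_trace(TABLE, POLICY, "red", "10.2.2.1", "10.1.1.2", "udp", 80, src_sgt=6) reproduces the shape of the guide's trace: source SGT 6 from the interface, destination SGT 5 from the binding table, RBACL allow_webtraff, and the matching ACE 40 deny ip, because the first three ACEs are tcp or icmp only. The same flow in VRF blue resolves the destination to SGT 7 and lands on the deny_all RBACL, which is the practical consequence of per-VRF bindings: a lookup in the wrong VRF yields the wrong tag and therefore the wrong policy.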
