Cisco TrustSec Network Device Admission Control

The Cisco TrustSec Network Device Admission Control (NDAC) feature creates an independent layer of
trust between Cisco TrustSec devices to prohibit rogue devices from being allowed on the network.
• Information About Cisco TrustSec Network Device Admission Control, page 1
• How to Configure Cisco TrustSec Network Device Admission Control, page 1
• Configuration Examples for Cisco TrustSec Network Device Admission Control, page 6
• Additional References, page 6
• Feature Information for Cisco TrustSec Network Device Admission Control, page 7
Information About Cisco TrustSec Network Device Admission Control
Cisco TrustSec NDAC Authentication for an Uplink Interface
Cisco TrustSec NDAC authentication with 802.1X must be enabled on each uplink interface that connects to
another Cisco TrustSec device.
How to Configure Cisco TrustSec Network Device Admission Control
Configuring AAA for Cisco TrustSec NDAC Devices
Configure authentication, authorization, and accounting (AAA) on both seed and non-seed Network Device
Admission Control (NDAC) devices.
Cisco TrustSec Configuration Guide, Cisco IOS Release 15SY
1
Configuring AAA on Cisco TrustSec Seed Devices
SUMMARY STEPS
1. enable
2. cts credentials id cts-id password cts-password
3. configure terminal
4. aaa new-model
5. aaa session-id common
6. radius server radius-server-name
7. address ipv4 {hostname | ipv4address} [acct-port port | alias {hostname | ipv4address} | auth-port port [acct-port port]]
8. pac key encryption-key
9. exit
10. radius-server vsa send authentication
11. aaa group server radius group-name
12. server name radius-server-name
13. exit
14. aaa authentication dot1x default group group-name
15. aaa authorization network default group group-name
16. aaa authorization network list-name group group-name
17. cts authorization list list-name
18. exit
DETAILED STEPS

Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable

Step 2
Command or Action: cts credentials id cts-id password cts-password
Purpose: Specifies the Cisco TrustSec ID and password of the network device. This is a privileged EXEC command; the credentials are stored in the device keystore rather than in the running configuration, and the same ID and password must be provisioned for this device on the AAA server.
Example:
Device# cts credentials id CTS-One password cisco123

Step 3
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 4
Command or Action: aaa new-model
Purpose: Enables new RADIUS and AAA access control commands and functions and disables old commands.
Example:
Device(config)# aaa new-model

Step 5
Command or Action: aaa session-id common
Purpose: Ensures that the same session identification (ID) information is used for each AAA accounting service type within a given call.
Example:
Device(config)# aaa session-id common

Step 6
Command or Action: radius server radius-server-name
Purpose: Specifies the name for the RADIUS server configuration for Protected Access Credential (PAC) provisioning and enters RADIUS server configuration mode.
Example:
Device(config)# radius server cts-aaa-server

Step 7
Command or Action: address ipv4 {hostname | ipv4address} [acct-port port | alias {hostname | ipv4address} | auth-port port [acct-port port]]
Purpose: Configures the IPv4 address for the RADIUS server accounting and authentication parameters.
Example:
Device(config-radius-server)# address ipv4 192.0.2.1 auth-port 1812 acct-port 1813

Step 8
Command or Action: pac key encryption-key
Purpose: Specifies the PAC encryption key. The key must match the shared secret configured for this device on the AAA server, otherwise PAC provisioning fails and the device cannot authenticate its peers.
Example:
Device(config-radius-server)# pac key cisco123

Step 9
Command or Action: exit
Purpose: Exits RADIUS server configuration mode and enters global configuration mode.
Example:
Device(config-radius-server)# exit

Step 10
Command or Action: radius-server vsa send authentication
Purpose: Configures the network access server (NAS) to recognize and use only authentication vendor-specific attributes (VSAs).
Example:
Device(config)# radius-server vsa send authentication

Step 11
Command or Action: aaa group server radius group-name
Purpose: Groups different RADIUS server hosts into distinct lists and distinct methods and enters RADIUS group server configuration mode.
Example:
Device(config)# aaa group server radius cts_sg

Step 12
Command or Action: server name radius-server-name
Purpose: Specifies a RADIUS server. The name must be one defined with the radius server command in Step 6.
Example:
Device(config-sg-radius)# server name cts-aaa-server

Step 13
Command or Action: exit
Purpose: Exits RADIUS group server configuration mode and enters global configuration mode.
Example:
Device(config-sg-radius)# exit

Step 14
Command or Action: aaa authentication dot1x default group group-name
Purpose: Specifies the RADIUS server group to use for authentication on interfaces running IEEE 802.1X.
Example:
Device(config)# aaa authentication dot1x default group cts_sg

Step 15
Command or Action: aaa authorization network default group group-name
Purpose: Specifies that the RADIUS server group method is the default method for authorization into a network.
Example:
Device(config)# aaa authorization network default group cts_sg

Step 16
Command or Action: aaa authorization network list-name group group-name
Purpose: Defines a named authorization method list that uses the RADIUS server group; the list name is referenced in Step 17.
Example:
Device(config)# aaa authorization network cts-mlist group cts_sg

Step 17
Command or Action: cts authorization list list-name
Purpose: Specifies the authorization method list (and therefore the AAA servers) used by the Cisco TrustSec seed device. The list name must match the one defined in Step 16.
Example:
Device(config)# cts authorization list cts-mlist

Step 18
Command or Action: exit
Purpose: Exits global configuration mode and returns to privileged EXEC mode.
Example:
Device(config)# exit
Configuring AAA on Cisco TrustSec Non-seed Devices
SUMMARY STEPS
1. enable
2. cts credentials id cts-id password cts-password
3. configure terminal
4. aaa new-model
5. aaa session-id common
6. radius-server vsa send authentication
7. exit
DETAILED STEPS

Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable

Step 2
Command or Action: cts credentials id cts-id password cts-password
Purpose: Specifies the Cisco TrustSec ID and password of the network device. Each device needs its own ID and password, provisioned for it on the AAA server; the example value is illustrative only.
Example:
Device# cts credentials id CTS-One password cisco123

Step 3
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 4
Command or Action: aaa new-model
Purpose: Enables new RADIUS and AAA access control commands and functions and disables old commands.
Example:
Device(config)# aaa new-model

Step 5
Command or Action: aaa session-id common
Purpose: Ensures that the same session identification (ID) information is used for each AAA accounting service type within a given call.
Example:
Device(config)# aaa session-id common

Step 6
Command or Action: radius-server vsa send authentication
Purpose: Configures the network access server (NAS) to recognize and use only authentication vendor-specific attributes (VSAs).
Example:
Device(config)# radius-server vsa send authentication

Step 7
Command or Action: exit
Purpose: Exits global configuration mode and returns to privileged EXEC mode.
Example:
Device(config)# exit
Configuration Examples for Cisco TrustSec Network Device Admission Control
Example: Configuring AAA for Cisco TrustSec NDAC Devices
Example: Configuring AAA on Cisco TrustSec Seed Devices
Device> enable
Device# cts credentials id CTS-One password cisco123
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa session-id common
Device(config)# radius server cts-aaa-server
Device(config-radius-server)# address ipv4 192.0.2.1 auth-port 1812 acct-port 1813
Device(config-radius-server)# pac key cisco123
Device(config-radius-server)# exit
Device(config)# radius-server vsa send authentication
Device(config)# aaa group server radius cts_sg
Device(config-sg-radius)# server name cts-aaa-server
Device(config-sg-radius)# exit
Device(config)# aaa authentication dot1x default group cts_sg
Device(config)# aaa authorization network default group cts_sg
Device(config)# aaa authorization network cts-mlist group cts_sg
Device(config)# cts authorization list cts-mlist
Device(config)# exit
Example: Configuring AAA on Cisco TrustSec Non-seed Devices
Device> enable
Device# cts credentials id CTS-One password cisco123
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa session-id common
Device(config)# radius-server vsa send authentication
Device(config)# exit
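The following script is an added example and is not part of the Cisco guide: it lints an IOS running-config against the seed and non-seed AAA procedures above and checks that the named uplink interfaces carry cts dot1x, which is the uplink requirement stated in the Information section. The sample configs, the interface names TenGigabitEthernet1/1 and Te1/1, and the list name ndac-list are constructed for illustration. cts credentials is not checked because it is stored in the keystore, not in the running configuration.

```python
"""Added example (not from the Cisco guide): lint an IOS running-config for the
AAA settings in the NDAC seed and non-seed procedures and for 'cts dot1x' on
named uplink interfaces. All sample configs here are constructed."""
import re

GLOBALS_REQUIRED = ("aaa new-model", "aaa session-id common",
                    "radius-server vsa send authentication")

def parse_config(text):
    """Split IOS config into top-level lines and indented stanza bodies."""
    top, stanzas, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None            # '!' or a blank line ends a stanza
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            top.append(current)
            stanzas.setdefault(current, [])
    return top, stanzas

def named(items, prefix):
    """Map <name> -> value for (key, value) pairs whose key is '<prefix> <name> ...'."""
    pat = re.compile(re.escape(prefix) + r" (\S+)")
    out = {}
    for key, value in items:
        m = pat.match(key)
        if m:
            out[m.group(1)] = value
    return out

def audit_ndac_config(text, role, uplinks=()):
    """Return findings (empty list = pass); role is 'seed' or 'non-seed'.
    'cts credentials' is not checked: it lives in the keystore, not the config."""
    top, stanzas = parse_config(text)
    lines = [(l, l) for l in top]
    findings = [f"missing global command: {c}" for c in GLOBALS_REQUIRED
                if c not in top]
    if role == "seed":
        servers = named(stanzas.items(), "radius server")
        if not servers:
            findings.append("seed needs a 'radius server <name>' stanza")
        for name, body in servers.items():
            if not any(l.startswith("pac key ") for l in body):
                findings.append(f"radius server {name}: no 'pac key' "
                                "(PAC provisioning will fail)")
        groups = named(stanzas.items(), "aaa group server radius")
        authn = named(lines, "aaa authentication dot1x")
        authz = named(lines, "aaa authorization network")
        for kind, ml in (("authentication dot1x", authn),
                         ("authorization network", authz)):
            if "default" not in ml:
                findings.append(f"no 'aaa {kind} default group <grp>'")
            elif ml["default"].split()[-1] not in groups:
                findings.append(f"aaa {kind} default: undefined server group")
        cts = named(lines, "cts authorization list")
        if not cts:
            findings.append("no 'cts authorization list <list>'")
        for lst in cts:
            if lst not in authz:          # list named but never defined
                findings.append(f"cts authorization list {lst}: no matching "
                                f"'aaa authorization network {lst} group <grp>'")
    for intf in uplinks:                  # NDAC needs 802.1X on every uplink
        if "cts dot1x" not in stanzas.get(f"interface {intf}", []):
            findings.append(f"interface {intf}: 'cts dot1x' not configured")
    return findings

SEED_OK = """\
aaa new-model
aaa session-id common
radius server cts-aaa-server
 address ipv4 192.0.2.1 auth-port 1812 acct-port 1813
 pac key cisco123
!
radius-server vsa send authentication
aaa group server radius cts_sg
 server name cts-aaa-server
!
aaa authentication dot1x default group cts_sg
aaa authorization network default group cts_sg
aaa authorization network cts-mlist group cts_sg
cts authorization list cts-mlist
interface TenGigabitEthernet1/1
 cts dot1x
  propagate sgt
"""
# Three deliberate faults: no PAC key, an undefined authorization list, no cts dot1x.
SEED_BAD = (SEED_OK.replace(" pac key cisco123\n", "")
            .replace("list cts-mlist", "list ndac-list")
            .replace(" cts dot1x\n  propagate sgt\n", " switchport mode trunk\n"))
NONSEED_OK = "aaa new-model\naaa session-id common\n" \
             "radius-server vsa send authentication\ninterface Te1/1\n cts dot1x\n"

if __name__ == "__main__":
    print(audit_ndac_config(SEED_BAD, "seed", ["TenGigabitEthernet1/1"]) or "OK")
```

Feed it the output of show running-config saved to a file; for the constructed SEED_BAD config it reports the missing pac key, a cts authorization list whose name has no matching aaa authorization network list, and an uplink without cts dot1x, which are the three misconfigurations that most often leave a device unable to join the TrustSec domain.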
Additional References

Related Documents

Related Topic: Document Title
• Cisco IOS commands: Cisco IOS Master Commands List, All Releases
• Security commands: Cisco IOS Security Command Reference, Commands A to C; Commands D to L; Commands M to R; Commands S to Z
• Cisco TrustSec and SXP configuration: Cisco TrustSec Switch Configuration Guide
• IPsec configuration: Configuring Security for VPNs with IPsec
• IKEv2 configuration: Configuring Internet Key Exchange Version 2 (IKEv2) and FlexVPN Site-to-Site
• Cisco Secure Access Control Server: Configuration Guide for the Cisco Secure ACS
Technical Assistance

Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html
Feature Information for Cisco TrustSec Network Device Admission Control
The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1: Feature Information for Cisco TrustSec Network Device Admission Control

Feature Name: Cisco TrustSec Network Device Admission Control
Releases: Cisco IOS 12.2(33)SXI, Cisco IOS 15.1(1)SY
Feature Information: The Cisco TrustSec Network Device Admission Control (NDAC) feature creates an independent layer of trust between Cisco TrustSec devices to prohibit rogue devices from being allowed on the network. In Cisco IOS XE Release 3.6E, this feature is supported on Cisco Catalyst 3850 Series Switches. The following commands were introduced or modified: cts dot1x, propagate sgt (config-if-cts-dot1x), sap mode-list, timer reauthentication.