Cisco TrustSec Configuration Manual Download Page 1


Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Cisco TrustSec Switch Configuration Guide

For Cisco Catalyst Switches

Updated: October 2013

Text Part Number: OL-22192-02

Summary of Contents for TrustSec

Page 1: ... 170 West Tasman Drive, San Jose, CA 95134-1706, USA. http://www.cisco.com. Tel: 408 526-4000, 800 553-NETS (6387). Fax: 408 527-0883. Cisco TrustSec Switch Configuration Guide, For Cisco Catalyst Switches. Updated: October 2013. Text Part Number: OL-22192-02 ...

Page 2: ...ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco...

Page 3: ...ecurity Group 1-9; Determining the Destination Security Group 1-10; SGACL Enforcement on Routed and Switched Traffic 1-10; Authorization and Policy Acquisition 1-10; Environment Data Download 1-11; RADIUS Relay Functionality 1-12; Link Security 1-12; Using Cisco TrustSec-Incapable Devices and Networks in a Cisco TrustSec Network 1-13; SXP for SGT Propagation Across Legacy Access Networks 1-13; Layer 3 SGT ...

Page 4: ...s for Non-Seed Device 3-4; Enabling Cisco TrustSec Authentication and MACsec in 802.1X Mode on an Uplink Port 3-5; Configuration Examples for 802.1X on Uplink Port 3-6; Configuring Cisco TrustSec and MACsec in Manual Mode on an Uplink Port 3-6; Configuration Examples for Manual Mode and MACsec on an Uplink Port 3-8; Regenerating SAP Key on an Interface 3-9; Verifying the Cisco TrustSec Interface Configu...

Page 5: ...figuring the Default SXP Source IP Address 4-4; Changing the SXP Reconciliation Period 4-5; Changing the SXP Retry Period 4-5; Creating Syslogs to Capture Changes of IP Address-to-SGT Mapping Learned Through SXP 4-5; Verifying the SXP Connections 4-6; Configuring Layer 3 SGT Transport Between Cisco TrustSec Domains 4-6; Configuring Cisco TrustSec Reflector for Cisco TrustSec-Incapable Switching Modules ...

Page 6: ...ing Web Authentication Proxy Configuration 6-4; Flexible Authentication Sequence and Failover Configuration 6-5; 802.1X Host Modes 6-5; Pre-Authentication Open Access 6-5; DHCP Snooping and SGT Assignment 6-6; Verifying the SGT to Endpoint Host Binding 6-6; Cisco TrustSec Endpoint Access Control Feature Histories 6-7; Cisco TrustSec Command Summary 7-1; Notes for Catalyst 3000 and 2000 Series Switches and...

Page 7: ...ion (SGT, DGT) C-2; Configuration Excerpt of an IPv4 Flow Monitor C-2; Configuration Excerpt of an IPv6 Flow Monitor C-3; Configuration Excerpt of the Global Flow Monitor (IPv4 and IPv6) C-3; Configuration Excerpt of the Interface Monitor C-3; Flexible NetFlow Show Commands C-3; TrustSec System Error Messages C-4; FIPS Support C-4; TrustSec Considerations when Configuring FIPS C-4; Licensing Requirements for FI...

Page 8: ...Contents viii Cisco TrustSec Configuration Guide OL-22192-01 ...

Page 9: ...licies: Provides Security Group ACL configuration procedures from the switch CLI. Chapter 6, Configuring Endpoint Admission Control: Provides 802.1X, MAB, and WebAuth configuration procedures for a TrustSec context. Chapter 7, Cisco TrustSec Command Summary: Provides a list of Cisco TrustSec CLI commands with brief descriptions. Appendix A, Notes for Catalyst 3000 and 2000 Series Switches and WLC 5700 Series...

Page 10: ... keywords and user-entered text appear in bold font. italic font: Document titles, new or emphasized terms, and arguments for which you supply values are in italic font. [ ]: Elements in square brackets are optional. {x | y | z}: Required alternative keywords are grouped in braces and separated by vertical bars. [x | y | z]: Optional alternative keywords are grouped in brackets and separated by vertical bars. string: A nonqu...

Page 11: ...tting a service request, and gathering additional information, see What's New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html. Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free ...

Page 12: ...xii Cisco TrustSec Switch Configuration Guide OL-22192-02 Preface ...

Page 13: ...ta path. The tag, called the security group tag (SGT), allows the network to enforce the access control policy by enabling the endpoint device to act upon the SGT to filter traffic. The Cisco TrustSec architecture incorporates three key components: Authenticated networking infrastructure: After the first device (called the seed device) authenticates with the authentication server to begin the Cisco TrustSec...

Page 14: ...icated device that is already part of the Cisco TrustSec domain and can authenticate new peer supplicants on behalf of the authentication server. When the link between a supplicant and an authenticator first comes up, the following sequence of events typically occurs: 1. Authentication (802.1X): The supplicant is authenticated by the authentication server, with the authenticator acting as an intermediary ...

Page 15: ...s path to the destination, and egress refers to packets leaving the last Cisco TrustSec-capable device on the path. Authentication: This section includes the following topics: Cisco TrustSec and Authentication, page 1-3; Device Identities, page 1-6; Device Credentials, page 1-6; User Credentials, page 1-6. Cisco TrustSec and Authentication: Using Network Device Admission Control (NDAC), Cisco TrustSec authenticat...

Page 16: ...ec Authentication [figure: Switch 1 (supplicant), Switch 2 (authenticator), AS (authentication server); EAP-FAST in 802.1X between Switch 1 and Switch 2, EAP-FAST in RADIUS between Switch 2 and the AS; steps shown: EAP-FAST tunnel establishment, device authentication, one-time provisioning, user authentication, policy acquisition (both peers), EAP-FAST tunnel tear-down, SAP key establishment, ongoing key refresh (SAP)] ...

Page 17: ...Requests to the authentication server to acquire the policy to be applied on the link. 802.1X Role Selection: In 802.1X, the authenticator must have IP connectivity with the authentication server because it has to relay the authentication exchange between the supplicant and the authenticator using RADIUS over UDP/IP. When an endpoint device, such as a PC, connects to a network, it is obvious that it shou...

Page 18: ...ing the EAP-FAST phase 0 provisioning exchange, where a PAC is provisioned in the supplicant. Cisco TrustSec does not perform the EAP-FAST phase 0 exchange again until the PAC expires, and only performs EAP-FAST phase 1 and phase 2 exchanges for future link bringups. The EAP-FAST phase 1 exchange uses the PAC to mutually authenticate the authentication server and the supplicant. Cisco TrustSec uses the...

Page 19: ...at contains the security group number of the device. The packet carries this SGT throughout the network within the Cisco TrustSec header. The SGT is a single label that determines the privileges of the source within the entire enterprise. Because the SGT contains the security group of the source, the tag can be referred to as the source SGT. The destination device is also assigned to a security group (t...

Page 20: ...e number of access control entries (ACEs) configured is determined by the number of permissions specified, resulting in a much smaller number of ACEs than in a traditional IP network. The use of SGACLs in Cisco TrustSec typically results in a more efficient use of TCAM resources compared with traditional ACLs. Ingress Tagging and Egress Enforcement: Cisco TrustSec access control is implemented using ing...

Page 21: ... that SGT when it forwards it into the Cisco TrustSec domain. The egress network device must determine the SGT of the packet in order to apply an SGACL. The network device can determine the SGT for a packet in one of the following methods: Obtain the source SGT during policy acquisition: After the Cisco TrustSec authentication phase, a network device acquires policy information from the authentication ...

Page 22: ...ACL enforcement can be applied to packets switched within a VLAN or forwarded to an SVI associated with a VLAN, but enforcement must be enabled explicitly for each VLAN. Authorization and Policy Acquisition: After device authentication ends, both the supplicant and authenticator obtain the security policy from the authentication server. The two peers then perform link authorization and enforce the link...

Page 23: ...ented by the server list that the device acquires from the authentication server. The device must refresh the Cisco TrustSec environment data before it expires. The device can also cache the environment data and reuse it after a reboot if the data has not expired. The device uses RADIUS to acquire the following environment data from the authentication server: Server lists: List of servers that the clie...

Page 24: ...e authentication server, the authenticator forwards the message back to the supplicant, encapsulated in an EAPOL frame. Link Security: When both sides of a link support 802.1AE Media Access Control Security (MACsec), a security association protocol (SAP) negotiation is performed. An EAPOL-Key exchange occurs between the supplicant and the authenticator to negotiate a cipher suite, exchange security parameter...

Page 25: ...etween ingress access layer devices at the Cisco TrustSec domain edge and distribution layer devices within the Cisco TrustSec domain. The access layer device performs Cisco TrustSec authentication of external source devices to determine the appropriate SGTs for ingress packets. The access layer device learns the IP addresses of the source devices using IP device tracking and (optionally) DHCP snoopin...

Page 26: ...Sec hardware support also lacks Cisco TrustSec hardware support, the second peer can have an SXP connection to a third peer, continuing the propagation of the IP-to-SGT mapping information until a hardware-capable peer is reached. A device can be configured as an SXP listener for one SXP connection and as an SXP speaker for another SXP connection. A Cisco TrustSec device maintains connectivity with its SX...

Page 27: ...you can configure other protection methods, such as IPsec. Cisco TrustSec Reflector for Cisco TrustSec-Incapable Switching Modules: A Catalyst 6500 series switch in a Cisco TrustSec domain may contain any of these types of switching modules: Cisco TrustSec-capable: Hardware supports insertion and propagation of SGT. Cisco TrustSec-aware: Hardware does not support insertion and propagation of SGT, but hard...

Page 28: ...le distribution switch. The following conditions must be met before the Cisco TrustSec ingress reflector configuration is accepted: The supervisor engine must be Cisco TrustSec-capable. Any Cisco TrustSec-incapable DFCs must be powered down. A Cisco TrustSec egress reflector must not be configured on the switch. Before disabling the Cisco TrustSec ingress reflector, you must remove power from the Cisco ...

Page 29: ...s and number of IP-SGT mappings per VRF. Layer 2 VRF-Aware SXP and VRF Assignment: VRF to Layer 2 VLAN assignments are specified with the cts role-based l2-vrf vrf-name vlan-list global configuration command. A VLAN is considered a Layer 2 VLAN as long as there is no switch virtual interface (SVI) with an IP address configured on the VLAN. The VLAN becomes a Layer 3 VLAN once an IP address is configure...

Page 30: ...1-18 Cisco TrustSec Configuration Guide OL-22192-01 Chapter 1 Cisco TrustSec Overview: Using Cisco TrustSec-Incapable Devices and Networks in a Cisco TrustSec Network ...

Page 31: ...sco Identity Services Engine (Cisco ISE), the Cisco Secure Access Control System (Cisco ACS), Cisco IP Telephones, Cisco routers, Cisco network appliances, etc. White papers and presentations explaining the Cisco TrustSec Solution are at the following URL: http://www.cisco.com/en/US/netsol/ns1051/index.html. Cisco TrustSec Configuration How-to Documents: A series of How-to configuration documents provides deploy...

Page 32: ...th AnyConnect NAM and Cisco ISE; Failed Authentications/Authorizations. Supported Hardware and Software: For a list of TrustSec-supported hardware and software per TrustSec release, see Release Notes for Cisco TrustSec General Availability Releases at the following URL: http://www.cisco.com/en/US/docs/switches/lan/trustsec/release/notes/rn_cts_crossplat.html. See also the Release Notes, Configuration Guide...

Page 33: ...e connection on that switch should configure the password to use the default password. If the default password is not configured on a switch, the connection on that switch should also not configure a password. The configuration of the password option should be consistent across the deployment network. Configure the retry open timer command to a different value on different switches. Default Settings: Ta...

Page 34: ...s Switches Release Notes: Open and resolved caveats, supported features. Catalyst 4500 Series Switches Software Configuration Guides: 802.1x configuration procedures. Catalyst 6500 Series Switches: Cisco Catalyst 6500 Series Switches Release Notes: Open and resolved caveats, supported features. Catalyst 6500 Release 12.2SXH and Later Software Configuration Guide: 802.1x configuration procedures. Catalyst 650...

Page 35: ...des TrustSec configurations for Cisco ACS 5.1 and later. Cisco Identity Services Engine TrustSec Configurations: TrustSec is referred to as SGA, or Security Group Access, in ISE documentation. Cisco IOS: Document Title: Cisco IOS Security Configuration Guide: Securing User Services, Release 12.2SX; Securing User Services Configuration Guide Library, Cisco IOS Release 15SY. Platform-Specific: Document Title: Tru...

Page 36: ...2-6 Cisco TrustSec Configuration Guide OL-22192-01 Chapter 2 Configuring the Cisco TrustSec Solution: Additional Documentation ...

Page 37: ...ting SAP Key on an Interface, page 3-9; Verifying the Cisco TrustSec Interface Configuration, page 3-9; Manually Configuring a Device SGT, page 3-11; Manually Configuring IP Address-to-SGT Mapping, page 3-12; Manually Configuring a Device SGT, page 3-11; Configuring Additional Authentication Server-Related Parameters, page 3-23; Automatically Configuring a New or Replacement Password with the Authentication S...

Page 38: ... Router(config)# aaa authentication dot1x default group radius: Specifies the 802.1X port-based authentication method as RADIUS. Step 5: Router(config)# aaa authorization network mlist group radius: Configures the switch to use RADIUS authorization for all network-related service requests. mlist: The Cisco TrustSec AAA server group. Step 6: Router(config)# cts authorization list mlist: Specifies a Cisco TrustSec...

Page 39: ...ter(config)# dot1x system-auth-control; Router(config)# exit. Configuring Credentials and AAA for a Cisco TrustSec Non-Seed Device: To enable NDAC and AAA on a non-seed switch so that it can join the Cisco TrustSec domain, perform these steps. Detailed Steps for Catalyst 6500: Command / Purpose. Step 1: Router# cts credentials id device-id password password: Specifies the Cisco TrustSec device ID and password for this sw...

Page 40: ...default start-stop group radius; Router(config)# radius-server vsa send authentication; Router(config)# dot1x system-auth-control; Router(config)# exit. Catalyst 3850/3650 example for access VLAN, where propagate SGT is not the default: switch(config-if)# switchport access vlan 222; switch(config-if)# switchport mode access; switch(config-if)# authentication port-control auto; switch(config-if)# dot1x pae authenticator ...

Page 41: ...ode on the interface. The interface will negotiate with the peer for a mutually acceptable mode. List the acceptable modes in your order of preference. Choices for mode are: gcm: Authentication and encryption; gmac: Authentication, no encryption; no-encap: No encapsulation; null: Encapsulation, no authentication, no encryption. Note: MACsec with SAP is not supported on the Catalyst 3K switches. Note: If the interfa...

Page 42: ...o shutdown; Router(config-if)# exit; Router(config)# exit. Configuring Cisco TrustSec and MACsec in Manual Mode on an Uplink Port: You can manually configure Cisco TrustSec on an interface. You must manually configure the interfaces on both ends of the connection. No authentication occurs; policies can be statically configured or dynamically downloaded from an authentication server by specifying the server's...

Page 43: ...ures Identity Port Mapping (IPM) to allow dynamic authorization policy download from the authorization server based on the identity of the peer. See the additional usage notes following this task. peer-name: The Cisco TrustSec device ID for the peer device. The peer name is case sensitive. Note: Ensure that you have configured the Cisco TrustSec credentials (see Configuring Credentials and AAA for a Cisco Trus...

Page 44: ... policy static command. If the policy dynamic command is configured, the packet is not tagged. If the selected SAP mode allows SGT insertion and an incoming packet carries an SGT, the tagging policy is as follows: If the policy static command is configured without the trusted keyword, the SGT is replaced with the SGT configured in the policy static command. If the policy static command is configured with...

Page 45: ...ey refresh ordinarily occurs automatically, triggered by combinations of network events and non-configurable internal timers. Detailed Steps for Catalyst 6500, Catalyst 3850/3650. Verifying the Cisco TrustSec Interface Configuration: To view the TrustSec-related interface configuration, perform this task. Detailed Steps for Catalyst 6500. Example: Show Cisco 6500 TrustSec interface configuration: Router# show...

Page 46: ...Expiration: 23:32:40 PDT Jun 22 2009. Statistics: authc success: 1; authc reject: 0; authc failure: 0; authc no response: 0; authc logoff: 0; sap success: 0; sap fail: 0; authz success: 1; authz fail: 0; port auth fail: 0. Dot1x Info for GigabitEthernet3/1: PAE = SUPPLICANT; StartPeriod = 30; AuthPeriod = 30; HeldPeriod = 60; MaxStart = 3; Credentials profile = CTS-ID-profile; EAP profile = CTS-EAP-profile. Dot1x Info for GigabitEthernet3/1 ...

Page 47: ...s an SGT to the device for packets originating from the device. You can manually configure an SGT to be used if the authentication server is not accessible, but an authentication server-assigned SGT will take precedence over a manually assigned SGT. To manually configure an SGT on the device, perform this task. Detailed Steps for Catalyst 6500, 3850, 3750-X. Configuration Examples for Manually Configuring...

Page 48: ...nd. In IPv4 networks, SXPv3 and more recent versions can receive and parse subnet net_address/prefix strings from SXPv3 peers. Earlier SXP versions convert the subnet prefix into its set of host bindings before exporting them to an SXP listener peer. For example, the IPv4 subnet 198.1.1.0/29 is expanded as follows (only 3 bits for host addresses): Host addresses 198.1.1.1 to 198.1.1.7 tagged and propagate...

Page 49: ...figures the Subnet to SGT Mapping host count constraint. The bindings argument specifies the maximum number of subnet IP hosts that can be bound to SGTs and exported to the SXP listener. bindings: 0 to 65,535 (default is 0; no expansions performed). Step 3: [no] cts role-based sgt-map ipv4_address/prefix sgt number. Example: switch(config)# cts role-based sgt-map 10.10.10.10/29 sgt 1234. IPv4: Specifies a subnet ...

Page 50: ...curity Group Tag to be bound to every host address in the specified subnet. ipv6_address: Specifies the IPv6 network address in colon hexadecimal notation. prefix (0 to 128): Specifies the number of bits in the network address. sgt number (0 to 65,535): Specifies the Security Group Tag (SGT) number. Step 5: exit. Example: switch(config)# exit; switch#. Exits global configuration mode. Step 6: show running-config | include sear...

Page 51: ...ig)# cts sxp default password 1syzygy1; Switch2(config)# cts sxp connection peer 1.1.1.1 password default mode local listener. Step 3: On Switch2, verify that the SXP connection is operating: Switch2# show cts sxp connections brief | include 1.1.1.1. Output: 1.1.1.1 2.2.2.2 On 3:22:23:18 (dd:hr:mm:sec). Step 4: Configure the subnetworks to be expanded on Switch1: Switch1(config)# cts sxp mapping network-map 10000; Switch1(con...

Page 52: ...ts from a specified VLAN. This simplifies the migration from legacy to TrustSec-capable networks as follows: Supports devices that are not TrustSec-capable but are VLAN-capable, such as legacy switches, wireless controllers, access points, VPNs, etc. Provides backward compatibility for topologies where VLANs and VLAN ACLs segment the network, such as server segmentation in data centers. The VLAN-to-SGT bind...

Page 53: ...h. Verify that VLAN-to-SGT mapping occurs on the TrustSec switch. Detailed Steps for Catalyst 6500: Command / Purpose. Step 1: config t. Example: TS_switch# config t; TS_switch(config)#. Enters global configuration mode. Step 2: vlan vlan_id. Example: TS_switch(config)# vlan 100; TS_switch(config-vlan)#. Creates VLAN 100 on the TrustSec-capable gateway switch and enters VLAN configuration submode. Step 3: no sh...

Page 54: ...ngth. Example: TS_switch(config)# ip device tracking. Enables IP device tracking. When active hosts are detected, the switch adds the following entries to an IP Device Tracking table: IP address of host; MAC address of host; VLAN of the host; the interface on which the switch detected the host; the state of the host (Active or Inactive). The host added to the IP Device Tracking table is monitored with periodic A...

Page 55: ...cess_switch# config t; access_switch(config)# vlan 100; access_switch(config-vlan)# no shutdown; access_switch(config-vlan)# exit; access_switch(config)#. Step 2: Configure the interface to the TrustSec switch as an access link. Configurations for the endpoint access port are omitted in this example. access_switch(config)# interface gigabitEthernet 6/3; access_switch(config-if)# switchport; access_switch(config-if)# switc...

Page 56: ...e Tracking = Enabled; IP Device Tracking Probe Count = 3; IP Device Tracking Probe Interval = 100. IP Address / MAC Address / Vlan / Interface / STATE. Total number interfaces enabled: 1; Vlan100. Step 7 (Optional): PING the default gateway from an endpoint (in this example, host IP Address 10.1.1.1). Verify that SGT 10 is being mapped to VLAN 100 hosts: TS_switch# show cts role-based sgt-map all. Active IP-SGT Bindings Informa...

Page 57: ...figuring L3IF-to-SGT Mapping. Detailed steps, Catalyst 6500. Verifying L3IF-to-SGT Mapping: To display L3IF-to-SGT configuration information, use the following show commands. Command / Purpose. Step 1: Router# configure terminal: Enters global configuration mode. Step 2: Router(config)# cts role-based sgt-map interface type slot/port {security-group name | sgt number}; Router(config)# cts role-based sgt-map interface gi...

Page 58: ... 1.1.1.4 INTERNAL 105 1.1.1.3 L3IF 111 1.1.1.4 INTERNAL. IP-SGT Active Bindings Summary: Total number of CLI bindings = 1; Total number of L3IF bindings = 7; Total number of INTERNAL bindings = 7; Total number of active bindings = 15. Binding Source Priorities: TrustSec resolves conflicts among IP-SGT binding sources with a strict priority scheme. For example, an SGT may be applied to an interface with the policy ...

Page 59: ...us: Load Balance ENABLED, Method = least-outstanding. Command / Purpose. Step 1: Router# configure terminal: Enters global configuration mode. Step 2: Router(config)# [no] cts server deadtime seconds: (Optional) Specifies how long a server in the group should not be selected for service once it has been marked as dead. The default is 20 seconds; the range is 1 to 864000. Step 3: Router(config)# [no] cts server load-balance m...

Page 60: ...e-time = 60 mins, deadtime = 20 secs. Installed list: SL2-1E6E6AE57D4E2A9B320D1844C68BA293, 3 server(s): Server: 10.0.0.1, port 1812, A-ID 04758B1F05D8C1439F27F9509E07CFB6, Status = ALIVE, auto-test = TRUE, idle-time = 60 mins, deadtime = 20 secs. Server: 10.0.0.2, port 1812, A-ID 04758B1F05D8C1439F27F9509E07CFB6, Status = DEAD, auto-test = TRUE, idle-time = 60 mins, deadtime = 20 secs. Automatically Configuring a New or Replacement Passw...

Page 61: ...ge 4-4; Changing the SXP Reconciliation Period, page 4-5; Changing the SXP Retry Period, page 4-5; Creating Syslogs to Capture Changes of IP Address-to-SGT Mapping Learned Through SXP, page 4-5; Verifying the SXP Connections, page 4-6; Configuring Layer 3 SGT Transport Between Cisco TrustSec Domains, page 4-6; Configuring Cisco TrustSec Reflector for Cisco TrustSec-Incapable Switching Modules, page 4-8; Config...

Page 62: ...tions. To enable Cisco TrustSec SXP, perform this task. Detailed Steps for Catalyst 6500. Configuring an SXP Peer Connection: You must configure the SXP peer connection on both of the devices. One device is the speaker and the other is the listener. When using password protection, make sure to use the same password on both ends. Note: If a default SXP source IP address is not configured and you do not confi...

Page 63: ...uter(config)# cts sxp connection peer peer-ipv4-addr [source src-ipv4-addr] password {default | none} mode {local | peer} {speaker | listener} [vrf vrf-name]: Configures the SXP address connection. The optional source keyword specifies the IPv4 address of the source device. If no address is specified, the connection will use the default source address, if configured, or the address of the port. The password keyword specif...

Page 64: ... default source IP address for all new TCP connections where a source IP address is not specified. There is no effect on existing TCP connections when you configure the default SXP source IP address. To configure a default SXP source IP address, perform this task. Detailed Steps for Catalyst 6500. This example shows how to configure an SXP default source IP address: Router# configure terminal; Router(conf...

Page 65: ...e makes a new attempt to set up the connection after the SXP retry period timer expires. The default value is 120 seconds. Setting the SXP retry period to 0 seconds disables the timer, and retries are not attempted. To change the SXP retry period, perform this task. Detailed Steps for Catalyst 6500. Creating Syslogs to Capture Changes of IP Address-to-SGT Mapping Learned Through SXP: When the cts sxp log ...

Page 66: ...On; Conn Version: 2; Connection mode: SXP Listener; Connection inst: 1; TCP conn fd: 1; TCP conn password: default SXP password; Duration since last state change: 0:00:21:25 (dd:hr:mm:sec). Total num of SXP Connections = 1. Configuring Layer 3 SGT Transport Between Cisco TrustSec Domains: You can configure Layer 3 SGT Transport on Cisco TrustSec gateway devices on the edges of a network domain that has no Cisco Trus...

Page 67: ...thentication server is not available for downloading the traffic policy. acl-name: The name of a traditional interface ACL already configured on the device. See the additional usage notes following this task. Step 3: Router(config)# [no] cts policy layer3 {ipv4 | ipv6} exception acl-name: (Optional) Specifies the fallback exception policy to be applied when the authentication server is not available for downloadi...

Page 68: ...encapsulation will be performed on the interface. This example shows how to configure Layer 3 SGT Transport to a remote Cisco TrustSec domain: Router# configure terminal; Router(config)# ip access-list extended traffic-list; Router(config-ext-nacl)# permit ip any 10.1.1.0 0.0.0.255; Router(config-ext-nacl)# exit; Router(config)# ip access-list extended exception-list; Router(config-ext-nacl)# permit ip any 10.2.2.0...

Page 69: ...mode enabled. Note: Before disabling the Cisco TrustSec egress reflector, you must remove power from the Cisco TrustSec-incapable switching modules. Configuring Cisco TrustSec Caching: Enabling Cisco TrustSec Caching: For quick recovery from brief outages, you can enable caching of authentication, authorization, and policy information for Cisco TrustSec connections. Caching allows Cisco TrustSec devices to ...

Page 70: ...ache. To clear the cache for Cisco TrustSec connections, perform this task. Detailed Steps for Catalyst 6500. This example shows how to clear the Cisco TrustSec cache: Router# clear cts cache. Command / Purpose. Step 1: Router# configure terminal: Enters configuration mode. Step 2: Router(config)# [no] cts cache enable: Enables caching of authentication, authorization, and environment data information to DRAM. The defau...

Page 71: ...er Interface, page 5-3; Enabling SGACL Policy Enforcement on VLANs, page 5-3; Manually Configuring SGACL Policies, page 5-4; Displaying SGACL Policies, page 5-6; Refreshing the Downloaded SGACL Policies, page 5-7. Cisco TrustSec SGACL Feature Histories: For a list of supported TrustSec features per platform and the minimum required IOS release, see the Cisco TrustSec Platform Support Matrix at the following U...

Page 72: ...SE will override any conflicting locally defined policy. Step 2: To enable SGACL policy enforcement on egress traffic on routed ports, enable SGACL policy enforcement globally as described in the Enabling SGACL Policy Enforcement Globally section on page 5-2. Step 3: To enable SGACL policy enforcement on switched traffic within a VLAN, or on traffic that is forwarded to an SVI associated with a VLAN, ena...

Page 73: ...d traffic within a VLAN or to traffic that is forwarded to an SVI associated with a VLAN. To enable SGACL policy enforcement on a VLAN or a VLAN list, perform this task. Detailed Steps, Catalyst 6500. Configuration Examples for Enabling SGACL Policy Enforcement on VLANs (Catalyst 3850): Switch# configure terminal; Switch(config)# cts role-based enforcement vlan-list 31-35,41; Switch(config)# exit. Command / Purpose...

Page 74: ...tailed Steps for Catalyst 3850. Command / Purpose. Step 1: Router# configure terminal: Enters global configuration mode. Step 2: ip access-list role-based rbacl-name. Example: Switch(config)# ip access-list role-based allow_webtraff. Creates a Role-based ACL and enters Role-based ACL configuration mode. Step 3: [sequence-number | default] {permit | deny | remark}. Example: Switch(config-rb-acl)# 10 permit tcp dst eq 80 dst eq ...

Page 75: ...d permissions from 50 to 70 (XXX need output XX). Step 5: [no] cts role-based permissions {default | from {sgt_num | unknown} to {dgt_num | unknown}} rbacls [ipv4 rbacls]. Example: Switch(config)# cts role-based permissions from 55 to 66 allow_webtraff. Binds SGTs and DGTs to the RBACL. The configuration is analogous to populating the permission matrix configured on the Cisco ISE or the Cisco Secure ACS. default: Default per...

Page 76: ...row from the permissions matrix is displayed. If the from and to keywords are omitted, the entire permissions matrix is displayed. If the from and to keywords are specified, a single cell from the permissions matrix is displayed and the details keyword is available. When details is entered, the ACEs of the SGACL of the single cell are displayed. This example shows how to display the content of the SGACL ...

Page 77: ...s refresh policy peer my_cisco_ise: Performs an immediate refresh of the SGACL policies from the authentication server. If a peer-id is specified, only the policies related to the specified peer connection are refreshed. To refresh all peer policies, press Enter without specifying an ID. If an SGT number is specified, only the policies related to that SGT are refreshed. To refresh all security group tag p...

Page 78: ...5-8 Cisco TrustSec Switch Configuration Guide OL-22192-02 Chapter 5 Configuring SGACL Policies: Refreshing the Downloaded SGACL Policies ...

Page 79: ...th a Security Group Tag (SGT) at the access device through DHCP snooping and IP device tracking. The access device transmits that association (binding) through SXP to TrustSec hardware-capable egress devices, which maintain a continually updated table of Source IP to SGT bindings. Packets are filtered on egress by the TrustSec hardware-capable devices by applying security group ACLs (SGACLs). Endpoint Admis...

Page 80: ...o; Router(config-if)# dot1x pae authenticator. For additional information on configuring 802.1x authentication, see the configuration guide for your access switch. Verifying the 802.1X Configuration: To verify the 802.1X authentication configuration, use the show authentication interface command: Router# show authentication interface gigabitEthernet 2/1. May 7 11:22:06: %SYS-5-CONFIG_I: Configured from console by c...

Page 81: ...tch(config-if)# mab For additional information on configuring MAB authentication, see the configuration guide for your access switch. Verifying the MAB Configuration To verify the MAC Authentication Bypass configuration, use the show authentication interface command. switch# show authentication interface gigabitEthernet 2/1 Client list: Interface MAC Address Domain Status Session ID Gi2/1 000c.293a.048e D...

Page 82: ...1 switch(config-if)# authentication port-control auto switch(config-if)# authentication fallback FALLBACK_PROFILE 6500(config-if)# ip access-group POLICY in For additional information on configuring web-based authentication, see the configuration guide for your access switch. For additional information on the ip http server command, see the Cisco IOS Network Management Command Reference entry at the ...

Page 83: ...our access switch. For additional information on FAS, see the Cisco document Flexible Authentication Order, Priority, and Failed Authentication at the following URL: http://www.ciscosystems.com/pe/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287_ps6638_Products_White_Paper.html 802.1X Host Modes Four host classification modes can be configured per port: Single Host Interfac...

Page 84: ...n, see the configuration guide for your access switch. Verifying the SGT-to-Endpoint Host Binding To verify that hosts are visible to DHCP Snooping and IP Device Tracking, use the show ip dhcp snooping binding and show ip device tracking commands. switch# show ip dhcp snooping binding MacAddress IpAddress Lease(sec) Type VLAN Interface 00:0C:29:3A:04:8E 10.252.10.10 84814 dhcp-snooping 10 GigabitEtherne...

Page 85: ...rustSec Endpoint Access Control Feature Histories For a list of supported platforms, supported features, and the minimum required IOS releases, see the Cisco TrustSec Platform Support Matrix at the following URL: http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html Otherwise, see product release notes for detailed feature introduction information. ...

Page 86: ...6-8 Cisco TrustSec Configuration Guide OL-22192-01 Chapter 6 Configuring Endpoint Admission Control Cisco TrustSec Endpoint Access Control Feature Histories ...

Page 87: ...rustSec Global Configuration Commands cts authorization list Configures CTS global authorization configuration. cts cache Enables caching of TrustSec authorization and environment data information to DRAM and NVRAM. cts manual Define CTS keystore behavior. cts policy layer3 Specifies traffic and exception policies for CTS Layer 3 Transport gateway interfaces. cts role-based Maps IP addresses, L3 interf...

Page 88: ...ds default (cts manual interface configuration submode) Restores default configurations for CTS manual mode. policy (cts manual interface configuration submode) Configures CTS policy for manual mode. propagate (cts manual interface configuration submode) Configures CTS SGT Propagation configuration for manual mode. sap (cts manual interface submode) Configures CTS SAP for manual mode. Cisco TrustSec Clear Com...

Page 89: ...raffic and exception policies used in CTS Layer3 Transport. show cts provisioning Displays outstanding CTS provisioning jobs. show cts role-based sgt-map Displays IP address to Security Group Tag mappings. show cts role-based counters Displays role-based access control enforcement statistics for SGTs and DGTs. show cts role-based sgt-map Displays IP-to-SGT bindings, permission lists, and NetFlow statist...

Page 90: ...horization; debug cts authorization events; debug cts authorization rbacl; debug cts authorization snmp; debug cts cache; debug cts coa events; debug cts dp errors; debug cts dp info; debug cts dp packets; debug cts environment-data; debug cts environment-data events; debug cts error; debug cts fips; debug cts ha; debug cts ha core; debug cts ha infra; debug cts ifc; debug cts ifc cache; debug cts ifc events; debug ...

Page 91: ...states; debug cts sxp; debug cts sxp conn; debug cts sxp error; debug cts sxp internal; debug cts sxp mdb; debug cts sxp message; debug dot1x; debug epm; debug event; debug mab; debug radius; debug rbm api; debug rbm cli; debug rbm bindings; debug rbm dp errors; debug rbm dp events; debug rbm dp packets; debug rbm platform; debug rbm policy ...

Page 92: ...s a component of their TrustSec environment data. Examples The following example displays an AAA configuration of a TrustSec seed device: Router# cts credentials id Switch1 password Cisco123 Router# configure terminal Router(config)# aaa new-model Router(config)# aaa authentication dot1x default group radius Router(config)# aaa authorization network MLIST group radius Router(config)# cts authorization list ML...

Page 93: ...tore is created using DRAM and NVRAM. Cisco TrustSec creates a secure cloud of devices in a network by requiring that each device authenticate and authorize its neighbors with a trusted AAA server (Cisco Secure ACS 5.1 or more recent) before being granted access to the TrustSec network. Once the authentication and authorization is complete, the information could be valid for some time. If caching is ena...

Page 94: ...ored in volatile memory (information does not survive a reboot) or nonvolatile memory (information survives a reboot). Examples The following example enables cache support: Router# config t Router(config)# cts cache nv-storage disk0: Router(config)# cts cache enable Related Commands Command Description clear cts cache Clears the content of the keystore. show cts keystore Displays the content of the keystore. ct...

Page 95: ...so reconfigure the authentication server. Note The cts change-password is supported on Cisco Secure ACS 5.1 and more recent versions. For Catalyst 6500 switches with dual supervisor chassis, the hardware-based keystores must be manually synchronized when inserting a second supervisor linecard. A password change process may be invoked to make both active and standby supervisors have the same device pas...

Page 96: ...can be assigned a CTS identity by the Cisco Secure Access Control Server (ACS), or auto-generate a new password when prompted to do so by the ACS. Those credentials are stored in the keystore, eliminating the need to save the running-config. To display the CTS device ID, use the show cts credentials command. The stored password is never displayed. To change the device ID or the password, reenter the comman...

Page 97: ...d cisco123 A different device ID is being configured. This may disrupt connectivity on your CTS links. Are you sure you want to change the Device ID? [confirm] y CTS device ID and password have been inserted in the local keystore. Please make sure that the same ID and password are configured in the server database. The following example displays the CTS device ID and password state: Router# show cts credent...

Page 98: ...delines Before configuring the TrustSec dot1x reauthentication timer, configure dot1x globally from the interface, from the Interface Configuration mode. The CTS dot1x configuration governs TrustSec NDAC, not TrustSec EAC processes. Examples In the following example, a Catalyst 6500 Series switch enters CTS configuration mode without first enabling dot1x in interface configuration mode: Router(config-if)# ...

Page 99: ...iption default timer reauthentication (cts interface) Resets the CTS dot1x reauthentication timer to the default value. timer reauthentication (cts interface) Sets the CTS dot1x reauthentication timer. show cts interface Displays CTS interface status and configurations. show dot1x interface Displays IEEE 802.1x configurations and statistics. ...

Page 100: ...econds. When this timer expires, the device reauthenticates to the CTS network (NDAC). Examples The following example resets the CTS reauthentication timer to the global default values: Router# configure terminal Router(config)# interface gigabitEthernet 3/1 Router(config-if)# cts dot1x Router(config-if-cts-dot1x)# default timer reauthentication Related Commands timer reauthentication Sets the CTS reauthentica...

Page 101: ...stSec reauthentication timer. When this timer expires, the device reauthenticates to the CTS network (NDAC). Examples The following example sets the reauthentication timer to 44 seconds: Router(config-if-cts-dot1x)# timer reauthentication 44 Related Commands reauthentication seconds Sets the reauthentication timer. Release Modification 12.2(33)SXI This command was introduced on the Catalyst 6500 series swi...

Page 102: ...interface and to apply the traffic and exception policies. See cts policy layer3 for further information on traffic and exception policies. Examples The following example enables a CTS Layer3 Transport gateway interface: Router# config t Router(config)# interface gigabitEthernet 6/1 Router(config-if)# cts layer3 ipv4 trustsec forwarding Router(config-if)# cts layer3 ipv4 trustsec Router(config-if)# cts layer3...

Page 103: ...al mode is configured, 802.1X authentication is not performed on the link. Use the policy subcommand to define and apply policy on the link. The default is no policy. To configure MACsec link-to-link encryption, the SAP negotiation parameters must be defined. The default is no SAP. The same SAP PMK should be configured on both sides of the link (that is, a shared secret). Examples The following example demon...

Page 104: ...Configuration Guide OL-22192-01 Chapter 7 Cisco TrustSec Command Summary cts manual Related Commands Command Description policy (cts manual interface configuration submode) sap (cts manual interface submode) show cts interface ...

Page 105: ...is an access list that lists the traffic on which not to apply the CTS Layer 3 Transport encapsulation. For example, the RADIUS packets used to acquire the policy should be sent in the clear. Specify the traffic and exception policies with the cts policy layer3 {ipv4 | ipv6} traffic access_list and the cts policy layer3 {ipv4 | ipv6} exception access_list global configuration commands. Apply the traffic and e...

Page 106: ...tion policy have been manually configured, the manually configured policies will be used. If the authentication server is not available but a traffic policy has been configured with no exception policy, no exception policy is applied; Cisco TrustSec Layer 3 encapsulation will be applied on the interface based on the traffic policy. If the authentication server is not available and no traffic policy has...

Page 107: ...olicy refresh command can force immediate refresh of the policy before the Cisco ACS timer expires. This command is relevant only to TrustSec devices that can impose Security Group Tags (SGTs) and enforce Security Group Access Control Lists (SGACLs). environment-data Refreshes environment data. peer Peer-ID (Optional) If a peer-id is specified, only the policies related to the specified peer connection are ...

Page 108: ...w cts policy peer CTS Peer Policy device-id of the peer that this local device is connected to: Peer name: VSS-2T-1 Peer SGT: 1-02 Trusted Peer: TRUE Peer Policy Lifetime = 120 secs Peer Last update time = 12:19:09 UTC Wed Nov 18 2009 Policy expires in 0:00:01:51 (dd:hr:mm:sec) Policy refreshes in 0:00:01:51 (dd:hr:mm:sec) Cache data applied = NONE Related Commands Command Description cts refresh clear cts poli...

Page 109: ...administration security requirements. To manually force a PMK refresh, use the cts rekey command. TrustSec supports a manual configuration mode where Dot1X authentication is not required to create link-to-link encryption between switches. In this case, the PMK is manually configured on devices on both ends of the link with the sap pmk CTS manual interface configuration command. Examples The following ex...

Page 110: ...7-24 Cisco TrustSec Configuration Guide OL-22192-01 Chapter 7 Cisco TrustSec Command Summary cts rekey Related Commands Command Description sap (cts manual interface submode) show cts ...

Page 111: ...sg_name | sgt sgt_num} [vlan vlan_id] [vrf vrf_name] cts role-based policy trace {ipv4 | ipv6} {ip_port_num | icmp | ip} source_host ip_address dest_host ip_address [interface type slot/port] [security-group {sgname sg_name | sgt sgt_num}] [vlan vlan_id] [vrf vrf_name] Syntax Description ipv4 | ipv6 Specifies IPv4 or IPv6 IP encapsulation. ip_port_num | icmp | ip | tcp | udp Specifies the Internet Protocol or its number. Supported proto...

Page 112: ...olete (42) netbios-dgm NetBios datagram service (138) netbios-ns NetBios name service (137) netbios-ss NetBios session service (139) non500-isakmp Internet Security Association and Key Management Protocol (4500) ntp Network Time Protocol (123) pim-auto-rp PIM Auto-RP (496) rip Routing Information Protocol (router, in.routed) (520) snmp Simple Network Management Protocol (161) snmptrap SNMP Traps (162) sunrpc Sun Remote ...

Page 113: ...ide the optional SGT argument in the command line, the output reports the SGT assigned to the packet along with any available binding information. For example, a packet may be dropped because a device is blocking UDP packets, which may indicate a problem with an SGACL configuration or SGACL refresh obtained from another device such as the Cisco Integrated Services Engine (Cisco ISE). The policy trace com...

Page 114: ...y udp The following example traces an HTTP over UDP packet from an IPv6 host: switch# cts role-based policy trace ipv6 udp host 2001::3 eq 80 host 2003::4 eq 90 Input Qualifiers: Packet Parameters: Protocol: UDP Source IP Address: 2001::3 Source Port: 80 Destination IP Address: 2003::4 Destination Port: 90 Result: Source IP: 5111::3 SGT: 16 Source: CLI Destination IP: 13::4 SGT: 17 Source: CLI For SGT/DGT pair (16, 17) Ap...

Page 115: ...ress/prefix | ipv6_netaddress/prefix} sgt sgt_number no cts role-based sgt-map host {ipv4_hostaddress | ipv6_hostaddress} sgt sgt_number no cts role-based sgt-map vrf instance_name {ip4_netaddress | ipv6_netaddress | host {ip4_address | ip6_address}} sgt sgt_number no cts role-based sgt-map interface interface_type slot/port security-group sgt sgt_number no cts role-based sgt-map vlan-list {vlan_ids | all} slot/port s...

Page 116: ...ostaddress | ipv6_hostaddress Binds the specified host IP address with the specified SGT. Enter the IPv4 address in dot-decimal notation; IPv6 in colon-hexadecimal notation. sgt sgt_number (0 to 65,535) Specifies the Security Group Tag (SGT) number. vrf instance_name Specifies a VRF instance previously created on the device. Release Modification 12.2(33)SXI3 This command was introduced on the Catalyst 6500 seri...

Page 117: ...es a Virtual Routing and Forwarding table previously defined with the vrf definition global configuration command. The configuration of VRF contexts is outside the scope of this document. The IP-SGT binding specified with the cts role-based sgt-map vrf global configuration command is entered into the IP-SGT table associated with the specified VRF and the IP protocol version, which is implied by the t...

Page 118: ...rd all is equivalent to the full range of VLANs supported by the network device. The keyword all is not preserved in the nonvolatile generation (NVGEN) process. If the cts role-based l2-vrf command is issued more than once for the same VRF, each successive command entered adds the specified VLAN IDs to the specified VRF. The VRF assignments configured by the cts role-based l2-vrf command are active as l...

Page 119: ...n the flow record with the standard 5-tuple flow objects. Use the flow record and flow exporter global configuration commands to configure a flow record and a flow exporter, then use the flow monitor command to add them to a flow monitor. Use the show flow commands to verify your configurations. To collect only SGACL dropped packets, use the no cts role-based {ip | ipv6} flow monitor dropped global confi...

Page 120: ...AN 57 and 89 through 101 to VRF l2ipv4. The VRF was created with the vrf global configuration command. Cat6k(config)# cts role-based l2-vrf l2ipv4 vlan-list 57,89-101 Related Commands Command Description cts sxp Configures SXP on a network device. cts sgt Configures local device security group tag. show cts role-based sgt-map Displays role-based access control information. ...

Page 121: ...d chooses the server with the least outstanding transactions. By default, no load balancing is applied. batch-size transactions (Optional) The number of transactions to be assigned per batch. The default transactions is 25. Note Batch size may impact throughput and CPU load. It is recommended that the default batch size (25) be used because it is optimal for high throughput without adversely impacting CPU l...

Page 122: ...Group Deadtime = 20 secs (default) Global Server Liveness Automated Test Deadtime = 20 secs Global Server Liveness Automated Test Idle Time = 60 mins Global Server Liveness Automated Test = ENABLED (default) Preferred list, 1 server(s): Server: 10.15.20.102, port 1812, A-ID 87B3503255C4384485BB808DC24C6F55 Status = ALIVE auto-test = TRUE, idle-time = 120 mins, deadtime = 20 secs Installed list: SL1-1E6E6AE57D4E2A9B320D1844C68...

Page 123: ...rustSec Configuration Guide OL-22192-01 Chapter 7 Cisco TrustSec Command Summary cts server Related Commands Command Description show cts server-list Displays lists of AAA servers and load balancing configurations. ...

Page 124: ...ication server is not accessible, but an authentication server assigned SGT will take precedence over a manually assigned SGT. Examples The following example shows how to manually configure an SGT on the network device: Router# configure terminal Router(config)# cts sgt 1234 Router(config)# exit Related Commands tag number Configures the SGT for packets sent from this device. The tag argument is in decimal...

Page 125: ...o cts sxp mapping network-map bindings no cts sxp reconciliation period seconds no cts sxp retry period seconds Syntax Description connection peer ip4_address Specifies the peer SXP address. password {default | none} Specifies the password that SXP will use for the peer connection, using the following options: default Use the default SXP password you configured using the cts sxp default password command. ...

Page 126: ...SGT Exchange Protocol over TCP (SXP) for Cisco TrustSec. log binding-changes Turns on logging for IP-to-SGT binding changes. Default is off. reconciliation period seconds Changes the SXP reconciliation timer. The range is from 0 to 64000. Default is 120 seconds (2 minutes). retry period seconds Changes the SXP retry timer. The range is from 0 to 64000. Default value is 120 seconds (2 minutes). sxp Disabled by de...

Page 127: ...wn timer, Reconciliation timer. Retry Timer The Retry timer is triggered if there is at least one SXP connection that is not up. A new SXP connection is attempted when this timer expires. Use the cts sxp retry period command to configure this timer value. The default value is 120 seconds. The range is 0 to 64000 seconds. A zero value results in no retry being attempted. Delete Hold Down Timer The Delete H...

Page 128: ...sxp default source-ip 10.10.1.1 SwitchA(config)# cts sxp connection peer 10.20.2.2 password default mode local speaker The following example shows how to configure the SXP peer connection on SwitchB, a listener, for connection to SwitchA, a speaker: SwitchB# configure terminal SwitchB(config)# cts sxp enable SwitchB(config)# cts sxp default password Cisco123 SwitchB(config)# cts sxp default source-ip 10.20.2.2...

Page 129: ... cts cache environment-data Router# Note Clearing peer authorization and SGT policies are relevant only to TrustSec devices capable of enforcing SGACLs. Related Commands authorization policies {peer | sgt} Clears all cached SGT and peer authorization policies. environment-data Clears environment data cache. file filename file Specifies filename of cache file to clear. interface controller type slot/port Sp...

Page 130: ...Sec counters on all TrustSec interfaces are cleared. Examples The following example clears CTS statistics for GigabitEthernet interface 3/1, then confirms with the show cts interface command (a fragment of the show command output is displayed): Router# clear cts counter gigabitEthernet3/1 Router# show cts interface gigabitEthernet3/1 Global Dot1x feature is Disabled Interface GigabitEthernet3/1: <snip> Stat...

Page 131: ...sco TrustSec Configuration Guide OL-22192-01 Chapter 7 Cisco TrustSec Command Summary clear cts counter Related Commands Command Description show cts interface Displays CTS interface status and configurations. ...

Page 132: ...Defaults None Command Modes Privileged EXEC Supported User Roles Administrator Command History Examples Router# clear cts credentials Router# clear cts environment-data Router# show cts environment-data CTS Environment Data Current state = START Last status = Cleared Environment data is empty State Machine is running Retry_timer (60 secs) is running Related Commands Release Modification 12.2(33)SXI This comm...

Page 133: ...r cts environment-data Syntax Description This command has no arguments or keywords. Defaults None Command Modes Privileged EXEC Supported User Roles Administrator Command History Examples The following example clears environment data from cache: Router# clear cts environment-data Related Commands Release Modification 12.2(33)SXI This command was introduced on the Catalyst 6500 series switches. Command ...

Page 134: ...escription Command Modes Privileged EXEC Supported User Roles Administrator Command History Examples The following example clears the counters on a gigabitEthernet interface on a Catalyst 6500 series switch: Router# clear cts macsec counters interface gigabitEthernet 6/2 Related Commands interface type slot/port Specifies the interface. Release Modification 12.2(50)SY This command was introduced on the ...

Page 135: ...XEC Supported User Roles Administrator Command History Examples The following command clears all PACs in the keystore: Router# clear cts pac all Related Commands A-ID hexstring Specifies the authenticator ID (A-ID) of the PAC to be removed from the keystore. all Specifies that all PACs on the device be deleted. Release Modification 12.2(33)SXI This command was introduced on the Catalyst 6500 series switch...

Page 136: ...icy of all TrustSec peers, use the clear cts policy peer command without specifying a peer ID. To clear the Security Group tag of the TrustSec peer, use the clear cts policy sgt command. Use the show cts policy peer command to verify. The following example clears the peer authorization policy of the TrustSec peer with the peer ID atlas2: Router# clear cts policy peer atlas2 Delete all peer policies? [confir...

Page 137: ...L-22192-01 Chapter 7 Cisco TrustSec Command Summary clear cts policy Related Commands Command Description cts refresh Forces refresh of peer authorization policies. show cts policy peer Displays the peer authorization policies of TrustSec peers. ...

Page 138: ...clear the Security Group ACL (SGACL) enforcement counters within the scope you specify. The show cts role-based counters tabulates the statistics accumulated since the last clear command was issued, as shown in Example 7-1. Example 7-1 Tabulated SGACL Output from show role-based counters router# show cts role-based counters Role-based counters From To SW-Denied HW-Denied SW-Permitted HW_Permitted 2 5 12...

Page 139: ...or the entire permission matrix are cleared when both the from and to clauses (keywords) are omitted. The default keyword clears the statistics of the default unicast policy. When neither ipv4 nor ipv6 are specified, the command clears only IPv4 counters. Examples The following example clears all role-based counters compiling statistics for SGACL enforcements on IPv4 traffic: router# clear cts role-based cou...

Page 140: ...mand removes a server from the list of CTS AAA servers configured with the cts authorization list global configuration command or the AAA server list provisioned by the CTS authenticator peer. Examples The following example removes the AAA server 10.10.10.1 from the CTS AAA server list: router# clear cts server 1.1.1.1 Related Commands ip_address IPv4 address of the AAA server to be removed from the ...

Page 141: ...d User Roles Administrator Command History Examples The following example re-enables SGT propagation: router# config t router(config)# interface gigabit 6/1 router(config-if)# cts dot1x router(config-if-cts-dot1x)# default propagate sgt Related Commands propagate sgt Restores default (enabled) for propagate sgt. sap Restores default to sap modelist gcm-encrypt null. timer Restores default (86,400 seconds) for ...

Page 142: ...d destination IP addresses. To filter by VRF or IP-to-SGT bindings, use the non-cts conditional debug commands debug condition ip and debug condition vrf. The debug conditions are not saved in the running configuration file. Examples In the following example, messages for debug cts ifc events and debug cts authentication details are filtered by peer-id, SGT and SGN. Interface Controller (ifc) and Authentication ...

Page 143: ...P debug messages that contain IP address 10.10.10.1 or security group tag 8 or security group name engineering are displayed: switch# debug condition ip 10.10.10.1 Condition 1 set switch# debug condition cts security-group tag 8 Condition 2 set switch# debug condition cts security-group name engineering Condition 3 set switch# show debug condition Condition 1: ip 10.10.10.1 (0 flags triggered) Condition 2...

Page 144: ...S manual interface configuration submode parameters to default values, use the default subcommand. Examples The following example restores the default dynamic policy and SGT propagation policies of a Catalyst 6500 series switch CTS-enabled interface: router# config t router(config)# interface gigabitEthernet 6/1 router(config-if)# cts manual router(config-if-cts-manual)# default policy dynamic identity route...

Page 145: ... TrustSec Command Summary default (cts manual interface configuration submode) Related Commands Command Description policy (cts manual interface configuration submode) Configures CTS policy for manual mode. sap (cts manual interface submode) Configures CTS SAP for manual mode. ...

Page 146: ...onfigure a flow record and a flow exporter, then use the flow monitor command to add them to a flow monitor. Use the show flow commands to verify your configurations. To collect only SGACL dropped packets, use the no cts role-based {ip | ipv6} flow monitor dropped global configuration command. For Flexible NetFlow overview and configuration information, see the following documents: Getting Started with ...

Page 147: ...low-record)# match transport source-port router(config-flow-record)# match transport destination-port router(config-flow-record)# match flow direction router(config-flow-record)# match flow cts source group-tag router(config-flow-record)# match flow cts destination group-tag router(config-flow-record)# collect counter packets Related Commands Command Description show flow monitor Displays the status and stati...

Page 148: ...ministrator Command History Examples The following example enables the CTS ingress reflector on a Catalyst 6500 switch: switch(config)# platform cts egress The following example disables the CTS ingress reflector on a Catalyst 6500 switch: switch(config)# no platform cts egress Related Commands egress Specifies the egress TrustSec reflector to be enabled or disabled. ingress Specifies the ingress TrustSe...

Page 149: ...is as follows: If the policy static command is configured, the packet is tagged with the SGT configured in the policy static command. If the policy dynamic command is configured, the packet is not tagged. If the selected SAP mode allows SGT insertion and an incoming packet carries an SGT, the tagging policy is as follows: If the policy static command is configured without the trusted keyword, the SGT is r...

Page 150: ...for traffic already tagged, the interface that has no communication with a Cisco Secure ACS server: Router# configure terminal Router(config)# interface gi2/1 Router(config-if)# cts manual Router(config-if-cts-manual)# sap pmk 1234abcdef mode-list gcm null no-encap Router(config-if-cts-manual)# policy static sgt 3 trusted Router(config-if-cts-manual)# exit Router(config-if)# shutdown Router(config-if)# no shutdown...

Page 151: ...led = 0 replay error = 0 Egress: control frame bypassed = 0 esp packets = 0 sgt filtered = 0 sap frame bypassed = 0 unknown sa dropped = 0 unknown sa bypassed = 0 Related Commands Command Description show cts interface Displays TrustSec configuration statistics per interface. default (cts manual interface configuration submode) Restores default configurations for CTS manual mode. policy (cts manual interface configurat...

Page 152: ...he peer for the transmittal of the SGT tag and data. MACsec is an 802.1AE standard-based link-to-link protocol used by switches and servers. A peer can support MACsec but not SGT encapsulation. In such a case, it is recommended that this Layer 2 SGT propagation be disabled with the no propagate sgt CTS Dot1x interface configuration command. To re-enable the SGT propagation, enter the propagate sgt comma...

Page 153: ...iphers: gcm-encrypt null Replay protection: enabled Replay protection mode: STRICT Selected cipher: Propagate SGT: Disabled <snip> Related Commands Command Description show cts interface Displays Cisco TrustSec states and statistics per interface. sap (cts dot1x interface submode) Configures CTS SAP for dot1x mode. timer (cts dot1x interface submode) Configures the CTS timer. ...

Page 154: ...generation (NVGEN) process, for example, copy system:running-config. A TrustSec-capable interface can support MACsec (Layer2 802.1AE security) and SGT tagging. A TrustSec-capable interface attempts to negotiate the most secure mode with its peer. The peer may be capable of MACsec but not capable of SGT processing. In a manual CTS interface configuration, disable the SGT propagation on the CTS-capable interf...

Page 155: ... 7 Cisco TrustSec Command Summary propagate (cts manual interface configuration submode) Related Commands Command Description show cts interface Displays Cisco TrustSec states and statistics per interface. show running-config Displays current system configurations. ...

Page 156: ...sion of the 802.11i IEEE protocol. SAP is used to establish and maintain the 802.1AE link-to-link encryption (MACsec) between interfaces that support MACsec. Before the SAP exchange begins, after a Dot1x authentication, both sides (supplicant and authenticator) have received the Pairwise Master Key (PMK) and the MAC address of the peer's port from the Cisco Secure Access Control Server (Cisco Secure ACS). If 8...

Page 157: ...gured in multi-hosts mode. The authenticator PAE starts only when dot1x system-auth-control is enabled globally. Examples The following example specifies that SAP is to negotiate the use of CTS encapsulation with GCM cipher, or null cipher as a second choice, but can accept no CTS encapsulation if the peer does not support CTS encapsulation in hardware: Router(config-if-cts-dot1x)# sap modelist gcm-encry...

Page 158: ...a draft version of the 802.11i IEEE protocol. In a TrustSec configuration, the keys are used for MACsec link-to-link encryption between two interfaces. If 802.1X authentication is not possible, SAP and the Pairwise Master Key (PMK) can be manually configured between two interfaces with the sap pmk command. When using 802.1X authentication, both sides (supplicant and authenticator) receive the PMK and the MA...

Page 159: ...cts manual interface configuration submode) Restores default configurations for CTS manual mode. policy (cts manual interface configuration submode) Configures CTS policy for manual mode. propagate (cts manual interface configuration submode) Configures CTS SGT Propagation configuration for manual mode. show cts interface Displays TrustSec configuration statistics per interface. ...

Page 160: ...unters | role-based flow | role-based permissions | role-based sgt-map | server-list | sxp connections | sxp sgt-map} Syntax Description authorization Displays the authorization entries. credentials Displays credentials used for CTS authentication. environment-data Displays the CTS environment data. interface Displays CTS interface status and configuration. keystore Displays keystore information. macsec Displays MA...

Page 161: ...CTS interfaces in corresponding IFC state: INIT state: 19 AUTHENTICATING state: 0 AUTHORIZING state: 0 SAP_NEGOTIATING state: 0 OPEN state: 5 HELD state: 0 DISCONNECTING state: 0 INVALID state: 0 CTS events statistics: authentication success: 14 authentication reject: 19 authentication failure: 0 authentication logoff: 1 authentication no resp: 0 authorization success: 19 authorization failure: 3 sap success: 12 sa...

Page 162: ...7-76 Cisco TrustSec Configuration Guide OL-22192-01, Chapter 7, Cisco TrustSec Command Summary, show cts. Related Commands: Command / Description: cts credentials: Specifies the TrustSec ID and password. ...

Page 163: ...05D8C1 Entry State: COMPLETE. Entry last refresh: 01:19:37 UTC Sat Dec 8 2007. Session queuesize: 1. Interface: Gi2/3, status: SUCCEEDED. Peer policy last refresh: 01:19:37 UTC Sat Dec 8 2007. SGT policy last refresh: 01:19:37 UTC Sat Dec 8 2007. Peer policy refresh time: 2000. Policy expires in: 0:00:28:26 (dd:hr:mm:sec). Policy refreshes in: 0:00:28:26 (dd:hr:mm:sec). Retry_timer: not running. Cache data applied: NONE. Ent...

Page 164: ...State: COMPLETE. Entry last refresh: 01:30:37 UTC Sat Dec 8 2007. Session queuesize: 0. Peer policy last refresh: 00:20:37 UTC Sat Dec 8 2007. SGT policy last refresh: 01:30:37 UTC Sat Dec 8 2007. Peer policy refresh time: 0. SGT policy refresh time: 2000. Policy expires in: 0:00:29:27 (dd:hr:mm:sec). Policy refreshes in: 0:00:29:27 (dd:hr:mm:sec). Retry_timer: not running. Cache data applied: NONE. Entry status: SUCCEEDED...

Page 165: ...s credentials. Syntax Description: This command has no commands or keywords. Defaults: None. Command Modes: EXEC, Privileged EXEC. Supported User Roles: Administrator. Command History, Examples: Router# show cts credentials CTS password is defined in keystore, device-id = r4. Related Commands. Release / Modification: 12.2(33)SXI: This command was introduced on the Catalyst 6500 series switches. Command / Description: cts cre...

Page 166: ...ts environment-data CTS Environment Data: Current state = COMPLETE. Last status = Successful. Local Device SGT: SGT tag = 11-ea7f3097b64bc9f8. Server List Info: Preferred list, 0 server(s). Installed list: SL1-15A25AC3633E7F074FF7E0B45861DF15, 1 server(s): Server: 43.1.1.3, port 1812, A-ID 05181D8147015544BC20F0119BE8717E, Status = ALIVE, auto-test = TRUE, idle-time = 60 mins, deadtime = 20 secs. Multicast Group Addresses: Multicast...

Page 167: ...rustSec Configuration Guide OL-22192-01, Chapter 7, Cisco TrustSec Command Summary, show cts environment-data. Related Commands: Command / Description: clear cts environment-data: Clears TrustSec environment data from cache. ...

Page 168: ...e is Enabled. Interface GigabitEthernet4/1: CTS is enabled, mode: DOT1X. IFC state: OPEN. Authentication Status: SUCCEEDED. Peer identity: r1. Peer is CTS capable. 802.1X role: Authenticator. Reauth period configured: 0 (locally not configured). Reauth period per policy: 3000 (server configured). Reauth period applied to link: 3000 (server configured). Authorization Status: SUCCEEDED. Peer SGT: 0. Peer SGT assignment: Untrusted...

Page 169: ...8160FE3C 0C33EF9A C01FCBAC. Statistics: authc success: 1, authc reject: 18, authc failure: 0, authc no response: 0, authc logoff: 0, sap success: 0, sap fail: 0, authz success: 1, authz fail: 0, port auth fail: 0. Ingress: control frame bypassed: 0, sap frame bypassed: 0, esp packets: 0, unknown sa: 0, invalid sa: 0, inverse binding failed: 0, auth failed: 0, replay error: 0. Egress: control frame bypassed: 0, esp packets: 0, sgt filtered: 0...

Page 170: ...nfigured. Reauth period applied to link: 3000 (server configured). Authorization Status: SUCCEEDED. Peer SGT: 0. Peer SGT assignment: Untrusted. SAP Status: NOT APPLICABLE. Dot1x Info for GigabitEthernet4/1: PAE = AUTHENTICATOR, PortControl = AUTO, ControlDirection = Both, HostMode = MULTI_HOST, ReAuthentication = Enabled, QuietPeriod = 60, ServerTimeout = 30, SuppTimeout = 30, ReAuthPeriod = 3000 (Locally configured), ReAuthMax = 2, MaxReq = 2...

Page 171: ...or SAs are 1 and 2. The delta keyword lists the counter values since the clear cts macsec counters interface command was issued. Examples: The following example displays the MACsec counters of a manually configured CTS uplink interface on a Catalyst 6500 series switch: router# show cts macsec counters interface gigabitEthernet 6/2 CTS Security Statistic Counters: rxL2UntaggedPkts 0, rxL2NotagPkts 0, rxL2S...

Page 172: ...sco TrustSec Command Summary, show cts macsec: ifInDiscards 0, ifInUnknownProtos 0, ifOutDiscards 0, dot1dDelayExceededDiscards 0, txCRC 0, linkChange 0. Related Commands: Command / Description: show cts interface; sap (cts dot1x interface submode); sap (cts manual interface submode). ...

Page 173: ...vice named atlas: Router# show cts pacs AID: 1100E046659D4275B644BF946EFA49CD. PAC-Info: PAC-type = Cisco Trustsec, AID: 1100E046659D4275B644BF946EFA49CD, I-ID: atlas, A-ID-Info: acs1, Credential Lifetime: 13:59:27 PDT Jun 5 2010. PAC-Opaque: 000200B000030001000400101100E046659D4275B644BF946EFA49CD0006009400 0301008285A14CB259CA096487096D68D5F34D000000014C09A6AA00093A808ACA80B39EB656AF0B CA91F3564DF540447A11F9ECDF...

Page 174: ...ormation on the CTS Layer3 Transport feature. Examples: The following example displays the output of the show cts policy layer3 command: router# show cts policy layer3 ipv4 No CTS L3 IPV4 policy received from ACS. Local CTS L3 IPv4 exception policy name: cts exceptions local. Local CTS L3 IPv4 traffic policy name: cts traffic local. Current CTS L3 IPv4 exception policy name: cts exceptions local. Current CTS L3 IP...

Page 175: ...2T-1. Peer SGT: 1 02. Trusted Peer: TRUE. Peer Policy Lifetime: 120 secs. Peer Last update time: 12:19:09 UTC Wed Nov 18 2009. Policy expires in: 0:00:01:51 (dd:hr:mm:sec). Policy refreshes in: 0:00:01:51 (dd:hr:mm:sec). Cache data applied: NONE. Release / Modification: 12.2(33)SXI: This command was introduced on the Catalyst 6500 series switches. Output Field / Explanation: Peer name: CTS device id of the peer to which the...

Page 176: ...fter this elapsed time. Policy refreshes in 0:00:01:51 (dd:hr:mm:sec): This peer policy will be refreshed after this elapsed time. Cache data applied: NONE: This policy was not populated from cache, i.e. it was acquired from the ACS. Output Field / Explanation. Command / Description: cts refresh: Forces refresh of peer authorization policies. clear cts policy: Clears the peer authorization policy of a TrustSec peer. ...

Page 177: ...tected access credential (PAC) provisioning jobs. Reprovisioning occurs when PACs expire or devices are reconfigured. Examples: The following output displays a list of AAA servers that the CTS provisioning driver is re-trying for PAC provisioning: router# show cts provisioning A-ID: 0b2d160f3e4dcf4394262a7f99ea8f63, Server: 41.16.19.201, using existing PAC, Req ID: EB210008, callback func: 418A8990 ...

Page 178: ...show cts role-based counters command to display the Security Group ACL (SGACL) enforcement statistics. Use the clear cts role-based counters command to reset all or a range of statistics. Specify the source SGT with the from keyword and the destination SGT with the to keyword. All statistics are displayed when both the from and to keywords are omitted. The default keyword displays the statistics of the default ...

Page 179: ...cts role-based counters. Role-based counters (From, To, SW-Denied, HW-Denied, SW-Permitted, HW_Permitted): 2, 5, 129, 89762, 421, 7564328; 3, 5, 37, 123456, 1325, 12345678; 3, 7, 0, 65432, 325, 2345678. Related Commands: Command / Description: clear cts role-based counters: Resets Security Group ACL statistic counters. cts role-based: Manually maps a source IP address to a Security Group Tag (SGT) on either a host or a VRF, as well a...

Page 180: ...the 8 most significant bits identify the networks and the 24 least significant bits the hosts. ipv6_hex: Specifies an IP version 6 address in hexadecimal separated by colons, for example 2001:db8:85a3::8a2e:370:7334. ipv6_cidr: Specifies a range of IPv6 addresses in hexadecimal CIDR notation. host {ipv4_decimal | ipv6_hex}: Specifies mappings for a specific IPv4 or IPv6 host. Use dot-decimal and hex-colon notat...

Page 181: ...ddress and SGT source names: Router# show cts role-based sgt-map all Active IP-SGT Bindings Information (IP Address, SGT, Source): 1.1.1.1, 7, INTERNAL; 10.252.10.1, 7, INTERNAL; 10.252.10.10, 3, LOCAL; 10.252.100.1, 7, INTERNAL; 172.26.208.31, 7, INTERNAL. IP-SGT Active Bindings Summary: Total number of LOCAL bindings = 1, Total number of INTERNAL bindings = 4, Total number of active bindings = 5. Related Commands: Command / Desc...

Page 182: ...r-list CTS Server Radius Load Balance = DISABLED. Server Group Deadtime = 20 secs (default). Global Server Liveness Automated Test Deadtime = 20 secs. Global Server Liveness Automated Test Idle Time = 60 mins. Global Server Liveness Automated Test = ENABLED (default). Preferred list, 1 server(s): Server: 10.0.1.6, port 1812, A-ID 1100E046659D4275B644BF946EFA49CD, Status = ALIVE, auto-test = TRUE, idle-time = 60 mins, deadtime = 20 se...

Page 183: ...configuration on a Catalyst 6500 series switch: Router# show cts sxp connections SXP: Disabled. Default Password: Not Set. Default Source IP: Not Set. Connection retry open period: 120 secs. Reconcile period: 120 secs. Retry open timer is not running. There are no SXP Connections. connections: Displays CTS SXP connections information. sgt-map: Displays the IP-SGT mappings received through SXP. brief: (Optional) Displa...

Page 184: ...y open period: 10 secs. Reconcile period: 120 secs. Retry open timer is not running. Peer IP: 2.2.2.1, Source IP: 2.2.2.2, Set up: Peer, Conn status: On, Connection mode: SXP Listener, Connection inst: 1, TCP conn fd: 1, TCP conn password: not set (using default SXP password), Duration since last state change: 0:00:01:25 (dd:hr:mm:sec). Peer IP: 3.3.3.1, Source IP: 3.3.3.2, Set up: Peer, Conn status: On, Connection mode: SXP Listene...

Page 185: ...tion since last state change: 0:00:05:49 (dd:hr:mm:sec). Total num of SXP Connections = 2. The following example displays the current SourceIP-to-SGT mapping database learned through SXP: router# show cts sxp sgt-map IP-SGT Mappings as follows: IPv4,SGT: 2.2.2.1, 7, source: SXP, Peer IP: 2.2.2.1, Ins Num: 1; IPv4,SGT: 2.2.2.1, 7, source: SXP, Peer IP: 3.3.3.1, Ins Num: 1, Status: Active; IPv4,SGT: 3.3.3.1, 7, source: SXP, Peer IP: 2...

Page 186: ...les: The following example displays the contents of a Catalyst 6500 software-emulated keystore: Router# show cts keystore No hardware keystore present, using software emulation. Keystore contains the following records (S = Simple Secret, P = PAC, R = RSA): Index, Type, Name: 0, P, 05181D8147015544BC20F0119BE8717E; 1, S, CTS password. The following example displays the contents of a Catalyst 6500 hardware keystore: Router# s...

Page 187: ...ommand Summary, show cts keystore: RX FIFO underruns: 12, RX timeouts: 0, RX bad checksums: 0, RX bad fragment lengths: 0, Corruption Detected in keystore: 0. Related Commands: Command / Description: cts credentials: Specifies the TrustSec ID and password. cts sxp: Configures SXP on a network device. ...

Page 188: ...ow platform cts reflector command: show platform cts reflector interface type slot/port. Syntax Description. Command Modes: Privileged EXEC. Supported User Roles: Administrator. Command History. Related Commands. interface type slot/port: Specifies the interface type, slot, and port for which to display status. Release / Modification: 12.2(50)SY: This command was introduced on the Catalyst 6500 Series Switches. Comman...

Page 189: ...hentication period is specified, the default period is 86,400 seconds. To disable dot1x reauthentication, use the no form of the command or specify a period of 0 seconds. Use the default timer reauthentication command to restore the default value. Examples: The following example sets the 802.1X reauthentication period for 48 hours (172,800 seconds): router# config t router(config)# interface gigabitEthernet 6...

Page 191: ...www.cisco.com/en/US/netsol/ns1051/index.html. See also the Matrix of Cisco TrustSec-Enabled Infrastructure at the following URL: http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html. Configuration Guidelines and Restrictions. Global Cat3K Restrictions: AAA for Cisco TrustSec requires RADIUS and is supported only by the Cisco Identity Services Engine (Cisco ISE) Release 1.2 with patch...

Page 192: ...o an SGT. When you configure IP address to SGT mappings, the IP address prefix must be /32. If a port is configured in Multi-Auth mode, all hosts connecting on that port must be assigned the same SGT. When a host tries to authenticate, its assigned SGT must be the same as the SGT assigned to a previously authenticated host. If a host tries to authenticate and its SGT is different from the SGT of a previou...

Page 193: ...ches. Propagation of Security Group Tag in the CMD header is supported on the supervisor engine uplink ports, the WS-X47xx series line cards, and the WS-X4640-CSFP-E linecard. The way Destination Security Tag (DGT) is derived for switched traffic (i.e., traffic forwarded between ports in the same VLAN or subnet) is restricted. A maximum of 2000 IP-SGT mappings exists for DGT derivation. Though you can configu...

Page 194: ...gs supported by SGACL is similar to what the other ACLs support. The maximum number of ACEs supported in the Default SGACL policy is 512. The IP-SGT mapping based on the Source IP address in the packet takes precedence over the SGT tag present in the CMD header of incoming traffic, even if the ingress port is in trusted state. This deviates from the default behavior, which dictates that if the port is ...

Page 195: ...and IOS images supported, see the latest Product Bulletins at the following URL: http://www.cisco.com/en/US/netsol/ns1051/index.html. See also the Matrix of Cisco TrustSec-Enabled Infrastructure at the following URL: http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html. Flexible NetFlow Support. Release / Feature History: 15.1(1)SY1: The following Flexible NetFlow flow exporter configur...

Page 196: ...an IPV4 Flow Record (5-tuple, direction, SGT, DGT): router(config)# flow record cts-record-ipv4 router(config-flow-record)# match ipv4 protocol router(config-flow-record)# match ipv4 source address router(config-flow-record)# match ipv4 destination address router(config-flow-record)# match transport source-port router(config-flow-record)# match transport destination-port router(config-flow-record)# match flow directi...

Page 197: ...255.0. Ingress IPv4 unicast only and egress unicast only: router(config-if)# ip flow monitor cts-monitor-ipv4-unicast input router(config-if)# ip flow monitor cts-monitor-ipv4-unicast output. Ingress IPV4 L2-switched traffic only: router(config-if)# ip flow monitor cts-monitor-ipv4-layer2-switched input. Ingress IPv4 multicast and egress IPv4 multicast traffic only: router(config-if)# ip flow monit...

Page 198: ...URL: http://www.cisco.com/en/US/products/hw/switches/ps708/products_system_message_guides_list.html. The Error Message Decoder Tool is at the following URL: http://www.cisco.com/en/US/support/tsd_most_requested_tools.html. FIPS Support: The Federal Information Processing Standard (FIPS) certification documents for Catalyst 6500 series switch software and hardware combinations are posted on the following webs...

Page 199: ...works only with Cisco Identity Services Engine 1.1 or Cisco ACS Release 5.2 or later releases. HTTPS/TLS access to the module is allowed in FIPS approved mode of operation using SSLv3.1/TLSv1.0 and a FIPS approved algorithm. SSH access to the module is allowed in FIPS approved mode of operation using SSHv2 and a FIPS approved algorithm. Many SSH clients provide cryptographic libraries that can be se...

Page 201: ...licant device is admitted into the TrustSec Network. C: CTS: Cisco Trusted Security, or Cisco TrustSec, or TrustSec. E: EAC: Endpoint Admission Control. A process of assigning SGT values to a specific IP address of the endpoint. Depending on hardware and software support, an SGT can be assigned to a source IP address with 802.1X authentication, MAC Authentication Bypass, Web Authentication Bypass, manual assign...

Page 202: ...ity. RBACL: Role-based Access Control List. Often used to characterize SGACL because TrustSec uses the RBAC features of the Cisco Secure ACS. S: SAP: Security Association Protocol. Negotiates keys and cipher suite for link encryption after successful authentication and authorization for NDAC. SAP is derived from the 802.11i standard. SAP negotiation can be automatically initiated after the NDAC process, or the...

Page 203: ...SXP: SGT Exchange Protocol. Allows devices with SXP support to build a source IP-to-SGT binding table and then transfers the table to TrustSec hardware-capable devices through an out-of-band TCP connection using MD5-based authentication. T: TrustSec: Trusted Security. Same as Cisco Trusted Security (CTS). TrustSec Hardware-capable: A network device that can tag traffic with SGTs, enforce SGACLs, and establis...

Page 205: ...otiation 1 12 seed device 1 1 1 11 3 2 SGACLs 1 10 SGTs 1 7 to 1 10 3 11 SXP 4 1 Cisco TrustSec See CTS Cisco TrustSec authentication description 1 6 Cisco TrustSec caching clearing 4 10 enabling 4 9 Cisco TrustSec device credentials description 1 6 Cisco TrustSec device identities description 1 6 Cisco TrustSec environment data download 1 11 Cisco TrustSec manual mode configuring 3 6 Cisco TrustS...

Page 206: ...IPM configuring 3 7 description 1 9 L L2 VRF assignment 7 32 L3IF SGT mapping 3 20 M MAB 6 3 MACSec See Cisco TrustSec link security management interfaces default settings 3 12 3 17 Media Access Control Security See Cisco TrustSec link security mgmt0 interfaces default settings 3 12 3 17 N NDAC for Cisco TrustSec 1 3 NetFlow C 1 Network Device Admission Control See NDAC P PAC in Cisco TrustSec aut...

Page 207: ...ly configuring 3 11 manually mapping IP addresses 3 12 Subnet to SGT mapping 3 12 SXP configuration process 4 2 configuring 4 1 configuring peer connections 4 2 default passwords 4 4 description 1 13 enabling 4 2 reconcile period 4 5 retry period 4 5 source IP address 4 4 Syslog Messages C 4 System Error Messages C 4 T Troubleshooting SGACL and SGT behavior 7 25 TrustSec SGACLs 1 7 TrustSec See CT...
