Published On: August 5ᵗʰ, 2019 19:04
Cisco TrustSec Switch Configuration Guide
Configuring Endpoint Admission Control
This chapter contains the following sections:
- Information About Endpoint Admission Control
- Basic EAC Configuration Sequence
- 802.1X Authentication Configuration
- MAC Authentication Bypass Configuration
- Web Authentication Proxy Configuration
- Flexible Authentication Sequence and Failover Configuration
- 802.1X Host Modes
- Pre-Authentication Open Access
- DHCP Snooping and SGT Assignment
- Cisco TrustSec Endpoint Access Control Feature Histories
Information About Endpoint Admission Control
In TrustSec networks, packets are filtered at the egress, not the ingress, of the network. In TrustSec endpoint authentication, a host accessing the TrustSec domain (identified by its endpoint IP address) is associated with a Security Group Tag (SGT) at the access device through DHCP snooping and IP device tracking. The access device transmits that association (binding) through SXP to TrustSec hardware-capable egress devices, which maintain a continually updated table of source IP to SGT bindings. Packets are filtered on egress by the TrustSec hardware-capable devices by applying security group ACLs (SGACLs).
Endpoint Admission Control (EAC) access methods for authentication and authorization can include the following:
All port-based authentication can be enabled with the authentication command. Each access method must be configured individually per port. The flexible authentication sequence and failover features permit the administrator to specify the failover and fallback sequence when multiple authentication modes are configured and the active method fails. The 802.1X host mode determines how many endpoint hosts can be attached per 802.1X port.
Basic EAC Configuration Sequence
1. Configure the Cisco Secure ACS to provision SGTs to authenticated endpoint hosts.
2. Enable SXP on access switches. See the chapter, “Configuring SGT Exchange Protocol.”
3. Enable any combination of 802.1X, MAB, or WebAuth authentication methods on the access switch.
802.1X Authentication Configuration
The following example shows the basic 802.1X configuration on a Gigabit Ethernet port:
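As an added example (not the guide's own configuration), the following shows the global AAA and RADIUS prerequisites together with a basic 802.1X access port on a Catalyst switch; the RADIUS address and key, the VLAN and the interface name are placeholder values.

```cisco
! Added example, not the guide's own configuration.
! RADIUS address/key, VLAN and interface are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! Cisco Secure ACS acting as the RADIUS server (placeholder address and key)
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
! Send vendor-specific attributes so the ACS can return the SGT authorization
radius-server vsa send authentication
!
! Enable 802.1X globally; per-port settings do nothing without this
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description Endpoint access port (placeholder)
 switchport mode access
 switchport access vlan 10
 ! Port stays unauthorized until a method succeeds
 authentication port-control auto
 dot1x pae authenticator
 ! Shorter EAP-Request/Identity interval so non-supplicant hosts time out faster
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Verification (exec mode):
!  show dot1x interface GigabitEthernet1/0/1
!  show authentication sessions interface GigabitEthernet1/0/1
```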
MAC Authentication Bypass Configuration
MAC Authentication Bypass (MAB) enables hosts or clients that are not 802.1X capable to join 802.1X-enabled networks. It is not required to enable 802.1X authentication prior to enabling MAB.
The following example is a basic MAB configuration on a Catalyst switch:
For additional information on configuring MAB authentication, see the configuration guide for your access switch.
Web Authentication Proxy Configuration
Web Authentication Proxy (WebAuth) allows the user to use a web browser to transmit their login credentials to the Cisco Secure ACS through a Cisco IOS web server on the access device. WebAuth can be enabled independently. It does not require 802.1X or MAB to be configured.
The following example shows a basic WebAuth configuration on a Gigabit Ethernet port:
Verifying Web Authentication Proxy Configuration
To verify the Web Authentication Proxy configuration, access the interface IP address with a web browser. If configured correctly, the access device generates a challenge and accepts valid login information.
To verify the Web Authentication proxy configuration with the CLI, use the show authentication interface command.
Flexible Authentication Sequence and Failover Configuration
Flexible Authentication Sequence (FAS) allows the access port to be configured for 802.1X, MAB, and WebAuth authentication methods, specifying the fallback sequence if one or more of the authentication methods are not available. The default failover sequence is as follows:
Layer 2 authentications always occur before Layer 3 authentications. That is, 802.1X and MAB must occur before WebAuth.
The following example specifies the authentication sequence as MAB, then 802.1X (dot1x), and then WebAuth.
For additional information on FAS, see the Cisco document, Flexible Authentication Order, Priority, and Failed Authentication at the following URL:
http://www.ciscosystems.com.pe/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287_ps6638_Products_White_Paper.html
Pre-Authentication Open Access
The Pre-Authentication Open Access feature allows clients and devices to gain network access before port authentication is performed. This is primarily required for the PXE boot scenario, where a device must reach the network and download a bootable image (which may contain a supplicant) before PXE times out.
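As an added example covering the MAB, WebAuth, Flexible Authentication Sequence and Pre-Authentication Open Access sections together (not the guide's own configuration), the following configures one closed port that tries MAB, then 802.1X, then WebAuth, and one open port for PXE hosts. It assumes AAA, RADIUS and dot1x system-auth-control are already configured globally; the ACL, profile, VLAN and interface names are placeholders.

```cisco
! Added example, not the guide's own configuration. Assumes AAA, RADIUS
! and dot1x system-auth-control are already configured globally.
! ACL, profile, VLAN and interface names are placeholders.
ip http server
ip http secure-server
!
! Traffic permitted before any method succeeds: DHCP, DNS, TFTP (PXE).
! HTTP/HTTPS are included so the web proxy can intercept the browser;
! narrow this on ports that do not use WebAuth.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 permit tcp any any eq www
 permit tcp any any eq 443
 deny ip any any
!
! Web Authentication Proxy, used as the Layer 3 fallback method
ip admission name WEBAUTH proxy http
fallback profile WEBAUTH-FALLBACK
 ip access-group PRE-AUTH in
 ip admission WEBAUTH
!
! Closed port: MAB first, then 802.1X, then WebAuth if both fail
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 authentication order mab dot1x webauth
 ! A supplicant that appears after MAB succeeded is still run through 802.1X
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication fallback WEBAUTH-FALLBACK
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! Pre-Authentication Open Access port for PXE hosts: the PRE-AUTH ACL
! bounds what an unauthenticated host can reach until a method authorizes it
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
```

Check the resulting method order and session state with show authentication interface GigabitEthernet1/0/2 (and 1/0/3) after a host connects.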
DHCP Snooping and SGT Assignment
After the authentication process, authorization of the device occurs (for example, dynamic VLAN assignment, ACL programming, etc.). For TrustSec networks, a Security Group Tag (SGT) is assigned per the user configuration in the Cisco ACS. The SGT is bound to traffic sent from that endpoint through DHCP snooping and the IP device tracking infrastructure.
The following example enables DHCP snooping and IP device tracking on an access switch:
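As an added example (not the guide's own configuration), the following enables DHCP snooping and IP device tracking on an access switch, trusts only the uplink toward the DHCP server, and lists the commands that confirm the resulting IP-to-SGT bindings; the VLAN numbers and interface names are placeholders.

```cisco
! Added example, not the guide's own configuration.
! VLAN numbers and interface names are placeholders.
! The bindings learned here are what the switch maps to SGTs and
! advertises over SXP, so only trusted ports may source server replies.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Option-82 insertion is off unless the DHCP server or relay expects it
no ip dhcp snooping information option
ip device tracking
!
interface GigabitEthernet1/0/24
 description Uplink toward the DHCP server (placeholder)
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/1
 description Endpoint access port (placeholder), untrusted by default
 ! Bound the DHCP packet rate an endpoint can send toward the switch
 ip dhcp snooping limit rate 10
!
! Verification (exec mode):
!  show ip dhcp snooping binding
!  show ip device tracking all
!  show cts role-based sgt-map all
```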
Verifying the SGT to Endpoint Host Binding
To verify that hosts are visible to DHCP Snooping and IP Device Tracking, use the show ip dhcp snooping binding and show ip device tracking commands.
To verify that the correct SGT is bound to an endpoint IP address, use the show cts role-based sgt-map command.
Cisco TrustSec Endpoint Access Control Feature Histories
For a list of supported platforms, supported features, and the minimum required IOS releases, see the Cisco TrustSec Platform Support Matrix at the following URL:
http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
Otherwise, see product release notes for detailed feature introduction information.