Published On: August 5th, 2019 19:05
Release Notes for Cisco TrustSec General Availability Releases
Release Notes for Cisco TrustSec 1.99 General Deployability 2011 Release
Contents
The most current version of this document is available on Cisco.com at the following URL:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/release/notes/rn_cts_crossplat.html
This document contains the following sections:
• Cisco Validated Design Documents
• TrustSec 1.99 Validated Cisco Identity Based Networking Services (IBNS) Features
• Supported Hardware and Software
Introduction
The Cisco TrustSec 1.99 General Deployability 2011 Release validates the operation of TrustSec features together with Cisco Identity Based Networking Services (IBNS) 4.0 features on the Catalyst Series switches.
The Cisco Validated Design (CVD) for the TrustSec 1.99 release provides deployment guidelines and best practices for proven network architectures in complex scenarios. The TrustSec 1.99 Baseline CVD is the list of qualified software images and the published design and deployment guides.
Cisco Validated Design Documents
All CVD documents can be obtained from the following URL:
http://www.cisco.com/go/designzone
The Cisco TrustSec 1.99 CVD documents can be obtained at the following URLs:
TrustSec Planning and Deployment Checklist
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/TrustSec_Checklist/trustsec-199_checklist.html
TrustSec Phased Deployment Configuration Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Phased_Deploy/Phased_Dep_Guide.html
Scenario-Based TrustSec Deployments Application Note
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Scenario_based_AppNote/Scenario_based_AN.html
Wired 802.1X Deployment Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Dot1X_Deployment/Dot1x_Dep_Guide.html
IP Telephony for 802.1X Design Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/IP_Tele/IP_Telephony_DIG.html
MAC Authentication Bypass Deployment Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/MAB/MAB_Dep_Guide.html
Local WebAuth Deployment Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/WebAuth/WebAuth_Dep_Guide.html
TrustSec 1.99 Deployment Note: FlexAuth Order, Priority, and Failed Authentication
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/FlexAuthNote/flexauth-note.html
TrustSec 1.99 Validated Cisco Identity Based Networking Services (IBNS) Features
• 802.1X Authentication
• MAC Authentication Bypass (MAB)
• Open Access
• Flexible Authentication
• Single-Host Mode
• Multi-Domain Authentication (MDA) Host Mode
• Multi-Host Mode
• Multi-Auth Host Mode
• VLAN assignment
• Downloadable ACL (dACL)
• Inactivity timer (MAB and 802.1X)
• Local Web Authentication (LWA)
• Wake-on-LAN (WoL)
• CDP 2nd port disconnect
• Integration with DAI, IPSG, port security
• MDA with dynamic Voice VLAN assignment
• Filter ID
• RADIUS-supplied time out
• Guest VLAN, Auth-Fail VLAN
• RADIUS accounting
• Critical Port / Inaccessible Authentication Bypass (IAB)
• Conditional logging/debugging on a per-port basis
Additional information on Cisco IBNS can be found at the following URL or in your switch configuration guide:
http://www.cisco.com/en/US/products/ps6638/products_ios_protocol_group_home.html
Supported Hardware and Software
For a complete table of features, platforms, IOS images, and servers that have been validated for the TrustSec 1.99 release, please see the Platform Support Matrix in the Cisco TrustSec 1.0 Product Bulletin at the following URL:
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-616556.html
Important Notes
The following caveats citing Catalyst 3000 Series switch documentation are relevant to 802.1X configuration with Cisco TrustSec 1.99:
• CSCtl94043 Port Security blocks voice device from authenticating.
TrustSec Deployment Note: The Port Security feature is not recommended for TrustSec Endpoint Admission Control (EAC) deployments. We recommend 802.1X Multi-Domain Authentication (MDA) host mode for TrustSec customers implementing ordinary 802.1X mode or TrustSec Low Impact mode. For TrustSec Monitor Mode, we recommend configuring 802.1X Multi-Auth host mode.
• CSCtn43105 & CSCtn59023 strider_hacl_asic_pacl_load_into_tcam: 411: ...Not enough space for IP
TrustSec Deployment Note: For a TrustSec deployment, we recommend creating dACLs with as few ACEs as possible.
Downloadable Access Control Lists (dACLs) are loaded into the switch's Ternary Content Addressable Memory (TCAM). The total TCAM space available varies between switch platforms and is directly related to the switch's ASICs. The number of dACLs that can be used, and the number of Access Control Entries (ACEs) in each dACL, depends on the TCAM space available on the switch. It is not possible to predict the available TCAM space on each ASIC at the time of authorization.
If the switch runs out of TCAM space on the ASIC where the dACL is being applied, the dACL is not applied successfully. Additionally, the Catalyst 2000 series switches do not currently send any notification that the dACL failed to apply (see caveat CSCtn59023).
• CSCtn20365 idle-timeout (attribute 28) not applied to authc sessions voice domain
TrustSec Deployment Note: With the exception of the dot1x timeout tx-period timer, we recommend not changing default timers unless the change solves a specific problem and has been thoroughly examined and tested. This caveat applies only when using the idle-timeout as required in the Voice Domain of the TrustSec deployment.
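The interface configuration below is an added illustration of the three deployment notes above; it is not configuration taken from these release notes or from the Cisco deployment guides. It shows a Low Impact mode access port using MDA host mode without Port Security, with every timer at its default except dot1x tx-period, and a deliberately short dACL. The interface name, VLAN numbers, ACL name and host addresses are placeholders; the dACL is defined on the RADIUS server (ACS), not on the switch, and is shown only as the ACE list it would push.

```text
! Added example: Low Impact mode access port using MDA host mode
! (interface, VLANs, ACL name and addresses are placeholders)
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! MDA: one data device plus one voice device per port (CSCtl94043 note)
 authentication host-mode multi-domain
 ! Low Impact mode: port is open, pre-auth traffic limited by the port ACL
 authentication open
 ip access-group PRE-AUTH in
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! The only timer changed from its default (tx-period, in seconds)
 dot1x timeout tx-period 10
 ! Port Security intentionally not configured (CSCtl94043)
!
! Static pre-authentication port ACL, in place before any dACL arrives
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip any any
!
! Monitor Mode variant of the same port: replace the host-mode line with
!  authentication host-mode multi-auth
!
! dACL pushed by ACS after authorization, kept to three ACEs so it fits the
! ASIC TCAM (CSCtn43105 / CSCtn59023):
!  permit ip any host 10.0.0.10
!  permit tcp any any eq 443
!  deny   ip any any
!
! Verification after a device connects (Catalyst 3750; output not shown):
!  show authentication sessions interface GigabitEthernet1/0/1
!  show platform tcam utilization
```

Because the Catalyst 2000 series does not report a failed dACL application, checking the session with show authentication sessions is the only way to confirm the dACL was actually installed.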
Caveats
Open Caveats - TrustSec 1.99 General Availability 2011 Release
Cisco Security Access Control Server (ACS)
Cisco Catalyst 3500 Series Switches
Cisco Catalyst 4500 Series Switches
| Identifier | Technology | Software Release | Description |
|---|---|---|---|
| | 802.1X | 12.2(53)SG | Account-term-cause reported as "0" after session expires and reauth fails. |
Cisco Catalyst 6500 Series Switches
Resolved Caveats
Cisco Catalyst 3500 Series Switches
Cisco Catalyst 6500 Series Switches
| Identifier | Technology | Software Release | Description |
|---|---|---|---|
| | 802.1X | 12.2(33)SXI7 | AUTHPROXY: info timestamp array size not the same as max-login-attempts |
Related Documentation
Release-Specific Documents
| Release-Specific Document Title | TrustSec Topics |
|---|---|
Platform-Specific Documents
| Platform-specific Document Title | TrustSec Topics |
|---|---|
| Catalyst 3000 Series Switches | |
| | Open and resolved caveats |
| Catalyst 3560 Software Configuration Guide, Release 12.2(52)SE | 802.1x configuration procedures |
| Catalyst 3750 Switch Software Configuration Guide, 12.2(52)SE | |
| Catalyst 4500 Series Switches | |
| Release Note for the Catalyst 4500 Series Switch, Cisco IOS, 12.2EW and 12.2SG | Open and resolved caveats |
| Catalyst 4500 Series Switch Software Configuration Guide, 12.2(53)SG | 802.1x configuration procedures |
| Catalyst 6500 Series Switches | |
| Catalyst 6500 Series Release Notes for Cisco IOS Release 12.2(33)SXH and Later Releases | Open and resolved caveats |
| Catalyst 6500 Release 12.2SXH and Later Software Configuration Guide | 802.1x configuration procedures |
| Nexus 7000 Series Switches | |
| | Open and resolved caveats |
| Cisco Secure Access Control System | |
| | Open and resolved caveats |
| | TrustSec configurations for Cisco ACS 5.1 and more recent |
Cisco IOS Software Documentation Set
| Cisco IOS Document Title | TrustSec Topics |
|---|---|
| Cisco IOS Security Configuration Guide: Securing User Services | 802.1x configuration procedures |
| | Syntax and usage guidelines for TrustSec-specific and related commands |