The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The Cisco TrustSec Network Device Admission Control (NDAC) feature creates an independent layer of trust between Cisco TrustSec devices to prohibit rogue devices from being allowed on the network.
Cisco TrustSec NDAC authentication with 802.1X must be enabled on each uplink interface that connects to another Cisco TrustSec device.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
| Step 2 |
cts credentials id cts-id password cts-password Example: |
Specifies the Cisco TrustSec ID and password of the network device. |
| Step 3 |
configure terminal Example: |
Enters global configuration mode. |
| Step 4 |
aaa new-model Example: |
Enables new RADIUS and AAA access control commands and functions and disables old commands. |
| Step 5 |
aaa session-id common Example: |
Ensures that the same session identification (ID) information is used for each AAA accounting service type within a given call. |
| Step 6 |
radius server radius-server-name Example: |
Specifies the name for the RADIUS server configuration for Protected Access Credential (PAC) provisioning and enters RADIUS server configuration mode. |
| Step 7 |
address ipv4 {hostname | ipv4address} [acct-port port | alias {hostname | ipv4address} | auth-port port [acct-port port]] Example: |
Configures the IPv4 address for the RADIUS server accounting and authentication parameters. |
| Step 8 |
pac key encryption-key Example: |
Specifies the PAC encryption key. |
| Step 9 |
exit Example: |
Exits RADIUS server configuration mode and enters global configuration mode. |
| Step 10 |
radius-server vsa send authentication Example: |
Configures the network access server (NAS) to recognize and use only authentication vendor-specific attributes (VSAs). |
| Step 11 |
aaa group server radius group-name Example: |
Groups different RADIUS server hosts into distinct lists and distinct methods and enters RADIUS group server configuration mode. |
| Step 12 |
server name radius-server-name Example: |
Specifies a RADIUS server. |
| Step 13 |
exit Example: |
Exits RADIUS group server configuration mode and enters global configuration mode. |
| Step 14 |
aaa authentication dot1x default group group-name Example: |
Specifies the RADIUS server to use for authentication on interfaces running IEEE 802.1X. |
| Step 15 |
aaa authorization network default group group-name Example: |
Specifies that the RADIUS server method is the default method for authorization into a network. |
| Step 16 |
aaa authorization network list-name group group-name Example: |
Specifies that the RADIUS server method is part of the list of authorization methods to use for authorization into a network. |
| Step 17 |
cts authorization list list-name Example: |
Specifies a list of AAA servers for the Cisco TrustSec seed device. |
| Step 18 |
exit Example: |
Exits global configuration mode and returns to privileged EXEC mode. |
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
| Step 2 |
cts credentials id cts-id password cts-password Example: |
Specifies the Cisco TrustSec ID and password of the network device. |
| Step 3 |
configure terminal Example: |
Enters global configuration mode. |
| Step 4 |
aaa new-model Example: |
Enables new RADIUS and AAA access control commands and functions and disables old commands. |
| Step 5 |
aaa session-id common Example: |
Ensures that the same session identification (ID) information is used for each AAA accounting service type within a given call. |
| Step 6 |
radius-server vsa send authentication Example: |
Configures the network access server (NAS) to recognize and use only authentication vendor-specific attributes (VSAs). |
| Step 7 |
exit Example: |
Exits global configuration mode and returns to privileged EXEC mode. |
Device> enable
Device# cts credentials id CTS-One password cisco123
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa session-id common
Device(config)# radius server cts-aaa-server
Device(config-radius-server)# address ipv4 192.0.2.1 auth-port 1812 acct-port 1813
Device(config-radius-server)# pac key cisco123
Device(config-radius-server)# exit
Device(config)# radius-server vsa send authentication
Device(config)# aaa group server radius cts_sg
Device(config-sg-radius)# server name cts-aaa-server
Device(config-sg-radius)# exit
Device(config)# aaa authentication dot1x default group cts_sg
Device(config)# aaa authorization network default group cts_sg
Device(config)# aaa authorization network cts-mlist group cts_sg
Device(config)# cts authorization list cts-mlist
Device(config)# exit
Device> enable
Device# cts credentials id CTS-One password cisco123
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa session-id common
Device(config)# radius-server vsa send authentication
Device(config)# exit
|
Related Topic |
Document Title |
|---|---|
|
Cisco IOS commands |
|
|
Security commands |
|
|
Cisco TrustSec and SXP configuration |
|
|
IPsec configuration |
|
|
IKEv2 configuration |
Configuring Internet Key Exchange Version 2 (IKEv2) and FlexVPN Site-to-Site |
|
Cisco Secure Access Control Server |
|
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
Cisco TrustSec Network Device Admission Control |
Cisco IOS 12.2(33)SXI Cisco IOS 15.1(1)SY |
The Cisco TrustSec Network Device Admission Control (NDAC) feature creates an independent layer of trust between Cisco TrustSec devices to prohibit rogue devices from being allowed on the network. In Cisco IOS XE Release 3.6E, this feature is supported on Cisco Catalyst 3850 Series Switches. The following commands were introduced or modified: cts dot1x , propagate sgt (config-if-cts-dot1x) , sap mode-list , timer reauthentication . |
Feedback