Cisco TrustSec Network Device Admission Control

The Cisco TrustSec Network Device Admission Control (NDAC) feature creates an independent layer of trust between Cisco TrustSec devices to prohibit rogue devices from being allowed on the network.

Information About Cisco TrustSec Network Device Admission Control

Cisco TrustSec NDAC Authentication for an Uplink Interface

Cisco TrustSec NDAC authentication with 802.1X must be enabled on each uplink interface that connects to another Cisco TrustSec device.

How to Configure Cisco TrustSec Network Device Admission Control

Configuring AAA for Cisco TrustSec NDAC Devices

Configure authentication, authorization, and accounting (AAA) on both seed and non-seed Network Device Admission Control (NDAC) devices.

Configuring AAA on Cisco TrustSec Seed Devices

SUMMARY STEPS

    1.    enable

    2.    cts credentials id cts-id password cts-password

    3.    configure terminal

    4.    aaa new-model

    5.    aaa session-id common

    6.    radius server radius-server-name

    7.    address ipv4 {hostname | ipv4address} [acct-port port | alias {hostname | ipv4address} | auth-port port [acct-port port]]

    8.    pac key encryption-key

    9.    exit

    10.    radius-server vsa send authentication

    11.    aaa group server radius group-name

    12.    server name radius-server-name

    13.    exit

    14.    aaa authentication dot1x default group group-name

    15.    aaa authorization network default group group-name

    16.    aaa authorization network list-name group group-name

    17.    cts authorization list list-name

    18.    exit


DETAILED STEPS
     Command or Action / Purpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 cts credentials id cts-id password cts-password


    Example:
    Device# cts credentials id CTS-One password cisco123
     

    Specifies the Cisco TrustSec ID and password of the network device.

     
    Step 3 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 4 aaa new-model


    Example:
    Device(config)# aaa new-model
     

    Enables new RADIUS and AAA access control commands and functions and disables old commands.

     
    Step 5 aaa session-id common


    Example:
    Device(config)# aaa session-id common
     

    Ensures that the same session identification (ID) information is used for each AAA accounting service type within a given call.

     
    Step 6 radius server radius-server-name


    Example:
    Device(config)# radius server cts-aaa-server
     

    Specifies the name for the RADIUS server configuration for Protected Access Credential (PAC) provisioning and enters RADIUS server configuration mode.

     
    Step 7 address ipv4 {hostname | ipv4address} [acct-port port | alias {hostname | ipv4address} | auth-port port [acct-port port]]


    Example:
    Device(config-radius-server)# address ipv4 192.0.2.1 auth-port 1812 acct-port 1813
     

    Configures the IPv4 address for the RADIUS server accounting and authentication parameters.

     
    Step 8 pac key encryption-key


    Example:
    Device(config-radius-server)# pac key cisco123
     

    Specifies the PAC encryption key.

     
    Step 9 exit


    Example:
    Device(config-radius-server)# exit
     

    Exits RADIUS server configuration mode and enters global configuration mode.

     
    Step 10 radius-server vsa send authentication


    Example:
    Device(config)# radius-server vsa send authentication
     

    Configures the network access server (NAS) to recognize and use only authentication vendor-specific attributes (VSAs).

     
    Step 11 aaa group server radius group-name


    Example:
    Device(config)# aaa group server radius cts_sg
     

    Groups different RADIUS server hosts into distinct lists and distinct methods and enters RADIUS group server configuration mode.

     
    Step 12 server name radius-server-name


    Example:
    Device(config-sg-radius)# server name cts-aaa-server
     

    Specifies a RADIUS server.

     
    Step 13 exit


    Example:
    Device(config-sg-radius)# exit
     

    Exits RADIUS group server configuration mode and enters global configuration mode.

     
    Step 14 aaa authentication dot1x default group group-name


    Example:
    Device(config)# aaa authentication dot1x default group cts_sg
     

    Specifies the RADIUS server to use for authentication on interfaces running IEEE 802.1X.

     
    Step 15 aaa authorization network default group group-name


    Example:
    Device(config)# aaa authorization network default group cts_sg
     

    Specifies that the RADIUS server method is the default method for authorization into a network.

     
    Step 16 aaa authorization network list-name group group-name


    Example:
    Device(config)# aaa authorization network cts-mlist group cts_sg
     

    Specifies that the RADIUS server method is part of the list of authorization methods to use for authorization into a network.

     
    Step 17 cts authorization list list-name


    Example:
    Device(config)# cts authorization list cts-mlist
     

    Specifies a list of AAA servers for the Cisco TrustSec seed device.

     
    Step 18 exit


    Example:
    Device(config)# exit
     

    Exits global configuration mode and returns to privileged EXEC mode.

     

    Configuring AAA on Cisco TrustSec Non-seed Devices

    SUMMARY STEPS

      1.    enable

      2.    cts credentials id cts-id password cts-password

      3.    configure terminal

      4.    aaa new-model

      5.    aaa session-id common

      6.    radius-server vsa send authentication

      7.    exit


    DETAILED STEPS
       Command or Action / Purpose
      Step 1 enable


      Example:
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 cts credentials id cts-id password cts-password


      Example:
      Device# cts credentials id CTS-One password cisco123
       

      Specifies the Cisco TrustSec ID and password of the network device.

       
      Step 3 configure terminal


      Example:
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 4 aaa new-model


      Example:
      Device(config)# aaa new-model
       

      Enables new RADIUS and AAA access control commands and functions and disables old commands.

       
      Step 5 aaa session-id common


      Example:
      Device(config)# aaa session-id common
       

      Ensures that the same session identification (ID) information is used for each AAA accounting service type within a given call.

       
      Step 6 radius-server vsa send authentication


      Example:
      Device(config)# radius-server vsa send authentication
       

      Configures the network access server (NAS) to recognize and use only authentication vendor-specific attributes (VSAs).

       
      Step 7 exit


      Example:
      Device(config)# exit
       

      Exits global configuration mode and returns to privileged EXEC mode.

       

      Configuration Examples for Cisco TrustSec Network Device Admission Control

      Example: Configuring AAA for Cisco TrustSec NDAC Devices

      Example: Configuring AAA on Cisco TrustSec Seed Devices

      Device> enable
      Device# cts credentials id CTS-One password cisco123
      Device# configure terminal
      Device(config)# aaa new-model
      Device(config)# aaa session-id common
      Device(config)# radius server cts-aaa-server
      Device(config-radius-server)# address ipv4 192.0.2.1 auth-port 1812 acct-port 1813
      Device(config-radius-server)# pac key cisco123
      Device(config-radius-server)# exit
      Device(config)# radius-server vsa send authentication
      Device(config)# aaa group server radius cts_sg
      Device(config-sg-radius)# server name cts-aaa-server
      Device(config-sg-radius)# exit
      Device(config)# aaa authentication dot1x default group cts_sg
      Device(config)# aaa authorization network default group cts_sg
      Device(config)# aaa authorization network cts-mlist group cts_sg
      Device(config)# cts authorization list cts-mlist
      Device(config)# exit
      
      
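      As a defender-side consistency check added here (this is not part of the Cisco module), the following Python audits a running-config excerpt for the seed-device wiring the steps above build up: the PAC key under the radius server (step 8), the server group pointing at a defined server (steps 11 and 12), and the name in cts authorization list (step 17) matching an aaa authorization network list (step 16). SEED_CONFIG is a constructed sample that mirrors the example above; the parser assumes standard IOS indentation for sub-commands.

```python
import re
# Constructed running-config excerpt that mirrors the seed-device steps in this module.
SEED_CONFIG = """\
aaa new-model
aaa session-id common
radius server cts-aaa-server
 address ipv4 192.0.2.1 auth-port 1812 acct-port 1813
 pac key cisco123
radius-server vsa send authentication
aaa group server radius cts_sg
 server name cts-aaa-server
aaa authentication dot1x default group cts_sg
aaa authorization network default group cts_sg
aaa authorization network cts-mlist group cts_sg
cts authorization list cts-mlist
"""

def parse_blocks(config):
    # Map each top-level command to its indented sub-commands (IOS indentation).
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.strip():
            current = raw.strip()
            blocks[current] = []
    return blocks

def audit_seed_ndac(config):
    # Returns a list of findings; empty means the seed-device AAA wiring is consistent.
    blocks, findings = parse_blocks(config), []
    for cmd in ("aaa new-model", "radius-server vsa send authentication"):
        if cmd not in blocks:
            findings.append(f"missing global command: {cmd}")
    # Each RADIUS server used for NDAC needs a PAC key (step 8) or provisioning fails.
    servers = {k.split()[2]: v for k, v in blocks.items() if k.startswith("radius server ")}
    for name, subs in servers.items():
        if not any(s.startswith("pac key ") for s in subs):
            findings.append(f"radius server {name}: no pac key")
    groups = {k.split()[4]: v for k, v in blocks.items() if k.startswith("aaa group server radius ")}
    for gname, subs in groups.items():
        for srv in (s.split()[2] for s in subs if s.startswith("server name ")):
            if srv not in servers:
                findings.append(f"group {gname} references undefined radius server {srv}")
    # The list named in cts authorization list (step 17) must exist as an aaa authorization network list (step 16).
    authz = {m.group(1) for k in blocks if (m := re.match(r"aaa authorization network (\S+) group ", k))}
    for lst in (k.split()[3] for k in blocks if k.startswith("cts authorization list ")):
        if lst not in authz:
            findings.append(f"cts authorization list {lst} has no matching aaa authorization network list")
    return findings
```

Run audit_seed_ndac on the output of show running-config from a seed switch; a non-empty list points at the step whose command is missing or mis-wired.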

      Example: Configuring AAA on Cisco TrustSec Non-seed Devices

      Device> enable
      Device# cts credentials id CTS-One password cisco123
      Device# configure terminal
      Device(config)# aaa new-model
      Device(config)# aaa session-id common
      Device(config)# radius-server vsa send authentication
      Device(config)# exit
      
      

      Additional References

      Related Documents

      Related Topic: Document Title
      Cisco IOS commands: Cisco IOS Master Commands List, All Releases
      Security commands
      Cisco TrustSec and SXP configuration: Cisco TrustSec Switch Configuration Guide
      IPsec configuration: Configuring Security for VPNs with IPsec
      IKEv2 configuration: Configuring Internet Key Exchange Version 2 (IKEv2) and FlexVPN Site-to-Site
      Cisco Secure Access Control Server: Configuration Guide for the Cisco Secure ACS

      Technical Assistance

      Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

      Link: http://www.cisco.com/cisco/web/support/index.html

      Feature Information for Cisco TrustSec Network Device Admission Control

      The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

      Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to . An account on Cisco.com is not required.
      Table 1 Feature Information for Cisco TrustSec Network Device Admission Control

      Feature Name: Cisco TrustSec Network Device Admission Control

      Releases: Cisco IOS XE Release 3.7E, Cisco IOS XE Release 3.6E

      Feature Information: The Cisco TrustSec Network Device Admission Control (NDAC) feature creates an independent layer of trust between Cisco TrustSec devices to prohibit rogue devices from being allowed on the network.

      In Cisco IOS XE Release 3.6E, this feature is supported on Cisco Catalyst 3850 Series Switches.

      The following commands were introduced or modified: cts dot1x, propagate sgt (config-if-cts-dot1x), sap mode-list, timer reauthentication.