Cisco Trustsec Security Architecture - Cisco Catalyst 4500 Series Configuration Manual

Security Features
•
•
•
•
•
•
•
•
•
For more information on 802.1X identity-based network security, see
Port-Based Authentication."

Cisco TrustSec Security Architecture

The Cisco TrustSec security architecture builds secure networks by establishing domains of trusted
network devices. Each device in the domain is authenticated by its peers. Communication on the links
between devices in the domain is secured with a combination of encryption, message integrity check,
and data-path replay protection mechanisms. Cisco TrustSec uses the device and user credentials
acquired during authentication for classifying the packets by security groups (SGs) as they enter the
network. This packet classification is maintained by tagging packets on ingress to the Cisco TrustSec
network so that they can be properly identified for the purpose of applying security and other policy
criteria along the data path. The tag, called the security group tag (SGT), allows the network to enforce
the access control policy by enabling the endpoint device to act upon the SGT to filter traffic.
For more information, refer to the following URL:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
1-32
802.1X with MAC Authentication Bypass—Provides network access to agentless devices without
802.1X supplicant capabilities, such as printers. Upon detecting a new MAC address on a switch
port, the Catalyst 4500 series switch will proxy an 802.1X authentication request based on the
device's MAC address.
802.1X with RADIUS-Provided Session Timeouts—Allows you to specify whether a switch uses a
locally configured or a RADIUS-provided reauthentication timeout.
802.1X with Unidirectional Controlled Port—Allows the Wake-on-LAN (WoL) magic packets to
reach a workstation attached to an unauthorized 802.1X switch port. Unidirectional Controlled Port
is typically used to send operating systems or software updates from a central server to workstations
at night.
802.1X with Violation Mode—This feature allows you to configure 802.1X security violation
behavior as either shutdown, restrict, or replace mode, based on the response to the violation.
802.1X with VLAN assignment—This feature allows you to enable non-802.1X-capable hosts to
access networks that use 802.1X authentication.
802.1X with VLAN user distribution—An alternative to dynamically assigning a VLAN ID or a
VLAN name, this feature assign a VLAN Group name. It enables you to distribute users belonging
to the same group (and characterized by a common VLAN Group name) across multiple VLANs.
Ordinarily, you do this to avoid creating an overly large broadcast domain.
802.1X with Voice VLAN—This feature allows you to use 802.1X security on a port while enabling
it to be used by both Cisco IP phones and devices with 802.1X supplicant support.
Multi-Domain Authentication—This feature allows both a data device and a voice device, such as
an IP phone (Cisco or non-Cisco), to authenticate on the same switch port, which is divided into a
data domain and a voice domain.
RADIUS Change of Authorization—This feature employs Change of Authorization (CoA)
extensions defined in RFC 5176 in a push model to allow for the dynamic reconfiguring of sessions
from external authentication, authorization, and accounting (AAA) or policy servers.
Chapter 1 Product Overview
Chapter 44, "Configuring 802.1X
OL-25340-01