Cisco Trustsec Feature Guide PDF
Cisco TrustSec Feature Guide | © 2016 Cisco and/or its affiliates. All rights reserved.
Cisco TrustSec Feature Guide
TABLE OF CONTENTS

Introduction ......................................................... 5
About Cisco TrustSec ................................................ 5
Cisco TrustSec Overview ............................................. 6
Cisco TrustSec Device Enrollment .................................... 7
PAC Overview ........................................................ 8
License ............................................................ 11
Configuring ........................................................ 12
Configuring Cisco Devices to Integrate with Cisco TrustSec ......... 12
Configuring Cisco TrustSec Credentials on the Device ............... 14
Configuring RADIUS Attributes on ISE ............................... 15
Configuring Environment Data on ISE ................................ 16
Creating a Security Group on Cisco ISE ............................. 17
Downloading the SGACL Policy on to the Device ...................... 18
Resources .......................................................... 26
Cisco TrustSec Overview

With enterprises transitioning to borderless networks, the technology that connects people and organizations, and the security requirements for protecting data and networks have evolved significantly. End points are increasingly nomadic and users often employ a variety of end points (for example, laptops, smart phones, tablets and so on), which means that a combination of user attributes plus end-point attributes provides the key characteristics that enforcement devices such as switches and routers with firewalls can reliably use to make access control decisions.

As a result, the availability and propagation of end point attributes or client identity attributes have become important requirements to enable security across the customer networks: at the access, distribution, and core layers of the network, and in the data center.

Cisco TrustSec provides access control that builds upon an existing identity-aware infrastructure to ensure data confidentiality between network devices and integrate security access services on one platform. With Cisco TrustSec, enforcement devices use a combination of user attributes and end-point attributes to make role-based and identity-based access control decisions. The availability and propagation of this information enables security across networks at the access, distribution, and core layers of the network.

The Cisco TrustSec security architecture builds secure networks by establishing a domain of trusted devices. Communication on the links between devices in the Cisco TrustSec cloud is secured with a combination of encryption, message integrity checks, and a data-path replay protection mechanism. Cisco TrustSec also uses the device and user identity information acquired during authentication to classify the packets as they enter a network.

This packet classification is maintained by tagging packets on the ingress interface to the Cisco TrustSec network so that they can be correctly identified for the purpose of applying security and other policy criteria along the data path. The tag, also called Security Group Tag (SGT), allows the network to enforce the access control policy by enabling the endpoint device to act upon the SGT value to filter the traffic.

For more information about Cisco TrustSec, see http://www.cisco.com/go/trustsec.
Cisco TrustSec Device Enrollment

Any device that participates in the Cisco TrustSec network is required to be authenticated and trusted. New devices that connect to the network use an enrollment process to obtain Cisco TrustSec authentication credentials and receive general information about the TrustSec environment to facilitate the authentication process. Device enrollment can happen either directly with an Authentication Server (AS), provided the device has Layer 3 connectivity to the AS, or through a peer Authenticator (AT) device, such as a switch or router that facilitates enrollment with an AS.

Access switches or routers are the authentication points in typical branch access scenarios and have direct connectivity to the AS. They authenticate endpoints through EAP-FAST for dynamic PAC provisioning or through a RADIUS and EAP exchange. When endpoints are successfully authenticated, they receive user-specific AAA attributes that include the SGT, which in turn is relayed to a switch using SGT Exchange Protocol (SXP). The switch initiates an EAP-FAST Phase 0 exchange with the available AS and obtains a PAC. This is accomplished by a local PAC-provisioning driver, which acts as a pass-through authenticator to the supplicant EAP-FAST engine running on the switch.

Secure RADIUS

The RADIUS protocol requires a secret to be shared between a client and a server. Shared secrets are used to verify that RADIUS messages are sent by a RADIUS-enabled device that is configured with the same shared secret. Shared secrets also verify that the RADIUS message has not been modified in transit (message integrity). The message integrity is checked by including the Message-Authenticator attribute in the RADIUS messages. This attribute is a Hash-based Message Authentication Code-Message Digest 5 (HMAC-MD5) of the entire RADIUS message using the shared secret as the key. The shared secret is also used to encrypt some RADIUS attributes, such as User-Password and Tunnel-Password.

EAP-FAST

EAP-FAST is a publicly accessible IEEE 802.1X extensible authentication protocol type that is used to support customers who cannot enforce a strong password policy. EAP-FAST is used for the following reasons:

- Digital certificates are not required.
- A variety of database types for usernames and passwords are supported.
- Password expiration and change are supported.
- EAP-FAST is flexible, easy to deploy and manage.

Note: Lightweight Directory Access Protocol (LDAP) users cannot be automatically PAC provisioned and must be manually provisioned.

EAP-FAST comprises three basic phases, but only Phase 0 is supported. Phase 0 initially distributes the PAC to the client device.
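The Secure RADIUS section above describes two uses of the shared secret: the Message-Authenticator attribute (HMAC-MD5 over the whole message) and the hiding of User-Password. The following Python is an added worked example, not code from this guide or from Cisco, that builds an Access-Request the way a RADIUS client such as a switch would, computes the Message-Authenticator as RFC 2869 specifies for Access-Request packets, and shows the server-side checks: the verification fails if any byte of the packet is altered in transit or if the peer holds a different secret. The attribute numbers (1, 2, 80) are the standard RADIUS values; the shared secret, identifier and credentials in the sample are constructed (the username and password echo the cts credentials example later in this guide).

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code (1) + Identifier (1) + Length (2) + Request Authenticator (16)


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password; only a server holding the same secret can do this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def find_attribute(packet: bytes, attr_type: int) -> int:
    """Return the offset of the first attribute of attr_type, or -1 if absent."""
    offset = HEADER_LEN
    while offset + 2 <= len(packet):
        a_type, a_len = packet[offset], packet[offset + 1]
        if a_len < 2 or offset + a_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % offset)
        if a_type == attr_type:
            return offset
        offset += a_len
    return -1


def compute_message_authenticator(packet: bytes, secret: bytes) -> bytes:
    """RFC 2869: HMAC-MD5 over the whole Access-Request with the
    Message-Authenticator value zeroed, keyed by the shared secret."""
    offset = find_attribute(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if offset < 0 or packet[offset + 1] != 18:
        raise ValueError("missing or malformed Message-Authenticator")
    zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def build_access_request(identifier: int, secret: bytes, username: bytes,
                         password: bytes, request_auth: bytes = None) -> bytes:
    """Build a signed Access-Request as a RADIUS client (for example a switch) would."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_user_password(password, secret, request_auth))
             + attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    packet += request_auth + attrs
    mac = compute_message_authenticator(packet, secret)
    offset = find_attribute(packet, ATTR_MESSAGE_AUTHENTICATOR)
    return packet[:offset + 2] + mac + packet[offset + 18:]


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side integrity check: recompute and compare in constant time."""
    try:
        offset = find_attribute(packet, ATTR_MESSAGE_AUTHENTICATOR)
        if offset < 0:
            return False
        received = packet[offset + 2:offset + 18]
        return hmac.compare_digest(received, compute_message_authenticator(packet, secret))
    except ValueError:
        return False


def extract_password(packet: bytes, secret: bytes) -> bytes:
    """Server side: recover User-Password using the Request Authenticator from the header."""
    offset = find_attribute(packet, ATTR_USER_PASSWORD)
    if offset < 0:
        raise ValueError("no User-Password attribute")
    hidden = packet[offset + 2:offset + packet[offset + 1]]
    return reveal_user_password(hidden, secret, packet[4:HEADER_LEN])
```

A server should verify the Message-Authenticator before it looks at any other attribute; the password-hiding scheme alone provides no integrity, which is why the guide's statement that the shared secret both encrypts User-Password and keys the HMAC matters: the same secret protects confidentiality of the password and integrity of the whole request.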
PAC Overview

The PAC is a unique shared credential used to mutually authenticate the client and server. It is associated with a specific client username and a server authority identifier (A-ID). A PAC removes the need for Public Key Infrastructure (PKI) and digital certificates.

Figure 1 EAP-FAST

Creating a PAC consists of the following steps:

1. Server A-ID maintains a local key (master key) that is only known by the server.
2. When a client, which is referred to in this context as an initiator identity (I-ID), requests a PAC from the server, the server generates a randomly unique PAC key and PAC-Opaque field for this client.
3. The PAC-Opaque field contains the randomly generated PAC key along with other information such as an I-ID and key lifetime.
4. PAC Key, I-ID, and Lifetime in the PAC-Opaque field are encrypted with the master key.
5. A PAC-Info field that contains the A-ID is created.
6. The PAC is distributed or imported to the client automatically.

Note: The server does not maintain the PAC or the PAC key, enabling the EAP-FAST server to be stateless.

The figure below describes the PAC's construction. A PAC consists of the PAC-Opaque, PAC Key, and PAC-Info fields. The PAC-Info field contains the A-ID.

Figure 2 PAC for Server Authority

Security Access Group Overview

Security Group Access (SGA) architecture provides group based access-control using Security Group Tags (SGTs). SGTs are used to tag user traffic with role and identity information, which is carried throughout the network and used by devices in the network for policy control.

SGTs allow enterprises to build simple role-based access policies that are topology-independent and provide operational flexibility compared to downloadable access control lists (ACLs). Additionally, specific resources that are being accessed can be grouped into security groups to simplify operations.

SGTs are unique 16-bit tags assigned to a unique role, which represents the privilege of the source user, device or entity. They are tagged at the ingress of a TrustSec domain and filtered at the egress of the TrustSec domain via Security Group access control lists (SGACLs). Policies (Policy ACLs) are distributed from a central policy server (Cisco Integrated Services Engine) or can be configured locally on the TrustSec device.

Security Group Policy Enforcement

Security policy enforcement is based on security group name. An end-point device attempts to access a resource in the data center. Compared to traditional IP-based policies configured on firewalls, identity-based policies are configured based on user and device identities. For example, mktg-contractor is allowed to access mktg-servers; mktg-corp-users are allowed to access mktg-servers and corp-servers.

The benefits of this type of deployment include:
- User group and resource are defined and enforced using a single object (SGT), which simplifies policy management.
- User identity and resource identity are retained throughout the Cisco TrustSec-capable switch infrastructure.

This figure shows a deployment for security group name-based policy enforcement.

Figure 3 Security Group Name-Based Policy Enforcement

Implementing Cisco TrustSec allows you to configure security policies that support server segmentation and includes the following features:

- A pool of servers can be assigned an SGT for simplified policy management.
- The Cisco device can use the IP-SGT mapping for policy enforcement across the Cisco TrustSec domain.
- Deployment simplification is possible because 802.1x authorization for servers is mandatory.

Security Group Tag Overview

Security group access transforms a topology-aware network into a role-based network, which enables end-to-end policies enforced on the basis of a role-based access control list (RBACL). Device and user credentials acquired during authentication are used to classify packets by security groups. Every packet entering the Cisco TrustSec cloud is tagged with a security group tag (SGT). The tagging helps trusted intermediaries identify the source of the packet and enforce security policies along the data path. An SGT can indicate a privilege level across the domain when the SGT is used to define a security group ACL.

An SGT is assigned to a device through IEEE 802.1X authentication, web authentication, or MAC authentication bypass (MAB), which occurs with a RADIUS vendor-specific attribute. An SGT can be assigned statically to a particular IP address or to a switch interface. An SGT is dynamically routed to a switch or access point after successful authentication.
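The Security Group Policy Enforcement and Security Group Tag Overview sections describe the model: packets are classified to an SGT at the ingress of the domain (here via an IP-to-SGT map), and the egress device looks up the (source SGT, destination SGT) cell of the policy matrix and applies its SGACL. The following Python is an added example, not Cisco code and not the device's actual SGACL engine, that models that flow end to end. It uses the guide's mktg-contractor, mktg-corp-users, mktg-servers and corp-servers example; the SGT numbers, the IP prefixes and the default "deny" for an empty cell are constructed assumptions, and it goes slightly beyond the text by supporting a protocol/port ACE ("permit tcp dst eq 443") in addition to "permit ip" so that a cell can be more than allow-all. Unmapped sources fall back to SGT 0, which the environment-data output later in this guide names "Unknown".

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNKNOWN_SGT = 0  # SGT 0 is "Unknown" in the environment data shown in this guide


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str               # "ip", "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass
class Ace:
    """One SGACL access control entry (simplified subset of the real syntax)."""
    action: str                 # "permit" or "deny"
    protocol: str               # "ip" matches every protocol
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def parse_ace(text: str) -> Ace:
    """Parse 'permit|deny <proto> [dst eq <port>]'; anything else is rejected."""
    tokens = text.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError("bad ACE: %r" % text)
    port = None
    if len(tokens) == 5 and tokens[2:4] == ["dst", "eq"]:
        port = int(tokens[4])
    elif len(tokens) != 2:
        raise ValueError("bad ACE: %r" % text)
    return Ace(tokens[0], tokens[1], port)


class TrustSecDomain:
    """IP-to-SGT classification at ingress plus SGACL matrix lookup at egress."""

    def __init__(self, default_action: str = "deny"):
        self.ip_sgt: List[Tuple[ipaddress.IPv4Network, int]] = []
        self.policy: Dict[Tuple[int, int], List[Ace]] = {}
        self.default_action = default_action  # applied when no cell matches (assumption)

    def map_ip_to_sgt(self, prefix: str, sgt: int) -> None:
        if not 0 <= sgt <= 0xFFFF:
            raise ValueError("SGT must fit in 16 bits")
        self.ip_sgt.append((ipaddress.ip_network(prefix), sgt))

    def classify(self, ip: str) -> int:
        """Ingress tagging: longest-prefix match of the IP-SGT map, else Unknown (0)."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, sgt in self.ip_sgt:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sgt)
        return best[1] if best else UNKNOWN_SGT

    def set_policy(self, src_sgt: int, dst_sgt: int, aces: List[str]) -> None:
        self.policy[(src_sgt, dst_sgt)] = [parse_ace(a) for a in aces]

    def enforce(self, pkt: Packet) -> Tuple[str, int, int]:
        """Egress filtering: first matching ACE in the (src, dst) cell wins."""
        src, dst = self.classify(pkt.src_ip), self.classify(pkt.dst_ip)
        for ace in self.policy.get((src, dst), []):
            if ace.matches(pkt):
                return ace.action, src, dst
        return self.default_action, src, dst


def build_example_domain() -> TrustSecDomain:
    """Constructed sample built from the guide's role names; numbers and prefixes are assumed."""
    sgt = {"mktg-contractor": 10, "mktg-corp-users": 11, "mktg-servers": 20, "corp-servers": 21}
    d = TrustSecDomain()
    d.map_ip_to_sgt("10.1.10.0/24", sgt["mktg-contractor"])
    d.map_ip_to_sgt("10.1.11.0/24", sgt["mktg-corp-users"])
    d.map_ip_to_sgt("10.2.20.0/24", sgt["mktg-servers"])
    d.map_ip_to_sgt("10.2.21.0/24", sgt["corp-servers"])
    d.set_policy(sgt["mktg-contractor"], sgt["mktg-servers"], ["permit ip"])
    d.set_policy(sgt["mktg-corp-users"], sgt["mktg-servers"], ["permit ip"])
    d.set_policy(sgt["mktg-corp-users"], sgt["corp-servers"], ["permit tcp dst eq 443", "deny ip"])
    return d
```

The point the model makes visible is that policy cells are keyed by role pairs, not by addresses: moving a server to a different subnet only changes the IP-SGT map, and the matrix is untouched. It also shows why an accurate IP-SGT map is itself security-critical, because a source that classifies to Unknown (0) is judged by whichever cell, or default, applies to SGT 0.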
Configuring
The following example shows the Cisco TrustSec credentials configuration:

Device# cts credentials id Device_8 password password1

Configuring RADIUS Server on the Device

Figure 6 ISE Authentication Settings Page
0-00:Unknown
2-5d:SGT_2
3-00:SGT_3
4-00:SGT_4
5-00:SGT_5
6-00:SGT_6
7-00:SGT_7
8-00:SGT_8
13-00:SGT_13
14-00:SGT_14
15-00:SGT_15
25-00:SGT_25
26-00:SGT_26
27-00:SGT_27
28-00:SGT_28
29-00:SGT_29
30-00:SGT_30
Environment Data Lifetime = 3600 secs
Last update time = 14:02:31 IST Tue Mar 22 2016
stale = FALSE
RBACL ACEs:

Use the show cts role-based permissions command to verify the assigned role-based permissions.

stale = FALSE
RBACL ACEs:
permit ip

Use the show cts role-based sgt-map all command to display all the configured SGT maps.

Device# show cts role-based sgt-map all
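The verification output shown above (the security group name table, the Environment Data Lifetime, the Last update time, and the stale flag on role-based permissions) is what an operator checks to confirm that a device holds current policy from ISE. The following Python is an added example, not Cisco code, that parses those lines from a captured show output and flags the environment data as stale when its age exceeds the advertised lifetime. It assumes the "<sgt>-<xx>:<name>" layout seen in the output, treats the middle field as a generation identifier (an assumption; it is carried through as an opaque string), and drops the zone abbreviation when parsing the timestamp, so the comparison is done in the device's local time. The sample output is constructed from the lines reproduced in this guide.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, NamedTuple, Optional

# Line shapes taken from the output reproduced in this guide.
SGT_LINE = re.compile(r"^\s*(\d+)-([0-9A-Fa-f]+):(\S+)\s*$")
LIFETIME_LINE = re.compile(r"^\s*Environment Data Lifetime\s*=\s*(\d+)\s*secs\s*$")
UPDATE_LINE = re.compile(r"^\s*Last update time\s*=\s*(.+?)\s*$")
STALE_LINE = re.compile(r"^\s*stale\s*=\s*(TRUE|FALSE)\s*$")


class SgtEntry(NamedTuple):
    sgt: int
    generation: str   # middle field of "<sgt>-<gen>:<name>"; generation id is an assumption
    name: str


class EnvironmentData(NamedTuple):
    sgt_table: Dict[int, SgtEntry]
    lifetime_secs: Optional[int]
    last_update: Optional[datetime]
    stale_flags: list            # every "stale = ..." value seen, in order


def parse_update_time(text: str) -> datetime:
    """Parse '14:02:31 IST Tue Mar 22 2016' as a naive local time (zone token dropped)."""
    tokens = text.split()
    if len(tokens) == 6:
        del tokens[1]            # zone abbreviation such as IST
    return datetime.strptime(" ".join(tokens), "%H:%M:%S %a %b %d %Y")


def parse_environment_data(output: str) -> EnvironmentData:
    table: Dict[int, SgtEntry] = {}
    lifetime, last_update, stale_flags = None, None, []
    for line in output.splitlines():
        m = SGT_LINE.match(line)
        if m:
            sgt = int(m.group(1))
            if sgt > 0xFFFF:  # the guide states SGTs are 16-bit tags
                raise ValueError("SGT out of 16-bit range: %d" % sgt)
            table[sgt] = SgtEntry(sgt, m.group(2).lower(), m.group(3))
            continue
        m = LIFETIME_LINE.match(line)
        if m:
            lifetime = int(m.group(1))
            continue
        m = UPDATE_LINE.match(line)
        if m:
            last_update = parse_update_time(m.group(1))
            continue
        m = STALE_LINE.match(line)
        if m:
            stale_flags.append(m.group(1) == "TRUE")
    return EnvironmentData(table, lifetime, last_update, stale_flags)


def is_stale(env: EnvironmentData, now: datetime) -> bool:
    """True when the last refresh is older than the lifetime, when either value is
    missing, or when the device itself reported stale = TRUE anywhere in the output."""
    if env.lifetime_secs is None or env.last_update is None:
        return True
    if any(env.stale_flags):
        return True
    return now - env.last_update > timedelta(seconds=env.lifetime_secs)


def sgt_name(env: EnvironmentData, sgt: int) -> str:
    """Resolve an SGT number to its name, falling back to the table's Unknown entry."""
    entry = env.sgt_table.get(sgt) or env.sgt_table.get(0)
    return entry.name if entry else "Unknown"


# Constructed sample: a subset of the lines shown earlier in this guide.
SAMPLE_OUTPUT = """\
0-00:Unknown
2-5d:SGT_2
3-00:SGT_3
13-00:SGT_13
25-00:SGT_25
30-00:SGT_30
Environment Data Lifetime = 3600 secs
Last update time = 14:02:31 IST Tue Mar 22 2016
stale = FALSE
"""
```

Run against a fresh capture, a stale result means the device is enforcing whatever policy it last downloaded, so the next thing to check is reachability of ISE and the RADIUS shared secret and credentials configured on the device.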