The Cisco TrustSec Network Device Admission Control (NDAC) feature creates an independent layer of trust between Cisco TrustSec devices to prohibit rogue devices from being allowed on the network.
Cisco TrustSec NDAC authentication with 802.1X must be enabled on each uplink interface that connects to another Cisco TrustSec device.
1. enable
2. cts credentials id *cts-id* password *cts-password*
3. configure terminal
4. aaa new-model
5. aaa session-id common
6. radius server *radius-server-name*
7. address ipv4 {*hostname* | *ipv4address*} [acct-port *port* | alias {*hostname* | *ipv4address*} | auth-port *port* [acct-port *port*]]
8. pac key *encryption-key*
9. exit
10. radius-server vsa send authentication
11. aaa group server radius *group-name*
12. server name *radius-server-name*
13. exit
14. aaa authentication dot1x default group *group-name*
15. aaa authorization network default group *group-name*
16. aaa authorization network *list-name* group *group-name*
17. cts authorization list *list-name*
18. exit
1. enable
2. cts credentials id *cts-id* password *cts-password*
3. configure terminal
4. aaa new-model
5. aaa session-id common
6. radius-server vsa send authentication
7. exit
```
Device> enable
Device# cts credentials id CTS-One password cisco123
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa session-id common
Device(config)# radius server cts-aaa-server
Device(config-radius-server)# address ipv4 192.0.2.1 auth-port 1812 acct-port 1813
Device(config-radius-server)# pac key cisco123
Device(config-radius-server)# exit
Device(config)# radius-server vsa send authentication
Device(config)# aaa group server radius cts_sg
Device(config-sg-radius)# server name cts-aaa-server
Device(config-sg-radius)# exit
Device(config)# aaa authentication dot1x default group cts_sg
Device(config)# aaa authorization network default group cts_sg
Device(config)# aaa authorization network cts-mlist group cts_sg
Device(config)# cts authorization list cts-mlist
Device(config)# exit
```
```
Device> enable
Device# cts credentials id CTS-One password cisco123
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa session-id common
Device(config)# radius-server vsa send authentication
Device(config)# exit
```
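The first procedure leaves several cross-references that are easy to get wrong in a hand-typed configuration: the server group must name a defined radius server, the dot1x and network authorization methods must name a defined group, and cts authorization list must name a list that an aaa authorization network command actually defines. The following Python script is an added example, not part of the Cisco documentation; it parses a running configuration and reports which of those prerequisites are missing. The sample configuration is constructed from the example above, and the check names and messages are the script's own. cts credentials is an EXEC command that does not appear in the running configuration, so it is not checked here (show cts credentials displays it on the device).

```python
import re
from typing import Dict, List

# Constructed sample: the configuration from the example above as it would
# appear in 'show running-config'. 'cts credentials' is an EXEC command and
# never appears here; verify it separately with 'show cts credentials'.
GOOD_CONFIG = """\
aaa new-model
aaa session-id common
radius server cts-aaa-server
 address ipv4 192.0.2.1 auth-port 1812 acct-port 1813
 pac key cisco123
radius-server vsa send authentication
aaa group server radius cts_sg
 server name cts-aaa-server
aaa authentication dot1x default group cts_sg
aaa authorization network default group cts_sg
aaa authorization network cts-mlist group cts_sg
cts authorization list cts-mlist
"""


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into top-level lines and their indented sub-lines."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def check_ndac_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means every prerequisite is present."""
    blocks = parse_blocks(config)
    findings: List[str] = []

    # Steps 4, 5 and 10: global commands that must simply be present.
    for required in ("aaa new-model", "aaa session-id common",
                     "radius-server vsa send authentication"):
        if required not in blocks:
            findings.append(f"missing global command: {required}")

    # Steps 6-8: every RADIUS server block needs an address and a PAC key.
    servers: Dict[str, List[str]] = {}
    for line, children in blocks.items():
        m = re.fullmatch(r"radius server (\S+)", line)
        if m:
            servers[m.group(1)] = children
    if not servers:
        findings.append("no 'radius server <name>' block defined")
    for name, children in servers.items():
        if not any(c.startswith("address ipv4 ") for c in children):
            findings.append(f"radius server {name}: no 'address ipv4' configured")
        if not any(c.startswith("pac key ") for c in children):
            findings.append(f"radius server {name}: no 'pac key' configured")

    # Steps 11-12: server groups must reference servers that exist.
    groups: Dict[str, List[str]] = {}
    for line, children in blocks.items():
        m = re.fullmatch(r"aaa group server radius (\S+)", line)
        if m:
            members = [c.split()[2] for c in children if c.startswith("server name ")]
            groups[m.group(1)] = members
            for member in members:
                if member not in servers:
                    findings.append(f"group {m.group(1)}: server {member} is not defined")

    # Step 14: dot1x authentication must point at a defined server group.
    dot1x = [m.group(1) for m in
             (re.fullmatch(r"aaa authentication dot1x default group (\S+)", line)
              for line in blocks) if m]
    if not dot1x:
        findings.append("missing 'aaa authentication dot1x default group <group>'")
    elif dot1x[0] not in groups:
        findings.append(f"dot1x authentication uses undefined group {dot1x[0]}")

    # Steps 15-17: authorization lists, and the list 'cts authorization list' names.
    auth_lists: Dict[str, str] = {}
    for line in blocks:
        m = re.fullmatch(r"aaa authorization network (\S+) group (\S+)", line)
        if m:
            auth_lists[m.group(1)] = m.group(2)
            if m.group(2) not in groups:
                findings.append(f"authorization list {m.group(1)} uses undefined group {m.group(2)}")
    if "default" not in auth_lists:
        findings.append("missing 'aaa authorization network default group <group>'")
    cts = [m.group(1) for m in
           (re.fullmatch(r"cts authorization list (\S+)", line) for line in blocks) if m]
    if not cts:
        findings.append("missing 'cts authorization list <list-name>'")
    elif cts[0] not in auth_lists:
        findings.append(f"cts authorization list {cts[0]}: no matching "
                        f"'aaa authorization network {cts[0]} group ...' line")
    return findings


if __name__ == "__main__":
    # Constructed defective variant: PAC key removed and the named list renamed.
    broken = GOOD_CONFIG.replace(" pac key cisco123\n", "").replace("cts-mlist group", "other group")
    for label, cfg in (("good", GOOD_CONFIG), ("broken", broken)):
        result = check_ndac_config(cfg)
        print(f"{label}: {'OK' if not result else str(len(result)) + ' finding(s)'}")
        for item in result:
            print("  -", item)
```

Run it against the output of show running-config saved to a file; the parser relies on the one-space indentation IOS uses for sub-mode lines, so the text must be pasted unmodified.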
| Related Topic | Document Title |
|---|---|
| Cisco IOS commands | |
| Security commands | |
| Cisco TrustSec and SXP configuration | |
| IPsec configuration | |
| IKEv2 configuration | Configuring Internet Key Exchange Version 2 (IKEv2) and FlexVPN Site-to-Site |
| Cisco Secure Access Control Server | |

| Description | Link |
|---|---|
| The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
| Feature Name | Releases | Feature Information |
|---|---|---|
| Cisco TrustSec Network Device Admission Control | Cisco IOS 15.0(1)SE, Cisco IOS 15.1(1)SG, Cisco IOS 15.2(3)E | The Cisco TrustSec Network Device Admission Control (NDAC) feature creates an independent layer of trust between Cisco TrustSec devices to prohibit rogue devices from being allowed on the network. In Cisco IOS XE Release 3.6E, this feature is supported on Cisco Catalyst 3850 Series Switches. The following commands were introduced or modified: cts dot1x, propagate sgt (config-if-cts-dot1x), sap mode-list, timer reauthentication. |