Cisco TrustSec Switch Configuration Guide
Configuring Identities and Connections


Configuring Identities, Connections, and SGTs


Revised: February 10, 2012, OL-22192-02

This section includes the following topics:

Configuring Credentials and AAA for a Cisco TrustSec Seed Device

Configuring Credentials and AAA for a Cisco TrustSec Non-Seed Device

Enabling Cisco TrustSec Authentication in 802.1X Mode on an Uplink Port

Configuring Cisco TrustSec Authentication in Manual Mode on an Uplink Port

Regenerating SAP Key on an Interface

Verifying the Cisco TrustSec Interface Configuration

Manually Configuring a Device SGT

Manually Configuring IP-Address-to-SGT Mapping

Displaying IP-Address-to-SGT Mappings

Configuring Additional Authentication Server-Related Parameters

Automatically Configuring a New or Replacement Password with the Authentication Server

Configuring Credentials and AAA for a Cisco TrustSec Seed Device

A Cisco TrustSec-capable device that is directly connected to the authentication server, or indirectly connected but is the first device to begin the TrustSec domain, is called the seed device. Other Cisco TrustSec network devices are non-seed devices.

To enable NDAC and AAA on the seed switch so that it can begin the Cisco TrustSec domain, perform these steps:

Release         Feature History
12.2(33)SXI3    This command was introduced on the Catalyst 6500 series switches.
12.2(50)SG7     This command was introduced on the Catalyst 4000 series switches.
12.2(53)SE2     This command was introduced on the Catalyst 3750(E), 3560(E) and 3750(X) series switches (without VRF or IPv6 support).


 
Command
Purpose

Step 1 

Router# cts credentials id device-id password password

Specifies the Cisco TrustSec device ID and password for this switch to use when authenticating with other Cisco TrustSec devices with EAP-FAST. The device-id argument has a maximum length of 32 characters and is case sensitive.

Step 2 

Router# configure terminal

Enters global configuration mode.

Step 3 

Router(config)# aaa new-model

Enables AAA.

Step 4 

Router(config)# aaa authentication dot1x default group radius

Specifies the 802.1X port-based authentication method as RADIUS.

Step 5 

Router(config)# aaa authorization network mlist group radius

Configures the switch to use RADIUS authorization for all network-related service requests.

mlist—The Cisco TrustSec AAA server group.

Step 6 

Router(config)# cts authorization list mlist

Specifies a Cisco TrustSec AAA server group. Non-seed devices will obtain the server list from the authenticator.

Step 7 

Router(config)# aaa accounting dot1x default start-stop group radius

Enables 802.1X accounting using RADIUS.

Step 8 

Router(config)# radius-server host ip-addr auth-port 1812 acct-port 1813 pac key secret

Specifies the RADIUS authentication server host address, service ports, and encryption key.

ip-addr—The IP address of the authentication server.

secret—The encryption key shared with the authentication server.

Step 9 

Router(config)# radius-server vsa send authentication

Configures the switch to recognize and use vendor-specific attributes (VSAs) in RADIUS Access-Requests generated by the switch during the authentication phase.

Step 10 

Router(config)# dot1x system-auth-control

Globally enables 802.1X port-based authentication.

Step 11 

Router(config)# exit

Exits configuration mode.


Note You must also configure the Cisco TrustSec credentials for the switch on the Cisco Secure ACS (see the Configuration Guide for the Cisco Secure ACS).


This example shows how to configure AAA for a Cisco TrustSec seed device:

Router# cts credentials id Switch1 password Cisco123
Router# configure terminal
Router(config)# aaa new-model
Router(config)# aaa authentication dot1x default group radius
Router(config)# aaa authorization network MLIST group radius
Router(config)# cts authorization list MLIST
Router(config)# aaa accounting dot1x default start-stop group radius
Router(config)# radius-server host 10.20.3.1 auth-port 1812 acct-port 1813 pac key AbCe1234
Router(config)# radius-server vsa send authentication
Router(config)# dot1x system-auth-control
Router(config)# exit

Configuring Credentials and AAA for a Cisco TrustSec Non-Seed Device

Release         Feature History
12.2(33)SXI3    This feature was introduced on the Catalyst 6500 series switches.
IOS-XE 3.3.0SG  This feature was introduced on the Catalyst 4000 series switches.
15.0(1)SE       This feature was introduced on the Catalyst 3750(E), 3560(E) and 3750(X) series switches.


To enable NDAC and AAA on a non-seed switch so that it can join the Cisco TrustSec domain, perform these steps:

 
Command
Purpose

Step 1 

Router# cts credentials id device-id password password

Specifies the Cisco TrustSec device ID and password for this switch to use when authenticating with other Cisco TrustSec devices with EAP-FAST. The device-id argument has a maximum length of 32 characters and is case sensitive.

Step 2 

Router# configure terminal

Enters global configuration mode.

Step 3 

Router(config)# aaa new-model

Enables AAA.

Step 4 

Router(config)# aaa authentication dot1x default group radius

Specifies the 802.1X port-based authentication method as RADIUS.

Step 5 

Router(config)# aaa authorization network mlist group radius

Configures the switch to use RADIUS authorization for all network-related service requests.

mlist—Specifies a Cisco TrustSec AAA server group.

Step 6 

Router(config)# aaa accounting dot1x default start-stop group radius

Enables 802.1X accounting using RADIUS.

Step 7 

Router(config)# radius-server vsa send authentication

Configures the switch to recognize and use vendor-specific attributes (VSAs) in RADIUS Access-Requests generated by the switch during the authentication phase.

Step 8 

Router(config)# dot1x system-auth-control

Globally enables 802.1X port-based authentication.

Step 9 

Router(config)# exit

Exits configuration mode.


Note You must also configure the Cisco TrustSec credentials for the switch on the Cisco Secure ACS (see the Configuration Guide for the Cisco Secure ACS).


This example shows how to configure AAA for Cisco TrustSec on a non-seed device:

Router# cts credentials id Switch2 password Cisco123
Router# configure terminal
Router(config)# aaa new-model
Router(config)# aaa authentication dot1x default group radius
Router(config)# aaa authorization network MLIST group radius
Router(config)# aaa accounting dot1x default start-stop group radius
Router(config)# radius-server vsa send authentication
Router(config)# dot1x system-auth-control
Router(config)# exit

Enabling Cisco TrustSec Authentication in 802.1X Mode on an Uplink Port

Release         Feature History
12.2(33)SXI3    This feature was introduced on the Catalyst 6500 series switches.
IOS-XE 3.3.0SG  This feature was introduced on the Catalyst 4000 series switches.
15.0(1)SE       This feature was introduced on the Catalyst 3750(X) series switches.


You must enable Cisco TrustSec authentication on each interface that will connect to another Cisco TrustSec device. To configure Cisco TrustSec authentication with 802.1X on an uplink interface to another Cisco TrustSec device, perform this task:

 
Command
Purpose

Step 1 

Router# configure terminal

Enters global configuration mode.

Step 2 

Router(config)# interface type slot/port

Enters interface configuration mode for the uplink interface.

Step 3 

Router(config-if)# cts dot1x

Configures the uplink interface to perform NDAC authentication.

Step 4 

Router(config-if-cts-dot1x)# [no] sap mode-list mode1 [mode2 [mode3 [mode4]]]

(Optional) Configures the SAP operation mode on the interface. The interface will negotiate with the peer for a mutually-acceptable mode. List the acceptable modes in your order of preference. Choices for mode are:

gcm—Authentication and encryption

gmac—Authentication, no encryption

no-encap—No encapsulation

null—Encapsulation, no authentication, no encryption

Note If the interface is not capable of SGT insertion or data link encryption, no-encap is the default and the only available SAP operating mode.

Step 5 

Router(config-if-cts-dot1x)# [no] timer reauthentication seconds

(Optional) Configures a reauthentication period to be used if the authentication server does not specify a period. If no reauthentication period is specified, the default period is 86400 seconds.

Step 6 

Router(config-if-cts-dot1x)# [no] propagate sgt

(Optional) The no form of this command is used when the peer is incapable of processing an SGT. The no propagate sgt command prevents the interface from transmitting the SGT to the peer.

Step 7 

Router(config-if-cts-dot1x)# exit

Exits Cisco TrustSec 802.1X interface configuration mode.

Step 8 

Router(config-if)# shutdown

Disables the interface.

Step 9 

Router(config-if)# no shutdown

Enables the interface and enables Cisco TrustSec authentication on the interface.

Step 10 

Router(config-if)# exit

Exits interface configuration mode.

This example shows how to enable Cisco TrustSec authentication in 802.1X mode on an interface using GCM as the preferred SAP mode; the authentication server did not provide a reauthentication timer:

Router# configure terminal
Router(config)# interface gi2/1
Router(config-if)# cts dot1x 
Router(config-if-cts-dot1x)# sap mode-list gcm null no-encap 
Router(config-if-cts-dot1x)# timer reauthentication 43200
Router(config-if-cts-dot1x)# exit 
Router(config-if)# shutdown
Router(config-if)# no shutdown
Router(config-if)# exit 
Router(config)# exit

Configuring Cisco TrustSec Authentication in Manual Mode on an Uplink Port

Release         Feature History
IOS 12.2(50)SY  This feature was introduced on the Catalyst 6500 series switches.
IOS-XE 3.3.0SG  This feature was introduced on the Catalyst 4000 series switches.
IOS 15.0(1)SE   This feature was introduced on the Catalyst 3750(X) series switches.


You can manually configure Cisco TrustSec on an interface if your switch does not have access to an authentication server or if 802.1X authentication is not needed. You must manually configure the interfaces on both ends of the connection.

To manually configure Cisco TrustSec on an uplink interface to another Cisco TrustSec device, perform this task:

 
Command
Purpose

Step 1 

Router# configure terminal

Enters global configuration mode.

Step 2 

Router(config)# interface type slot/port

Enters interface configuration mode for the uplink interface.

Step 3 

Router(config-if)# cts manual

Enters Cisco TrustSec manual configuration mode.

Step 4 

Router(config-if-cts-manual)# [no] sap pmk key [mode-list mode1 [mode2 [mode3 [mode4]]]]

(Optional) Configures the SAP pairwise master key (PMK) and operation mode. SAP is disabled by default in Cisco TrustSec manual mode.

key—A hexadecimal value with an even number of characters and a maximum length of 32 characters.

The SAP operation mode options are:

gcm—Authentication and encryption

gmac—Authentication, no encryption

no-encap—No encapsulation

null—Encapsulation, no authentication or encryption

Note If the interface is not capable of SGT insertion or data link encryption, no-encap is the default and the only available SAP operating mode.

Step 5 

Router(config-if-cts-manual)# [no] policy dynamic identity peer-name

(Optional) Configures Identity Port Mapping (IPM) to allow the authorization policy to be downloaded dynamically from the authorization server, based on the identity of the peer. See the additional usage notes following this task.

peer-name—The Cisco TrustSec device ID for the peer device. The peer name is case sensitive.

Note Ensure that you have configured the Cisco TrustSec credentials (see "Configuring Credentials and AAA for a Cisco TrustSec Seed Device" section).

Router(config-if-cts-manual)# [no] policy static sgt tag [trusted]

(Optional) Configures a static authorization policy. See the additional usage notes following this task.

tag—The SGT in decimal format. The range is 1 to 65533.

trusted—Indicates that ingress traffic on the interface with this SGT should not have its tag overwritten.

Step 6 

Router(config-if-cts-manual)# [no] propagate sgt

(Optional) The no form of this command is used when the peer is incapable of processing an SGT. The no propagate sgt command prevents the interface from transmitting the SGT to the peer.

Step 7 

Router(config-if-cts-manual)# exit

Exits Cisco TrustSec manual interface configuration mode.

Step 8 

Router(config-if)# shutdown

Disables the interface.

Step 9 

Router(config-if)# no shutdown

Enables the interface and enables Cisco TrustSec authentication on the interface.

Step 10 

Router(config-if)# exit

Exits interface configuration mode.

Identity Port Mapping (IPM) configures a physical port such that a single SGT is imposed on all traffic entering the port; this SGT is applied on all IP traffic exiting the port until a new binding is learned. IPM is configured as follows:

CTS Manual interface configuration mode with the policy static sgt tag command

CTS Manual interface configuration mode with the policy dynamic identity peer-name command where peer-name is designated as non-trusted in the Cisco ACS or Cisco ISE configuration.

IPM is supported for the following ports:

Routed ports

Switchports in access mode

Switchports in trunk mode

When manually configuring Cisco TrustSec on an interface, consider these usage guidelines and restrictions:

If no SAP parameters are defined, no Cisco TrustSec encapsulation or encryption will be performed.

If the selected SAP mode allows SGT insertion and an incoming packet carries no SGT, the tagging policy is as follows:

If the policy static command is configured, the packet is tagged with the SGT configured in the policy static command.

If the policy dynamic command is configured, the packet is not tagged.

If the selected SAP mode allows SGT insertion and an incoming packet carries an SGT, the tagging policy is as follows:

If the policy static command is configured without the trusted keyword, the SGT is replaced with the SGT configured in the policy static command.

If the policy static command is configured with the trusted keyword, no change is made to the SGT.

If the policy dynamic command is configured and the authorization policy downloaded from the authentication server indicates that the packet source is untrusted, the SGT is replaced with the SGT specified by the downloaded policy.

If the policy dynamic command is configured and the downloaded policy indicates that the packet source is trusted, no change is made to the SGT.

This example shows how to configure Cisco TrustSec authentication in manual mode on an interface:

Router# configure terminal
Router(config)# interface gi2/1
Router(config-if)# cts manual 
Router(config-if-cts-manual)# sap pmk 1234abcdef mode-list gcm null no-encap
Router(config-if-cts-manual)# exit 
Router(config-if)# shutdown
Router(config-if)# no shutdown
Router(config-if)# exit 
Router(config)# exit
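
The tagging rules listed above are easy to misread when a link falls back to a weaker SAP mode or when a static policy is configured without the trusted keyword. The following Python model is an added example, not code from the guide or from Cisco IOS: it encodes the page's rules for what SGT an ingress packet ends up with under a given manual-mode policy. ManualPolicy, ingress_sgt and the downloaded_sgt/downloaded_trusted fields are assumptions made here to represent the server-supplied policy; the SGT range check uses the 1 to 65533 range stated in Step 5.

```python
from dataclasses import dataclass
from typing import Optional

# SAP modes that carry the Cisco TrustSec encapsulation and therefore an SGT field.
# no-encap carries no encapsulation, so the page's tagging rules do not apply to it.
SGT_INSERTING_MODES = {"gcm", "gmac", "null"}


@dataclass
class ManualPolicy:
    """Ingress policy of one interface in cts manual mode (assumed model, not IOS data)."""
    sap_mode: Optional[str] = None       # mode negotiated from 'sap pmk ... mode-list'; None = no SAP
    static_sgt: Optional[int] = None     # 'policy static sgt <tag>'
    trusted: bool = False                # the 'trusted' keyword on 'policy static'
    dynamic_peer: Optional[str] = None   # 'policy dynamic identity <peer-name>'
    # Policy downloaded from the authentication server for dynamic_peer (constructed:
    # the page only says it carries an SGT and a trusted/untrusted verdict).
    downloaded_sgt: Optional[int] = None
    downloaded_trusted: Optional[bool] = None

    def __post_init__(self):
        for tag in (self.static_sgt, self.downloaded_sgt):
            if tag is not None and not 1 <= tag <= 65533:  # range stated in Step 5
                raise ValueError(f"SGT {tag} is outside 1-65533")


def ingress_sgt(policy: ManualPolicy, incoming_sgt: Optional[int]) -> Optional[int]:
    """SGT the switch associates with an ingress packet, or None if it stays untagged."""
    if policy.sap_mode not in SGT_INSERTING_MODES:
        # No SAP parameters, or no-encap: no encapsulation, so no SGT is read or inserted.
        return None
    if incoming_sgt is None:
        # Untagged packet: a static policy tags it; a dynamic policy leaves it untagged.
        return policy.static_sgt
    if policy.static_sgt is not None:
        # Tagged packet: static policy overwrites the tag unless 'trusted' is configured.
        return incoming_sgt if policy.trusted else policy.static_sgt
    if policy.dynamic_peer is not None and policy.downloaded_trusted is not None:
        # Tagged packet: the downloaded policy decides whether the source is trusted.
        return incoming_sgt if policy.downloaded_trusted else policy.downloaded_sgt
    # No policy configured, or none downloaded yet: the page states no rule, so the
    # tag is kept unchanged here (assumption).
    return incoming_sgt


if __name__ == "__main__":
    weak_link = ManualPolicy(sap_mode="null", static_sgt=10)
    print("null SAP, static 10, packet tagged 5 ->", ingress_sgt(weak_link, 5))
```

The first branch is the one worth remembering operationally: with the example configuration above, mode-list gcm null no-encap, a peer that only supports no-encap still comes up, but none of the tagging rules apply on that link.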

Regenerating SAP Key on an Interface

The ability to manually refresh encryption keys is often part of network administration security requirements. SAP key refresh ordinarily occurs automatically, triggered by combinations of network events and non-configurable internal timers.

Release         Feature History
12.2(50)SY      This feature was introduced on the Catalyst 6500 series switches.
IOS-XE 3.3.0SG  This feature was introduced on the Catalyst 4000 series switches.
15.0(1)SE       This feature was introduced on the Catalyst 3750(E), 3560(E) and 3750(X) series switches.


 
Command
Purpose

Step 1 

Router# cts rekey interface type slot/port

Forces renegotiation of SAP keys on MACsec link.

Verifying the Cisco TrustSec Interface Configuration

To view the TrustSec-related interface configuration, perform this task:

 
Command
Purpose

Step 1 

Router# show cts interface [interface type slot/port | brief | summary]

Displays TrustSec-related interface configuration.

This example shows how to view the TrustSec-related interface configuration:

Router# show cts interface interface gi3/3 
Global Dot1x feature is Enabled
Interface GigabitEthernet3/3:
    CTS is enabled, mode:    DOT1X
    IFC state:               OPEN
    Authentication Status:   SUCCEEDED
        Peer identity:       "sanjose"
        Peer's advertised capabilities: ""
        802.1X role:         Supplicant
        Reauth period applied to link:  Not applicable to Supplicant role
    Authorization Status:    SUCCEEDED
        Peer SGT:            11
        Peer SGT assignment: Trusted
    SAP Status:              NOT APPLICABLE
        Configured pairwise ciphers:
            gcm-encrypt
            null
        Replay protection:      enabled
        Replay protection mode: OUT-OF-ORDER
        Selected cipher:        
    Cache Info:
        Expiration            : 23:32:40 PDT Jun 22 2009
        Cache applied to link : NONE
        Expiration            : 23:32:40 PDT Jun 22 2009
    Statistics:
        authc success:              1
        authc reject:               0
        authc failure:              0
        authc no response:          0
        authc logoff:               0
        sap success:                0
        sap fail:                   0
        authz success:              1
        authz fail:                 0
        port auth fail:             0
Dot1x Info for GigabitEthernet3/1
-----------------------------------
PAE                       = SUPPLICANT
StartPeriod               = 30
AuthPeriod                = 30
HeldPeriod                = 60
MaxStart                  = 3
Credentials profile       = CTS-ID-profile
EAP profile               = CTS-EAP-profile
Dot1x Info for GigabitEthernet3/1
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = FORCE_AUTHORIZED
ControlDirection          = Both
HostMode                  = SINGLE_HOST
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 55
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
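
Because the interface negotiates a mutually acceptable SAP mode from the configured list, a link intended to run gcm can silently come up on null or with SAP not applicable at all. The parser below is an added example, not part of the guide or of any Cisco tool: it reads show cts interface output in the format shown above and reports links whose SAP did not settle on the required cipher. The sample output is constructed for this example (the first interface mirrors the page's output; the other two are invented), and the "SUCCEEDED" SAP status and "gcm-encrypt"/"null" cipher names are taken from the page's output and cipher list.

```python
import re

# Constructed sample: interface 3/3 follows the page's output, 3/4 and 3/5 are invented
# to show a link that negotiated null and one that negotiated gcm-encrypt.
SAMPLE_OUTPUT = """\
Global Dot1x feature is Enabled
Interface GigabitEthernet3/3:
    CTS is enabled, mode:    DOT1X
    IFC state:               OPEN
    Authentication Status:   SUCCEEDED
        Peer identity:       "sanjose"
        Peer SGT:            11
        Peer SGT assignment: Trusted
    SAP Status:              NOT APPLICABLE
        Configured pairwise ciphers:
            gcm-encrypt
            null
        Replay protection:      enabled
        Selected cipher:        
    Statistics:
        sap success:                0
Interface GigabitEthernet3/4:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    SAP Status:              SUCCEEDED
        Configured pairwise ciphers:
            gcm-encrypt
            null
        Selected cipher:        null
Interface GigabitEthernet3/5:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    SAP Status:              SUCCEEDED
        Configured pairwise ciphers:
            gcm-encrypt
        Selected cipher:        gcm-encrypt
Dot1x Info for GigabitEthernet3/3
-----------------------------------
PAE                       = SUPPLICANT
"""


def parse_cts_interfaces(text):
    """Return {interface_name: {field: value}} for each 'Interface X:' block.

    'key: value' lines become string fields; the bare cipher names under
    'Configured pairwise ciphers:' are collected into a list."""
    interfaces, current, list_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Interface (\S+):$", line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
            list_key = None
            continue
        if line.startswith("Dot1x Info"):
            current = None          # trailing dot1x section is not part of the CTS block
        if current is None or line.startswith("---"):
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Configured pairwise ciphers" and value == "":
                current[key] = []
                list_key = key
            else:
                current[key] = value
                list_key = None
        elif list_key is not None and line:
            current[list_key].append(line)
    return interfaces


def unencrypted_links(interfaces, required_cipher="gcm-encrypt"):
    """Interfaces whose SAP did not end on the required cipher: SAP not running, or a
    weaker mode negotiated from the mode list. Returns [(interface, reason)]."""
    findings = []
    for name, fields in interfaces.items():
        status = fields.get("SAP Status", "")
        cipher = fields.get("Selected cipher", "")
        if status != "SUCCEEDED":
            findings.append((name, f"SAP status is {status or 'unknown'}"))
        elif cipher != required_cipher:
            findings.append((name, f"negotiated {cipher or 'no cipher'} instead of {required_cipher}"))
    return findings


if __name__ == "__main__":
    for name, reason in unencrypted_links(parse_cts_interfaces(SAMPLE_OUTPUT)):
        print(f"{name}: {reason}")
```

Run it against the output of show cts interface summary or the per-interface form; anything it lists is a link where SGT propagation is unauthenticated or unencrypted even though gcm was first in the configured mode list.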

Manually Configuring a Device SGT

Release         Feature History
12.2(50)SY      This feature was introduced on the Catalyst 6500 series switches.


In normal Cisco TrustSec operation, the authentication server assigns an SGT to the device for packets originating from the device. You can manually configure an SGT to be used if the authentication server is not accessible, but an authentication server-assigned SGT will take precedence over a manually-assigned SGT.

To manually configure an SGT on the device, perform this task:

 
Command
Purpose

Step 1 

Router# configure terminal

Enters global configuration mode.

Step 2 

Router(config)# cts sgt tag

Configures the SGT for packets sent from the device. The tag argument is in decimal format. The range is 1 to 65533.

Step 3 

Router(config)# exit

Exits configuration mode.

This example shows how to manually configure a device SGT:

Router# configure terminal
Router(config)# cts sgt 1234
Router(config)# exit

Manually Configuring IP-Address-to-SGT Mapping

Release         Feature History
12.2(50)SY      This feature was introduced on the Catalyst 6500 series switches.
15.0(0)SY       The following keywords were added to the cts role-based sgt-map command on the Catalyst 6500 series switches: ipv4-address/prefix, ipv6-address/prefix, interface.


If your switch has no Cisco Identity Services Engine, Cisco Secure ACS, dynamic ARP inspection, DHCP snooping, or Host Tracking available to map SGTs automatically to source IP addresses and VLAN members, you can specify the SGTs manually as follows:

 
Command
Purpose

Step 1 

Router# configure terminal

Enters global configuration mode.

Step 2 

Router(config)# cts role-based sgt-map
  {ipv4-address | ipv4-prefix/prefix | ipv6-address | ipv6-prefix::prefix} |
  host {ipv4-address | ipv6-address} |
  interface type slot/port [security-group name] |
  vlan-list {vlan_IDs | all} |
  vrf vrf-name {ipv4-address | ipv4-address/prefix | ipv6-address | ipv6-address::prefix | host {ipv4-address | ipv6-address}}
  sgt tag

The specified SGT is bound with an incoming packet when the packet attributes meet any of the following criteria:

Source address belongs to a specified network:

cts role-based sgt-map ipv4-address | ipv6-address sgt tag

Source address belongs to a specified subnet:

cts role-based sgt-map ipv4-address/prefix | ipv6-address::prefix sgt tag

Source address matches a specified network host:

cts role-based sgt-map host ipv4-address | ipv6-address sgt tag

Packet ingresses on a specified Layer 3 interface:

cts role-based sgt-map interface type slot/port sgt tag

VLAN ID matches one in a configured list:

cts role-based sgt-map vlan-list [vlan_IDs |all] sgt tag

VRF instances—The keyword vrf must be followed by the name of an already defined VRF. The binding specified in this command is entered into the IP-SGT table associated with the specified VRF and with the IP protocol version implied by the type of IP address entered.

Step 3 

Router(config)# exit

Exits configuration mode.

A binding is used locally on the system for SGT imposition and SGACL enforcement. It is exported to SXP peers if it is the only binding known for the specified host IP address, subnet, Layer 3 interface, VLAN ID, or VRF instance.

SXP expands IPv4 and IPv6 subnet bindings to all possible individual host bindings and exports them. IPv6 bindings and subnet bindings are exported only to SXP listener peers of SXP version 2 or later.

Layer 3 interface mapping to SGT (L3IF) is supported on the following L3 logical or physical interfaces regardless of the underlying physical interface:

Routed port

SVI (VLAN interface)

L3 subinterface of L2 port

Tunnel interface

This example shows how to manually configure and verify an IP address to SGT mapping:

Router# configure terminal
Router(config)# cts role-based sgt-map 10.10.10.5 sgt 1234
Router(config)# exit
Router# show cts role-based sgt-map all
Active IP-SGT Bindings Information
IP Address              SGT     Source
============================================
10.10.10.5              1234    CLI
IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 1
Total number of active   bindings = 1

Displaying IP-Address-to-SGT Mappings

To display IP address to SGT mappings, perform this task:

 
Command
Purpose

Step 1 

Router# show cts role-based sgt-map
  {ipv4-address | ipv4-address/prefix | ipv6-address | ipv6-address/prefix |
  all [details | ipv4 | ipv6] |
  host {ipv4-address | ipv6-address} [details] |
  summary {ipv4 | ipv6} |
  vrf instance_name {ipv4-address | ipv4-address/prefix | ipv6-address | ipv6-address/prefix | all {ipv4 | ipv6} | host {ipv4-address | ipv6-address} | summary {ipv4 | ipv6}}}

Displays the Cisco TrustSec SGT mapping configurations.

This example shows how to display IP address to SGT mappings:

Router# show cts role-based sgt-map all
Active IP-SGT Bindings Information
IP Address              SGT     Source
============================================
10.1.1.2                4       INTERNAL
11.1.1.2                4       INTERNAL
12.1.1.2                4       INTERNAL
14.1.1.15               4       INTERNAL
16.1.1.0/24             3       L3IF
20.1.1.2                4       INTERNAL
30.1.1.0/24             3       L3IF
30.1.1.2                4       INTERNAL
42.1.1.0/24             3       L3IF
48.1.1.0/24             3       L3IF
51.1.1.0/24             3       L3IF
51.1.1.2                4       INTERNAL
52.1.1.1                4       INTERNAL
53.1.1.0/24             3       L3IF
63.1.1.2                4       INTERNAL
76.1.1.3                4       INTERNAL
80.1.1.1                5       CLI
80.1.1.2                4       INTERNAL
90.1.1.2                4       INTERNAL
100.1.1.10              4       INTERNAL
101.1.1.1               4       INTERNAL
104.1.1.1               3       L3IF
110.1.1.1               4       INTERNAL
IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 1
Total number of L3IF     bindings = 7
Total number of INTERNAL bindings = 15
Total number of active   bindings = 23

Binding Source Priorities

TrustSec resolves conflicts among IP-SGT binding sources with a strict priority scheme. For example, an SGT may be applied to an interface with the policy {dynamic identity peer-name | static sgt tag} CTS Manual interface mode command (Identity Port Mapping). The current priority enforcement order, from lowest to highest, is as follows:

1. VLAN—Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping configured.

2. CLI— Address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.

3. Layer 3 Interface—(L3IF) Bindings added due to FIB forwarding entries that have paths through one or more interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports.

4. SXP—Bindings learned from SXP peers.

5. IP_ARP—Bindings learned when tagged ARP packets are received on a CTS capable link.

6. LOCAL—Bindings of authenticated hosts that are learned via EPM and device tracking. This type of binding also includes individual hosts that are learned via ARP snooping on Layer 2 ports with IPM configured.

7. INTERNAL—Bindings between locally configured IP addresses and the device's own SGT.
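
The priority order above and the show cts role-based sgt-map all output from the previous section fit together in a small audit script. The following Python is an added example written for this page, not code from the guide or from Cisco: it parses the binding table, recounts bindings per source against the switch's own summary lines (so a truncated capture or a misread table is caught), and resolves a conflicting set of candidate bindings for one address with the page's lowest-to-highest priority list. The sample output is constructed from the page's format; parse_sgt_map, check_summary, resolve and effective_bindings are names chosen here.

```python
import re

# Priority order from the page, lowest to highest; the highest-ranked source wins.
SOURCE_PRIORITY = ["VLAN", "CLI", "L3IF", "SXP", "IP_ARP", "LOCAL", "INTERNAL"]
RANK = {src: i for i, src in enumerate(SOURCE_PRIORITY)}

# Constructed sample in the format of 'show cts role-based sgt-map all'.
SAMPLE_OUTPUT = """\
Active IP-SGT Bindings Information
IP Address              SGT     Source
============================================
10.1.1.2                4       INTERNAL
16.1.1.0/24             3       L3IF
80.1.1.1                5       CLI
80.1.1.2                4       INTERNAL
IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 1
Total number of L3IF     bindings = 1
Total number of INTERNAL bindings = 2
Total number of active   bindings = 4
"""

BINDING_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s*$")
SUMMARY_RE = re.compile(r"^Total number of (\S+)\s+bindings = (\d+)$")


def parse_sgt_map(text):
    """Return ([(ip_or_prefix, sgt, source), ...], {source_or_'active': count})."""
    bindings, summary = [], {}
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:                       # header lines never match: no numeric SGT column
            bindings.append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
    return bindings, summary


def check_summary(bindings, summary):
    """Recount bindings per source; return {source: (counted, reported)} for mismatches."""
    counts = {}
    for _, _, src in bindings:
        counts[src] = counts.get(src, 0) + 1
    counts["active"] = len(bindings)
    return {k: (counts.get(k, 0), v) for k, v in summary.items() if counts.get(k, 0) != v}


def resolve(candidates):
    """candidates: iterable of (sgt, source) proposed for one address.
    Returns the (sgt, source) that wins under the strict priority order."""
    return max(candidates, key=lambda c: RANK[c[1]])


def effective_bindings(bindings):
    """Collapse possibly conflicting bindings to one winner per address."""
    by_addr = {}
    for addr, sgt, src in bindings:
        by_addr.setdefault(addr, []).append((sgt, src))
    return {addr: resolve(c) for addr, c in by_addr.items()}


if __name__ == "__main__":
    parsed, reported = parse_sgt_map(SAMPLE_OUTPUT)
    print("mismatches:", check_summary(parsed, reported))
    print("80.1.1.1 with CLI, SXP and VLAN candidates ->",
          resolve([(5, "CLI"), (9, "SXP"), (2, "VLAN")]))
```

The resolve step is the practical takeaway: a CLI binding entered with cts role-based sgt-map is overridden by anything an SXP peer advertises for the same address, so a manual mapping cannot be relied on to pin an address to an SGT once SXP is in use.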

Configuring Additional Authentication Server-Related Parameters

To configure the interaction between a switch and the Cisco TrustSec server, perform one or more of these tasks:

 
Command
Purpose

Step 1 

Router# configure terminal

Enters global configuration mode.

Step 2 

Router(config)# [no] cts server deadtime seconds

(Optional) Specifies how long a server in the group should not be selected for service once it has been marked as dead. The default is 20 seconds; the range is 1 to 864000.

Step 3 

Router(config)# [no] cts server load-balance method least-outstanding [batch-size transactions] [ignore-preferred-server]

(Optional) Enables RADIUS load balancing for the Cisco TrustSec private server group and chooses the server with the least outstanding transactions. By default, no load balancing is applied. The default batch-size is 25 transactions.

The ignore-preferred-server keyword instructs the switch not to try to use the same server throughout a session.

Step 4 

Router(config)# [no] cts server test {server-IP-address | all} {deadtime seconds | enable | idle-time seconds}

(Optional) Configures the server-liveliness test for a specified server or for all servers on the dynamic server list. By default, the test is enabled for all servers. The default idle-time is 60 seconds; the range is from 1 to 14400.

Step 5 

Router(config)# exit

Exits configuration mode.

Step 6 

Router# show cts server-list

Displays status and configuration details of a list of Cisco TrustSec servers.

This example shows how to configure server settings and how to display the Cisco TrustSec server list:

Router# configure terminal
Router(config)# cts server load-balance method least-outstanding batch-size 50 ignore-preferred-server
Router(config)# cts server test all deadtime 20
Router(config)# cts server test all enable
Router(config)# cts server test 10.15.20.102 idle-time 120
Router(config)# exit 
Router# show cts server-list  
CTS Server Radius Load Balance = ENABLED
  Method     = least-outstanding
  Batch size = 50
  Ignore preferred server
Server Group Deadtime = 20 secs (default)
Global Server Liveness Automated Test Deadtime = 20 secs
Global Server Liveness Automated Test Idle Time = 60 mins 
Global Server Liveness Automated Test = ENABLED (default)
Preferred list, 1 server(s):
 *Server: 10.15.20.102, port 1812, A-ID  87B3503255C4384485BB808DC24C6F55
                Status = ALIVE
                auto-test = TRUE, idle-time = 120 mins, deadtime = 20 secs
Installed list: SL1-1E6E6AE57D4E2A9B320D1844C68BA291, 3 server(s):
 *Server: 10.15.20.102, port 1812, A-ID  87B3503255C4384485BB808DC24C6F55
                Status = ALIVE
                auto-test = TRUE, idle-time = 60 mins, deadtime = 20 secs
 *Server: 10.15.20.101, port 1812, A-ID 255C438487B3503485BBC6F55808DC24
                Status = ALIVE
                auto-test = TRUE, idle-time = 60 mins, deadtime = 20 secs
Installed list: SL2-1E6E6AE57D4E2A9B320D1844C68BA293, 3 server(s):
 *Server: 10.0.0.1, port 1812, A-ID 04758B1F05D8C1439F27F9509E07CFB6.
                Status = ALIVE
                auto-test = TRUE, idle-time = 60 mins, deadtime = 20 secs
 *Server: 10.0.0.2, port 1812, A-ID 04758B1F05D8C1439F27F9509E07CFB6.
                Status = DEAD
                auto-test = TRUE, idle-time = 60 mins, deadtime = 20 secs
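
A server marked DEAD in this list means NDAC authentications and policy downloads will be steered away from it until the deadtime expires, so the output is worth checking from a monitoring job rather than by eye. The parser below is an added example, not part of the guide or of any Cisco tool: it reads show cts server-list output in the format shown above and returns dead servers, lists with no live server, and lists whose declared server count does not match the entries shown. The sample text is constructed from the page's output (IP addresses and A-ID values are the page's own); parse_server_list and server_health are names chosen here.

```python
import re

# Constructed sample in the format of 'show cts server-list'; one installed list is
# shortened to two servers and declared as such.
SAMPLE_OUTPUT = """\
CTS Server Radius Load Balance = ENABLED
  Method     = least-outstanding
  Batch size = 50
  Ignore preferred server
Server Group Deadtime = 20 secs (default)
Preferred list, 1 server(s):
 *Server: 10.15.20.102, port 1812, A-ID  87B3503255C4384485BB808DC24C6F55
                Status = ALIVE
                auto-test = TRUE, idle-time = 120 mins, deadtime = 20 secs
Installed list: SL2-1E6E6AE57D4E2A9B320D1844C68BA293, 2 server(s):
 *Server: 10.0.0.1, port 1812, A-ID 04758B1F05D8C1439F27F9509E07CFB6.
                Status = ALIVE
                auto-test = TRUE, idle-time = 60 mins, deadtime = 20 secs
 *Server: 10.0.0.2, port 1812, A-ID 04758B1F05D8C1439F27F9509E07CFB6.
                Status = DEAD
                auto-test = TRUE, idle-time = 60 mins, deadtime = 20 secs
"""

LIST_RE = re.compile(r"^(Preferred list|Installed list: \S+), (\d+) server\(s\):$")
SERVER_RE = re.compile(r"^\s*\*Server: ([\d.]+), port (\d+), A-ID\s+([0-9A-F]+)")
STATUS_RE = re.compile(r"^\s*Status = (\w+)")
AUTOTEST_RE = re.compile(r"auto-test = (\w+), idle-time = (\d+) mins, deadtime = (\d+) secs")


def parse_server_list(text):
    """Return {list_name: {"declared": n, "servers": [server dict, ...]}}."""
    lists, current, server = {}, None, None
    for line in text.splitlines():
        m = LIST_RE.match(line)
        if m:
            current = lists.setdefault(m.group(1), {"declared": int(m.group(2)), "servers": []})
            continue
        m = SERVER_RE.match(line)
        if m and current is not None:
            server = {"ip": m.group(1), "port": int(m.group(2)), "a_id": m.group(3), "status": None}
            current["servers"].append(server)
            continue
        m = STATUS_RE.match(line)
        if m and server is not None:
            server["status"] = m.group(1)
            continue
        m = AUTOTEST_RE.search(line)
        if m and server is not None:
            server["auto_test"] = m.group(1) == "TRUE"
            server["idle_time_mins"] = int(m.group(2))
            server["deadtime_secs"] = int(m.group(3))
    return lists


def server_health(lists):
    """Findings a monitoring job would raise, as [(list_name, reason)]."""
    findings = []
    for name, info in lists.items():
        servers = info["servers"]
        dead = [s["ip"] for s in servers if s["status"] == "DEAD"]
        for ip in dead:
            findings.append((name, f"server {ip} is DEAD"))
        if servers and len(dead) == len(servers):
            findings.append((name, "no ALIVE server in list"))
        if len(servers) != info["declared"]:
            findings.append((name, f"declared {info['declared']} servers, found {len(servers)}"))
    return findings


if __name__ == "__main__":
    for name, reason in server_health(parse_server_list(SAMPLE_OUTPUT)):
        print(f"{name}: {reason}")
```

The per-server idle-time and deadtime fields are also returned, so the same parse can confirm that a cts server test change (such as the 120-minute idle time set on 10.15.20.102 above) actually took effect on the preferred server.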

Automatically Configuring a New or Replacement Password with the Authentication Server

Release         Feature History
12.2(50)SY      This feature was introduced on the Catalyst 6500 series switches.
IOS-XE 3.3.0SG  This feature was introduced on the Catalyst 4000 series switches.
15.0(1)SE       This feature was introduced on the Catalyst 3750(X) series switches.


As an alternative to manually configuring the password between the switch and the authentication server, you can initiate a password negotiation from the switch. To configure the password negotiation, perform this task:

 
Command
Purpose

Step 1 

Router# cts change-password server ip-address port {key secret | a-id a-id}

Initiates a password negotiation between the switch and the authentication server.

ip-address—The IP address of the authentication server.

port—The UDP port of the authentication server.

key secret—The RADIUS shared secret of the authentication server.

a-id a-id—The A-ID associated with the authentication server.