The Cisco TrustSec
solution provides end-to-end security that is centrally managed using an
Authentication, Authorization, and Accounting (AAA) server. The AAA server
authenticates and authorizes each device coming into the network, and
encryption is done on a per-link basis. The authentication information is
downloaded to both the authenticating device (authenticator) and to the
incoming device (supplicant) that are added to the CTS network. Another key
component of Cisco TrustSec is the Cisco Identity Services Engine (ISE). The
ISE server is the policy control point for Cisco TrustSec. The authenticator
must be connected to the ISE server to ensure that the Cisco TrustSec 802.1X
links are active. After authentication, the supplicant is connected to the ISE
server through the authenticator.
Network Device Admission Control helps to add network devices into trusted
When the AAA server
is down, Cisco TrustSec can neither add any new device into the network nor
maintain the currently authenticated devices in the trusted network. This
situation results in the Cisco TrustSec links going into the disconnect state.
Cisco TrustSec Critical Authentication
feature aims to prevent the Cisco TrustSec 802.1X links from going down if the
AAA server is not reachable. For devices that are already in the trusted
network, previously obtained (cached) security group access control list
(SGACL) policies, peer security group tag (SGT) values, and pairwise master key
(PMK) values are used until the AAA server is reachable again. For new devices
coming into the network, the default peer-SGT value (trusted or untrusted),
default PMK value, and default SGACL policy are used until the AAA server is
reachable and the full authentication and authorization policy is received from
the AAA server.
values—SGACL policy, peer-SGT value, and PMK value—are configurable.
If a user does not
want to configure the PMK value, critical authentication brings up 802.1X links
without link encryption, and the Security Association Protocol (SAP)
negotiation does not occur between interfaces. The default PMK value is used
for all SAP negotiations.
authentication mode, preference is given to cached data because it is the last
valid set of values received from the AAA server. However, this is a
configurable option, and the user can decide if default values should be
preferred over cached values.
The Cisco TrustSec Critical Authentication feature is triggered only
when the AAA server is unreachable. It is not triggered if the AAA server
responds to an authenticator request from a device with a failure message
Consider this example: If the entry for Device A is deleted from the
AAA server and the AAA server is thus unreachable, a Device A link in
authenticator state will trigger the critical authentication feature . If
Device B is connected to this link, Device B will also enter into critical
authentication mode, and Device B will become the authenticator. Now, if Device
B has one or more other links in supplicant state that are connected to Device
A, then these supplicant links will attemp to to reauthenticate with the AAA
server. However, the AAA server will reject Device B's request for
authentication (by sending the Access-Reject message). As a result, critical
authentication feature on both devices will be terminated. The other interfaces
connected to both devices (with SAP negotiation on one end and 802.1x
authentication on the other) will now start flapping.
This is a security mechanism to prevent unauthorized devices from
assuming the role of authenticator.