| 802.1AE Tagging (MACsec)
Protocol for IEEE 802.1AE-based wire-rate hop-to-hop Layer 2 encryption.
Between MACsec-capable devices, packets are encrypted on egress from the transmitting device, decrypted on ingress to the
receiving device, and in the clear within the devices.
This feature is only available between TrustSec hardware-capable devices.
| Endpoint Admission Control (EAC)
EAC is an authentication process for an endpoint user or a device connecting to the TrustSec domain. Usually EAC takes place
at the access level switch. Successful authentication and authorization in the EAC process results in Security Group Tag assignment
for the user or device. Currently EAC can be 802.1X, MAC Authentication Bypass (MAB), and Web Authentication Proxy (WebAuth).
| Network Device Admission Control (NDAC)
NDAC is an authentication process where each network device in the TrustSec domain can verify the credentials and trustworthiness
of its peer device. NDAC utilizes an authentication framework based on IEEE 802.1X port-based authentication and uses EAP-FAST
as its EAP method. Successful authentication and authorization in NDAC process results in Security Association Protocol negotiation
for IEEE 802.1AE encryption.
| Security Group Access Control List (SGACL)
A Security Group Access Control List (SGACL) associates a Security Group Tag with a policy. The policy is enforced upon SGT-tagged
traffic egressing the TrustSec domain.
| Security Association Protocol (SAP)
After NDAC authentication, the Security Association Protocol (SAP) automatically negotiates keys and the cipher suite for
subsequent MACSec link encryption between TrustSec peers. SAP is defined in IEEE 802.11i.
| Security Group Tag (SGT)
An SGT is a 16-bit single label indicating the security classification of a source in the TrustSec domain. It is appended
to an Ethernet frame or an IP packet.
| SGT Exchange Protocol (SXP)
Security Group Tag Exchange Protocol (SXP). With SXP, devices that are not TrustSec-hardware-capable can receive SGT attributes
for authenticated users and devices from the Cisco Identity Services Engine (ISE) or the Cisco Secure Access Control System
(ACS). The devices can then forward a sourceIP-to-SGT binding to a TrustSec-hardware-capable device will tag the source traffic
for SGACL enforcement.