Configuring Credentials and AAA for a Cisco TrustSec Seed Device
A Cisco TrustSec-capable device that is directly connected to the authentication server, or indirectly connected but is the first device to begin the TrustSec domain, is called the seed device. Other Cisco TrustSec network devices are non-seed devices.
Note: You must also configure the Cisco TrustSec credentials for the switch on the Cisco Identity Services Engine (Cisco ISE) or the Cisco Secure Access Control Server (Cisco ACS).
To enable NDAC and AAA on the seed switch so that it can begin the Cisco TrustSec domain, perform these steps:
SUMMARY STEPS
- cts credentials id device-id password password
- enable
- configure terminal
- aaa new-model
- aaa authentication dot1x default group radius
- aaa authorization network mlist group radius
- cts authorization list mlist
- aaa accounting dot1x default start-stop group radius
- radius-server host ip-addr auth-port 1812 acct-port 1813 pac key secret
- radius-server vsa send authentication
- dot1x system-auth-control
- exit
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
1 | cts credentials id device-id password password | Specifies the Cisco TrustSec device ID and password for this switch to use when authenticating with other Cisco TrustSec devices with EAP-FAST. The device-id argument has a maximum length of 32 characters and is case sensitive.
2 | enable | Enables privileged EXEC mode.
3 | configure terminal | Enters global configuration mode.
4 | aaa new-model | Enables AAA.
5 | aaa authentication dot1x default group radius | Specifies the 802.1X port-based authentication method as RADIUS.
6 | aaa authorization network mlist group radius | Configures the switch to use RADIUS authorization for all network-related service requests.
7 | cts authorization list mlist | Specifies a Cisco TrustSec AAA server group. Non-seed devices will obtain the server list from the authenticator.
8 | aaa accounting dot1x default start-stop group radius | Enables 802.1X accounting using RADIUS.
9 | radius-server host ip-addr auth-port 1812 acct-port 1813 pac key secret | Specifies the RADIUS authentication server host address, service ports, and encryption key.
10 | radius-server vsa send authentication | Configures the switch to recognize and use vendor-specific attributes (VSAs) in RADIUS Access-Requests generated by the switch during the authentication phase.
11 | dot1x system-auth-control | Globally enables 802.1X port-based authentication.
12 | exit | Exits configuration mode.