Cisco TrustSec Support for IOS

Any device that participates in the CTS network requires it to be authenticated and trusted. New devices that connect to the CTS network use an enrollment process to obtain CTS authentication credentials and receive general information about the CTS environment to facilitate the authentication process. Device enrollment can happen either directly with an Authentication Server (AS) provided the device has L3 connectivity to AS or through a peer Authenticator (AT) device, such as a switch or router that facilitates enrollment with an AS.

Access switches or routers are the authentication points in typical branch access scenarios and have direct connectivity to the AS. They authenticate endpoints through EAP-FAST Phase 0 for dynamic PAC provisioning or RADIUS and EAP exchange. When endpoints are successfully authenticated, they receive user-specific AAA attributes that include the SGT, which in turn is relayed to a router using SXP. The router initiates EAP-FAST Phase 0 exchange with the available AS and obtains a PAC. This is accomplished by a local PAC-provisioning driver, which acts as a pass-through authenticator to the supplicant EAP-FAST engine running on the router.

The RADIUS protocol requires a secret to be shared between a client and a server. Shared secrets are used to verify that RADIUS messages are sent by a RADIUS enabled device that is configured with the same shared secret. Shared secrets also verify that the RADIUS message has not been modified in transit (message integrity). The message integrity is checked by including the Message Authenticator attribute in the RADIUS messages. This attribute is a Hash-based Message Authentication Code-Message Digest 5 (HMAC-MD5) of the entire radius message using the shared secret as the key. The shared secret is also used to encrypt some RADIUS attributes, such as User-Password and Tunnel-Password.

EAP-FAST is a publicly accessible IEEE 802.1X extensible authentication protocol type that is used to support customers who cannot enforce a strong password policy. EAP-FAST is used for the following reasons:

• Digital certificates are not required.
• A variety of database types for usernames and passwords are supported.
• Password expiration and change are supported.
• EAP-FAST is flexible, easy to deploy and manage.

Note	Lightweight Directory Access Protocol (LDAP) users cannot be automatically PAC provisioned and must be manually provisioned.

EAP-FAST comprises three basic phases, but only Phase 0 is supported. Phase 0 initially distributes the PAC to the client device.

Note	Unsupported EAP-FAST Phase 1 uses the PAC to establish a secure tunnel and Phase 2 authenticates the client through a secure tunnel.

Phase 0 or auto-provisioning (also called in-band provisioning) component of EAP-FAST permits the secure distribution of the user PAC to each device. With some other authentication protocols, it is necessary to establish a network connection or manually install a file in order to distribute credentials to the device. Phase 0 in EAP-FAST permits a PAC to be distributed to the device during an encrypted session after the device's credentials are authenticated. This device authentication uses a challenge-handshake protocol to authenticate the device and to validate the server response. This authentication mechanism guards against potential interception and reforwarding of provisioning requests for the purpose of intercepting a user PAC.

The end result of Phase 0 is PAC distribution. After successful PAC distribution, the server issues an authentication failure to the access point and the device is disassociated from the network. Then the device reinitiates an EAP-FAST authentication with the network using the newly provisioned PAC and the device's credentials.

The figure below shows an overview of EAP-FAST authentication.

The PAC is a unique shared credential used to mutually authenticate client and server. It is associated with a specific client username and a server authority identifier (A-ID). A PAC removes the need for Public Key Infrastructure (PKI) and digital certificates.

Creating a PAC consists of the following steps:

1. Server A-ID maintains a local key (master key) that is only known by the server.
2. When a client, which is referred to in this context as an initiator identity (I-ID), requests a PAC from the server, the server generates a randomly unique PAC key and PAC-Opaque field for this client.
3. The PAC-Opaque field contains the randomly generated PAC key along with other information such as an I-ID and key lifetime.
4. PAC Key, I-ID, and Lifetime in the PAC-Opaque field are encrypted with the master key.
5. A PAC-Info field that contains the A-ID is created.
6. The PAC is distributed or imported to the client automatically.

Note	The server does not maintain the PAC or the PAC key, enabling the EAP-FAST server to be stateless.

The figure below describes the PAC's construction. A PAC consists of the PAC-Opaque, PAC Key, and PAC-Info fields. The PAC-Info field contains the A-ID.

In Secure RADIUS, the PAC key is provisioned into each device during authentication to derive the shared secret. Since the RADIUS ACS does not store the PAC key for each device, the clients must also send an additional RADIUS attribute containing the PAC-Opaque field, which is a variable length field that can only be interpreted by the server to recover the required information and validate the peer's identity and authentication. For example, the PAC-Opaque field may include the PAC key and the PAC's peer identity.

The PAC-Opaque field format and contents are specific to the PAC server on which it is issued. The RADIUS server obtains the PAC Key from the PAC-Opaque field and derives the shared secret the same way clients do. Secure RADIUS only modifies the way shared secret is derived and not its usage.

EAP-FAST Phase 0 is used to automatically provision a client with a PAC.

1.    enable

2.    license install stored-location-url

3.    license boot module module-name technology-package package-name

4.    reload

5.    show license udi

See the "Configuring Cisco TrustSec Credentials" section to configure the basic parameters needed to make Cisco TrustSec operational on your router.

1.    enable

2.    cts credentials id cts-id password password

3.    configure terminal

4.    aaa new-model

5.    aaa authentication dot1x default group radius

6.    cts authorization list network list-name

7.    aaa authorization network list-name group radius

8.    exit

9.    show cts server-list

10.    show cts credentials

1.    enable

2.    configure terminal

3.    aaa new-model

4.    radius server name

5.    address ipv4 hostname [acct-port port | alias name | auth-port port [acct-port port]]

6.    pac key encryption-key

Note	Automatic PAC Provisioning can also be triggered by Secure RADIUS when the server has no PAC or when an Access-Reject message is received from the Autonomous System (AS) says "PAC Expired".