
NX-OS TrustSec

posted Apr 27, 2014, 12:50 PM by Rick McGee   [ updated Apr 29, 2014, 3:26 PM ]
Originally TrustSec was 802.1ae MACsec (Layer 2 encryption)

Now it's more formally Cisco's new NAC architecture (ISE/NAC)
    Basically reused the TrustSec name for this new ISE NAC design
    Only based on RADIUS (no TACACS+)

MACSec 802.1ae
    Some call this WEP (Wired Equivalency Protocol)
        Even though WEP (for wireless) was a weak authentication protocol, it
        still encrypted the wireless data transmission
        Wireless encrypts the entire data stream by default with AES
        Wired networks typically don't do this; it is limited to newer hardware
        Encrypted before the Ethernet header is written (supported on M1 series modules)
    Looking at 802.1ae for encrypting Layer 2 interfaces

TrustSec 
    Link-to-link L2 Ethernet AES encryption
        Not encrypted on the backplane of the switch
        The type of DCI determines whether you can support MACsec
        (dark fiber with back-to-back vPC, VPLS pseudowires)
        Will not work with OTV

TrustSec Today
    Dot1x Authentication (EAPoL) EAP over LAN
    Profiling
    Posturing
    Authorization 
    Remediation 
    Guest Services
    Secure Group Access 
        Identity Services Engine (ISE)
    ACS 5.3 also can provide some TrustSec capabilities, but ISE is preferred 

What is Secure Group Access or SGA
    Based on:
        Secure Group Tags (SGT)
        Secure Group ACL (SGACL)
    This is a completely new way to do access control (ACEs)
    Allows one to reduce the TCAM size needed to store ACEs
    This is based on an egress ACL architecture vs. the traditional ingress ACL




Think about the above design.
    Each ingress point has to carry ACLs for all endpoints (servers/applications)

    With TrustSec
        As a host (laptop or iOS device) comes onto the network we classify it at
        the ingress with an SGT (a simple number). The ISE server classifies each
        host device and assigns the SGT based on 802.1x, profiling, posturing
        and authorization
    
        Each resource will be tagged as well (think of UCS blade servers) with 
        multiple applications.

        The ISE server has a matrix with each SGT for hosts and resources
        and cross-references source SGT against destination SGT to see which
        SGACL will be applied at the egress device.

        This allows one (1) TCP SYN packet to traverse the network; if it is not
        allowed it is dropped in the bit bucket before a SYN-ACK is sent back.
        For UDP it can mean more packets, but still not enough to impact the
        effectiveness of ISE.

        This means less overhead and less TCAM memory: the SGACL only has to be
        written dynamically at the time the resource is requested

        Doesn't require specific source or destination IP addresses; it only
        cares about the SGT (Security Group Tag)
     
        This is Cisco's new Data Center security model (BYOD)

        NDAC= Network Device Admission Control
            AuthC and AuthZ to network Devices
            Only honors SGT's from trusted peers


Configuration:



MACSec Only (Encryption)

N7K2-7/8
    conf t
    feature dot1x
    feature cts
    feature interface-vlan

N7K2-7
    conf t
    int e1/17
    switchport
    switchport access vlan 10
    cts manual
    (config-if-cts-manual) Prompt change
    sap pmk aaccddff (this is a 32 bit value; you don't need to use all 32, it will be padded with zeros)
    shut
    no shut (need to shut and no shut the interface after enabling MACsec CTS)
    exit
    vlan 10
    name CTS-TEST
    int vlan 10
    ip address 10.0.0.77/24
    no shut (every time you bring up an SVI you have to no shut)


N7K2-8
    conf t
    int e1/25
    switchport
    switchport access vlan 10
    
ping to 10.0.0.77 

Now configure CTS after you verify connectivity     
    cts manual
    sap pmk aaccddff
    shut
    no shut

    vlan 10
    name CTS-TEST
    int vlan 10
    ip address 10.0.0.78/24
    no shut
    
   

show cts int e1/25
    
We are not doing TrustSec here, just MACsec, so the output shows:
    Authentication skipped
    Authorization skipped
    Peer SGT is not trusted
        Could set it manually to trust the peer SGT

You should still be able to ping across the link

TrustSec Configuration 
    
N7K2-7
conf t
    radius-server host 192.168.0.43 key cisco123 pac
    aaa group server radius ISE
    (config-radius) prompt change
        server 192.168.0.43
        use-vrf management 

Once this is completed it auto-populates the command
            "aaa group server radius aaa-private-sg"
    You want to go under that group and specify which VRF you're using

conf t
aaa group server radius aaa-private-sg
    use-vrf management     

conf t

cts device-id N7K27 password cisco123 (shows up in ISE)

aaa authentication dot1x default group ISE   (ISE = the AAA server group defined above)
aaa authorization cts default group ISE

Configure ISE

Administration -----> Network Resources 
    You define your network devices here and can group them by location and
    device type


RADIUS settings 



SGA settings
 You would also configure the EXEC username and password

Generate a PAC for SEED device 
It will ask you to download it.

Click save

Configure dot1x on the interfaces


N7K2-7
    int e1/18
    switchport 
    switchport access vlan 10
    no shut 
    cts dot1x
    (config-if-cts-dot1x) Changes prompt
    shut 
    no shut

show cts environment-data

Local Device SGT is 0x000a = 10
    This is set up in ISE under Security Groups
This mapped the network device group/subgroup to the SGA, which is mapped to SGT 10

N7K2-8
    conf t
    int e1/26
    switchport
    switchport access vlan 10
    no shut 
    exit
    cts device-id N7K28 password cisco123
    
    

Check the Setting in ISE for the N7K2-8
    


Enter the EXEC username and password for the switch
Don't need to generate PAC and click save

conf t
 int e1/26
    cts dot1x
    shut
    no shut

show cts environment-data (on N7K2-8)

For each VLAN and VRF you may have to configure "cts role-based enforcement"
conf t
vlan 10 
    cts role-based enforcement
    exit
Can also do a static SGT map
    "cts role-based sgt-map 10.1.1.1 3"  (3 = the SGT; ISE doesn't have to
                                         know 10.1.1.1, just the SGT)
This would be per VLAN and per VRF if required.
 
show cts interface e1/26
Shows that CTS is enabled, the mode (dot1x) and the peer



SXP Configuration (on N5K1 and N5K2)

N7K2-7 (SEED Device)

conf t
cts sxp enable
cts sxp connection peer 10.0.0.51 source 10.0.0.77 password required cisco123 mode speaker
cts sxp connection peer 10.0.0.52 source 10.0.0.77 password required cisco123 mode speaker

int e2/19
    switchport
    switchport access vlan 10
    no shut

N7K2-8
    cts sxp enable
int e2/27
    switchport
    switchport access vlan 10
    no shut

N5K1
    conf t
    vlan 10
    name SXP
    int vlan 10
    ip address 10.0.0.51/24
    no shut
    int e1/20
    switchport
    switchport access vlan 10
    no shut
    exit
    feature dot1x
    feature cts
    cts sxp enable
    cts device-id N5K1 password cisco123
    cts sxp connection peer 10.0.0.77 source 10.0.0.51 password required cisco123 mode listener


N5K2
    conf t
    vlan 10
    name SXP
    int vlan 10
    ip address 10.0.0.52/24 
    no shut
int e1/20
    switchport
    switchport access vlan 10
    no shut 
    exit
feature dot1x 
feature cts
cts sxp enable
cts device-id N5K2 password cisco123
cts sxp connection peer 10.0.0.77 source 10.0.0.52 password required cisco123 mode listener 

show cts sxp connection
N5K1 and N5K2 can now pass SGT to the SEED device 
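To make the speaker/listener roles and the resulting IP-to-SGT table concrete, here is an added Python model of what the configuration above sets up (it is an illustration written for these notes, not NX-OS or ISE code). The speaker is the SEED device N7K2-7 at 10.0.0.77 ("mode speaker"), the listeners are the N5Ks; a connection with a mismatched "password required" secret is refused, and the static "cts role-based sgt-map 10.1.1.1 3" entry from earlier wins by longest-prefix match over the /24 it sits in. The addresses come from the notes; the SGT numbers, the advertised prefixes and the rule that a static map is not overwritten by an SXP-learned binding are assumptions of this example.

```python
"""Added example (not NX-OS code): IP-to-SGT bindings propagated from an SXP
speaker to an SXP listener and merged with a static 'cts role-based sgt-map'
entry. SGT values and advertised prefixes are constructed for the demo."""
import ipaddress
from typing import Dict, Optional, Tuple

IPNet = ipaddress.IPv4Network


class SgtBindingTable:
    """IP prefix -> (SGT, where it came from). Lookup is longest-prefix match,
    so a host /32 binding beats the /24 that contains it."""

    def __init__(self) -> None:
        self._bindings: Dict[IPNet, Tuple[int, str]] = {}

    def add_static(self, prefix: str, sgt: int) -> None:
        # Equivalent of 'cts role-based sgt-map <ip> <sgt>': the switch knows
        # the tag for this address without ISE ever having seen the address.
        self._bindings[ipaddress.ip_network(prefix, strict=False)] = (sgt, "static")

    def add_sxp(self, peer: str, prefix: str, sgt: int) -> None:
        net = ipaddress.ip_network(prefix, strict=False)
        # Assumption of this model: a static map is not overwritten by an
        # SXP-learned binding for the same prefix.
        if self._bindings.get(net, (None, ""))[1] == "static":
            return
        self._bindings[net] = (sgt, f"sxp:{peer}")

    def lookup(self, ip: str) -> Optional[int]:
        """Return the SGT for an address, or None when no binding covers it."""
        addr = ipaddress.ip_address(ip)
        best: Optional[Tuple[IPNet, int]] = None
        for net, (sgt, _src) in self._bindings.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sgt)
        return None if best is None else best[1]

    def entries(self) -> Dict[str, Tuple[int, str]]:
        return {str(net): val for net, val in self._bindings.items()}


class SxpSpeaker:
    """The side configured 'mode speaker': it advertises its bindings."""

    def __init__(self, address: str, password: str, bindings: Dict[str, int]) -> None:
        self.address, self.password, self.bindings = address, password, bindings


class SxpListener:
    """The side configured 'mode listener': it accepts a peer's bindings only
    when the shared secret from 'password required ...' matches."""

    def __init__(self, address: str, password: str) -> None:
        self.address, self.password = address, password
        self.table = SgtBindingTable()

    def connect(self, peer: SxpSpeaker) -> bool:
        if peer.password != self.password:
            return False  # connection refused, nothing is learned
        for prefix, sgt in peer.bindings.items():
            self.table.add_sxp(peer.address, prefix, sgt)
        return True


def build_demo_table() -> SgtBindingTable:
    """Constructed scenario: SEED N7K2-7 (10.0.0.77) speaks to listener N5K1
    (10.0.0.51). The SGT numbers and prefixes are made up for the demo."""
    seed = SxpSpeaker("10.0.0.77", "cisco123", {"10.0.0.0/24": 10, "10.1.1.0/24": 20})
    n5k1 = SxpListener("10.0.0.51", "cisco123")
    if not n5k1.connect(seed):
        raise RuntimeError("SXP connection refused")
    n5k1.table.add_static("10.1.1.1", 3)  # 'cts role-based sgt-map 10.1.1.1 3'
    return n5k1.table


def mismatched_password_is_refused() -> bool:
    """A listener with the wrong secret learns nothing from the speaker."""
    seed = SxpSpeaker("10.0.0.77", "cisco123", {"10.0.0.0/24": 10})
    n5k2 = SxpListener("10.0.0.52", "not-cisco123")
    return not n5k2.connect(seed) and n5k2.table.lookup("10.0.0.5") is None


if __name__ == "__main__":
    table = build_demo_table()
    for ip in ("10.0.0.200", "10.1.1.1", "10.1.1.2", "192.168.5.5"):
        print(ip, "->", table.lookup(ip))
```

Running the block prints the tag chosen for each address: 10.0.0.200 resolves to SGT 10 via the /24, 10.1.1.1 to SGT 3 via the static /32 even though 10.1.1.0/24 carries SGT 20, and an address with no binding resolves to None, which is the case an enforcement point has to treat explicitly.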


Now create the SGACL
N7K2-7
conf t
cts role-based access-list TEST
(config-rbacl) prompt changes
permit tcp src eq 80 dst gt 1024
deny all
You see the following options 

You'll notice there is no IP address for SRC or DST, just SRC and DST ports

You can also configure SGACLs on ISE
This example is for ICMP
    You give it IPv4/v6
    then the entries per SGACL
    permit icmp
    deny all (no "any any")

Matrix View


Pick ICMP_n_SSH
Now that particular SGACL is applied to that cell of the matrix
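The SGACL entries and the matrix cell they land in are easiest to see by executing them. The following added Python example (written for these notes; not NX-OS or ISE code) parses entries in the "cts role-based access-list" syntax used above, which carry protocol and ports but no IP addresses, and evaluates them from an egress matrix keyed by (source SGT, destination SGT), the lookup described in the Secure Group Access section earlier. The TEST entries are the ones from the switch config above; the "permit tcp dst eq 22" line I give ICMP_n_SSH, the SGT numbers used for the cells, the implicit deny when no entry matches, and a permit default for a cell with no SGACL are all assumptions of this example. Only the eq/gt/lt/neq port operators are handled.

```python
"""Added example (not NX-OS or ISE code): parser and evaluator for SGACL
entries in 'cts role-based access-list' syntax plus an egress matrix keyed by
(source SGT, destination SGT). SGT numbers and cell assignments are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PortCond = Tuple[str, int]  # e.g. ("eq", 80)
_OPS: Dict[str, Callable[[int, int], bool]] = {
    "eq": lambda a, b: a == b, "gt": lambda a, b: a > b,
    "lt": lambda a, b: a < b, "neq": lambda a, b: a != b,
}


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "all"
    src: Optional[PortCond] = None  # source port condition, if any
    dst: Optional[PortCond] = None  # destination port condition, if any


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def parse_rbacl(text: str) -> List[Ace]:
    """Parse lines such as 'permit tcp src eq 80 dst gt 1024', 'permit icmp'
    and 'deny all'. There is no IP address anywhere, only protocol and ports."""
    aces: List[Ace] = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
            raise ValueError(f"bad ACE: {raw!r}")
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        conds: Dict[str, PortCond] = {}
        while rest:  # zero or more '<src|dst> <op> <port>' clauses
            if len(rest) < 3 or rest[0] not in ("src", "dst") or rest[1] not in _OPS:
                raise ValueError(f"bad port clause in {raw!r}")
            conds[rest[0]] = (rest[1], int(rest[2]))
            rest = rest[3:]
        if conds and proto not in ("tcp", "udp"):
            raise ValueError(f"port clause on a non-TCP/UDP ACE: {raw!r}")
        aces.append(Ace(action, proto, conds.get("src"), conds.get("dst")))
    return aces


def _matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "all" and ace.proto != pkt.proto:
        return False
    for cond, port in ((ace.src, pkt.src_port), (ace.dst, pkt.dst_port)):
        if cond is not None and (port is None or not _OPS[cond[0]](port, cond[1])):
            return False
    return True


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """First matching ACE decides. Assumption: an unmatched packet is denied
    (the SGACLs on this page all close with 'deny all' anyway)."""
    for ace in aces:
        if _matches(ace, pkt):
            return ace.action
    return "deny"


class EgressMatrix:
    """Matrix cell (src SGT, dst SGT) -> SGACL, looked up by the egress device.
    Assumption: a cell with no SGACL falls back to the matrix default, permit."""

    def __init__(self, default: str = "permit") -> None:
        self._cells: Dict[Tuple[int, int], List[Ace]] = {}
        self._default = default

    def bind(self, src_sgt: int, dst_sgt: int, aces: List[Ace]) -> None:
        self._cells[(src_sgt, dst_sgt)] = aces

    def decide(self, src_sgt: int, dst_sgt: int, pkt: Packet) -> str:
        aces = self._cells.get((src_sgt, dst_sgt))
        return self._default if aces is None else evaluate(aces, pkt)


TEST = "permit tcp src eq 80 dst gt 1024\ndeny all"          # from the switch config above
ICMP_N_SSH = "permit icmp\npermit tcp dst eq 22\ndeny all"   # the SSH line is assumed


def build_demo_matrix() -> EgressMatrix:
    """Constructed cells: SGT 20 (web servers) -> SGT 10 (users) gets TEST,
    which permits server replies from port 80 to high ports; SGT 10 -> SGT 30
    (admin hosts) gets ICMP_n_SSH."""
    matrix = EgressMatrix()
    matrix.bind(20, 10, parse_rbacl(TEST))
    matrix.bind(10, 30, parse_rbacl(ICMP_N_SSH))
    return matrix


if __name__ == "__main__":
    m = build_demo_matrix()
    print(m.decide(20, 10, Packet("tcp", 80, 40000)))  # server reply to a high port
    print(m.decide(20, 10, Packet("tcp", 80, 443)))    # 443 is not gt 1024
    print(m.decide(10, 30, Packet("icmp")))
```

The decision depends only on the two tags and the protocol/port tuple, which is the point of the egress model: the same TEST SGACL serves every web server and every user without an ACE per IP address, and nothing needs to be written into TCAM for a cell until a flow between those two groups actually appears.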


Hint:
    You can use ISE in monitor mode to see how it will play with your network
    design. From there you can move to partial and then full protection mode.