TrustSec background

Originally TrustSec was 802.1ae MACsec (Layer 2 encryption). Now it is more formally Cisco's new NAC architecture (ISE/NAC); Cisco basically reused the TrustSec name for this new ISE NAC design. It is based only on RADIUS (no TACACS+).

MACsec 802.1ae

- Some call this WEP (Wired Equivalency Protocol). Even though WEP (for wireless) was a weak authentication protocol, it still encrypted the wireless data transmission.
- Wireless encrypts my entire data stream by default with AES. A wired network typically doesn't do this; it is limited to newer hardware.
- Frames are encrypted before the Ethernet header is written (supported on M1 series modules).
- Looking at 802.1ae for encrypting Layer 2 interfaces: TrustSec link-to-link L2 Ethernet AES encryption. Traffic is not encrypted on the backplane of the switch.
- The type of DCI is going to be important for whether you can support MACsec: dark fiber (back-to-back vPC) or VPLS pseudowires. It will not work with OTV.

TrustSec today

- Dot1x authentication (EAPoL, EAP over LAN)
- Profiling
- Posturing
- Authorization
- Remediation
- Guest services
- Secure Group Access
- Identity Services Engine (ISE). ACS 5.3 can also provide some TrustSec capabilities, but ISE is preferred.

What is Secure Group Access (SGA)?

It is based on:
- Secure Group Tags (SGT)
- Secure Group ACLs (SGACL)

This is a completely new way of doing access control / ACEs. It lets you reduce the TCAM size needed to store ACEs, because it is based on an egress ACL architecture instead of the traditional ingress ACL. Think about the traditional design: each ingress has to carry ACLs for all endpoint servers/applications. With TrustSec, as a host (laptop or IOS device) comes onto the network we classify it at the ingress with an SGT (a simple number). The ISE server classifies each host device with an SGT based on 802.1x, profiling, posturing and authorization. Each resource is tagged as well (think of UCS blade servers with multiple applications).

The ISE server holds a matrix with the SGT of each host and each resource, and cross-references them to determine which SGACL is applied at the egress device. This lets a single TCP SYN packet traverse the network; if it is not allowed, it is dropped in the bit bucket before a SYN-ACK is sent back. For UDP it can mean more packets, but still not enough to impact the effectiveness of ISE. The result is less overhead and less memory: TCAM entries only have to be written dynamically at the time the resource is requested. It doesn't require a specific IP address for the source or destination; it only cares about the SGT (Security Group Tag). This is Cisco's new data center security model (BYOD).

NDAC = Network Device Admission Control: AuthC and AuthZ of network devices. A device only honors SGTs from trusted peers.

Configuration: MACsec only (encryption)

N7K2-7 and N7K2-8:

    conf t
    feature dot1x
    feature cts
    feature interface-vlan

N7K2-7:

    conf t
    interface e1/17
      switchport
      switchport access vlan 10
      no shut
      cts manual                  (prompt changes to config-if-cts-manual)
        sap pmk aaccddff          (a 32-digit hex value; you don't need to use all 32, the rest is filled in with zeros)
      shut
      no shut                     (you need to shut / no shut after configuring MACsec CTS)
    vlan 10
      name CTS-TEST
    interface vlan 10
      ip address 10.0.0.77/24
      no shut                     (every time you bring up an SVI you have to no shut)

N7K2-8:

    conf t
    interface e1/25
      switchport
      switchport access vlan 10
      no shut

Ping 10.0.0.77. Now configure CTS, after you have verified connectivity:

    interface e1/25
      cts manual
        sap pmk aaccddff
      shut
      no shut
    vlan 10
      name CTS-TEST
    interface vlan 10
      ip address 10.0.0.78/24
      no shut
    show cts interface e1/25

We are not doing TrustSec here, just MACsec, so the output shows: authentication skipped, authorization skipped, peer SGT not trusted (you could set the SGT manually to trusted). You should still be able to ping across the link.

TrustSec configuration

N7K2-7:

    conf t
    radius-server host 192.168.0.43 key cisco123 pac
    aaa group server radius ISE        (prompt changes to config-radius)
      server 192.168.0.43
      use-vrf management

Once this is completed it auto-populates the command "aaa group server radius aaa-private-sg". You want to go under that group and specify which VRF you are using:

    conf t
    aaa group server radius aaa-private-sg
      use-vrf management
    conf t
    cts device-id N7K27 password cisco123         (shows up in ISE)
    aaa authentication dot1x default group ISE    (the AAA server group)
    aaa authorization cts default group ISE

Configure ISE: Administration -> Network Resources. You define your devices here, and can organize them by location and device group type. Per device: RADIUS settings, SGA settings, generate a PAC for the seed device, click Save.

Configure the dot1x interfaces

N7K2-7:

    interface e1/18
      switchport
      switchport access vlan 10
      no shut
      cts dot1x                   (prompt changes to config-if-cts-dot1x)
      shut
      no shut
    show cts environment-data

Local Device SGT is 0x000a = 10. This is set up in ISE under Security Groups.

N7K2-8:

    conf t
    interface e1/26
      switchport
      switchport access vlan 10
      no shut
      exit
    cts device-id N7K28 password cisco123

Check the settings in ISE for N7K2-8 and enter the EXEC username and password for the switch. Then:

    conf t
    interface e1/26
      cts dot1x
      shut
      no shut
    show cts environment-data

For each VLAN and VRF you may have to configure "cts role-based enforcement":

    conf t
    vlan 10
      cts role-based enforcement
      exit

You can also configure a static SGT map: "cts role-based sgt-map 10.1.1.1 3" (3 = the SGT; ISE doesn't have to know 10.1.1.1, just the SGT). This would be per VLAN and per VRF if required.

    show cts interface e1/26

SXP configuration (N7K2-7/N7K2-8 as speakers, N5K1 and N5K2 as listeners)

N7K2-7 (seed device):

    conf t
    cts sxp enable
    cts sxp connection peer 10.0.0.51 source 10.0.0.77 password required cisco123 mode speaker
    cts sxp connection peer 10.0.0.52 source 10.0.0.77 password required cisco123 mode speaker
    interface e2/19
      switchport
      switchport access vlan 10
      no shut

N7K2-8:

    cts sxp enable
    interface e2/27
      switchport
      switchport access vlan 10
      no shut

N5K1:

    conf t
    feature interface-vlan        (needed before the SVI can be created)
    vlan 10
      name SXP
    interface vlan 10
      ip address 10.0.0.51/24
      no shut
    interface e1/20
      switchport
      switchport access vlan 10
      no shut
    feature dot1x
    feature cts
    cts sxp enable
    cts device-id N5K1 password cisco123
    cts sxp connection peer 10.0.0.77 source 10.0.0.51 password required cisco123 mode listener

N5K2:

    conf t
    feature interface-vlan        (needed before the SVI can be created)
    vlan 10
      name SXP
    interface vlan 10
      ip address 10.0.0.52/24
      no shut
    interface e1/20
      switchport
      switchport access vlan 10
      no shut
      exit
    feature dot1x
    feature cts
    cts sxp enable
    cts device-id N5K2 password cisco123
    cts sxp connection peer 10.0.0.77 source 10.0.0.52 password required cisco123 mode listener
    show cts sxp connection

Now create the SGACL

N7K2-7:

    conf t
    cts role-based access-list TEST     (prompt changes to config-rbacl)
      permit tcp src eq 80 dst gt 1024
      deny all

Looking at the options the CLI offers, you'll notice there is no IP address for source or destination, just source and destination ports. You can also configure SGACLs on ISE: you give it IPv4/IPv6, then the entries per SGACL, e.g. "permit icmp" and "deny all" (there is no "any any"). In the matrix view, pick ICMP_n_SSH.

Hint: You can use ISE in monitor mode to see how it will play with your network design. From there you could move to a partial and then a full protection mode.
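The egress enforcement model described above (SGT classification from IP-to-SGT bindings, a matrix lookup on the source/destination SGT pair, and first-match SGACL evaluation, with the monitor mode from the hint) is easy to reason about in a small simulation. The following Python is an added example written for these notes, not Cisco or ISE code; every address, SGT value and policy in it is constructed, and the ICMP_n_SSH entries are an assumption about what such an SGACL would contain. It goes slightly beyond the page by adding a monitor mode that reports the verdict but still forwards, which is what previewing a policy in ISE monitor mode amounts to.

```python
"""Simulation of TrustSec egress enforcement: IP-to-SGT lookup, matrix lookup,
first-match SGACL evaluation. Added example for this page; all values constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IP-to-SGT bindings as an SXP listener (the N5Ks) would hold them: entries learned
# from the speaker plus a static entry such as "cts role-based sgt-map 10.1.1.1 3".
BINDINGS = {
    "10.0.0.0/24": 10,        # CTS-TEST VLAN; 10 matches the page's Local Device SGT
    "10.1.1.1/32": 3,         # the page's static sgt-map example
    "192.168.50.0/24": 20,    # constructed: user laptops
    "172.16.10.0/24": 30,     # constructed: web servers
}


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "all"
    src: Optional[tuple] = None     # ("eq", 80) / ("gt", 1024) / ("lt", n); None = any
    dst: Optional[tuple] = None


# SGACLs by name. TEST mirrors the page's "permit tcp src eq 80 dst gt 1024 / deny all";
# ICMP_n_SSH is an assumed definition for the ISE SGACL named on the page.
SGACLS = {
    "TEST": [Ace("permit", "tcp", ("eq", 80), ("gt", 1024)), Ace("deny", "all")],
    "ICMP_n_SSH": [Ace("permit", "icmp"), Ace("permit", "tcp", None, ("eq", 22)),
                   Ace("deny", "all")],
}

# The matrix: one cell per (source SGT, destination SGT). No IP address appears here,
# which is why the TCAM footprint grows with the number of groups, not hosts.
MATRIX = {(20, 30): "ICMP_n_SSH",   # laptops -> web servers
          (30, 20): "TEST"}          # web servers -> laptops (server-side return traffic)


def lookup_sgt(ip: str) -> Optional[int]:
    """Longest-prefix match of an address against the binding table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, sgt in BINDINGS.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, sgt)
    return best[1] if best else None


def _port_ok(spec: Optional[tuple], port: int) -> bool:
    if spec is None:
        return True
    op, val = spec
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]


def evaluate_sgacl(aces, proto: str, sport: int, dport: int) -> str:
    """First matching ACE wins; 'permit' if nothing in the SGACL matches."""
    for ace in aces:
        if ace.proto not in ("all", proto):
            continue
        if _port_ok(ace.src, sport) and _port_ok(ace.dst, dport):
            return ace.action
    return "permit"


def enforce(src_ip, dst_ip, proto, sport=0, dport=0, mode="enforce") -> dict:
    """Egress decision for one packet. In mode='monitor' the verdict is reported
    but the packet is forwarded anyway, so a policy can be previewed safely."""
    s_sgt, d_sgt = lookup_sgt(src_ip), lookup_sgt(dst_ip)
    name = MATRIX.get((s_sgt, d_sgt))           # no cell -> no SGACL applied
    verdict = evaluate_sgacl(SGACLS[name], proto, sport, dport) if name else "permit"
    return {"src_sgt": s_sgt, "dst_sgt": d_sgt, "sgacl": name,
            "verdict": verdict, "forwarded": verdict == "permit" or mode == "monitor"}


if __name__ == "__main__":
    # Constructed sample flows: a laptop opening SSH and HTTP to a server, the server's
    # HTTP reply, and an unmapped pair. The HTTP SYN is dropped before any SYN-ACK.
    for pkt in [("192.168.50.7", "172.16.10.5", "tcp", 51000, 22),
                ("192.168.50.7", "172.16.10.5", "tcp", 51000, 80),
                ("172.16.10.5", "192.168.50.7", "tcp", 80, 51000),
                ("10.1.1.1", "172.16.10.5", "icmp", 0, 0)]:
        print(pkt, "->", enforce(*pkt), "| monitor:", enforce(*pkt, mode="monitor"))
```

Because the decision is keyed on the SGT pair, moving a server to a different subnet only changes its binding, not the policy; that is the property the notes describe as removing the need for per-IP ACEs at every ingress.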