1.55 - Trustsec: Configuring Network Device Admission Control (NDAC)

In this video, we're going to configure our Trustsec domain between a couple of switches and enforce Network Device Admission Control (NDAC).


Notes from this video:

  • Trustsec Domains

• Trust is established within the domain between the network access devices themselves

    • SGTs and SGACLs are downloaded to network devices from a trusted source

    • Using NDAC, network devices are authenticated and authorized into a Trustsec domain

• By authenticating each link, NDAC extends that trust to inline SGT propagation across the link

  • So where does ISE come into this picture?

    • ISE is the central point of SGT definition, distribution, and provides dynamic classification

• It's the central repository for SGT-based egress policies and pushes that policy to the network devices in the form of SGACLs

    • It’s the authentication server for endpoints and network device admission into a Trustsec domain

  • How does NDAC work?

• It uses 802.1X port-based authentication with EAP-FAST: the network device authenticates to the network and receives its PAC (Protected Access Credential). The first device (the seed) obtains its PAC directly from ISE over RADIUS; further (non-seed) devices authenticate over their uplink to a device that is already in the domain

• Some devices (like switches) support EAP-FAST, while others (like the ASA) don't; for those you have to generate the PAC on ISE, download it, and provision it manually

  • How does RADIUS EAP-FAST work?

    • The network device requests a PAC and the PAC is pushed to the network device from the RADIUS server (ISE)

• Using that PAC, the network device builds a TLS tunnel to ISE (EAP-FAST phase 1)

    • Inside that tunnel the network device authenticates to ISE (EAP-FAST phase 2)

• (Optionally) You may configure your Trustsec domain to encrypt the link at Layer 2 with 802.1AE (MACsec); the keying for that is negotiated by SAP during NDAC


CONFIGURATIONS

SEED DEVICE CONFIGURATION

aaa new-model

! the seed device talks RADIUS to ISE directly; the pac key is the shared
! secret used to provision its PAC in-band (it must match the device entry in ISE)
radius server ise
 address ipv4 10.1.100.21 auth-port 1812 acct-port 1813
 pac key 0 ISEc0ld

aaa group server radius ise-group
 server name ise

aaa server radius dynamic-author
 client 10.1.100.21 server-key ISEc0ld
 auth-type any

aaa authentication dot1x default group ise-group
aaa authorization exec vty local
aaa authorization configuration default group ise-group
aaa authorization network default group ise-group
aaa accounting dot1x default start-stop group ise-group
aaa accounting system default start-stop group ise-group
aaa accounting update newinfo periodic 2440
! the list name here must match the one referenced by "cts authorization list"
aaa authorization network cts-list group ise-group

dot1x system-auth-control

cts authorization list cts-list

ip device tracking probe auto-source override
ip device tracking probe delay 10
ip radius source-interface Vlan100

access-session template monitor
access-session acl default passthrough
epm logging
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria time 5 tries 3
radius-server deadtime 30

! "cts credentials" is a privileged EXEC command, not a configuration command:
! it is stored in the keystore and does not show up in the running-config.
! The ID and password must match the TrustSec device ID and password set on
! the network device entry in ISE.
cts credentials id Sw01 password ISEc0ld
cts logging verbose

NON-SEED DEVICE CONFIGURATION

! EXEC command, not configuration; ID and password must match the device entry in ISE
cts credentials id Sw021 password ISEc0ld
cts logging verbose

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network cts-list group radius
aaa accounting dot1x default start-stop group radius
cts authorization list cts-list
radius-server vsa send authentication
radius-server vsa send accounting

aaa server radius dynamic-author
 client 10.1.100.21 server-key ISEc0ld
 auth-type any

dot1x system-auth-control
! no "radius server" block is needed: a non-seed device learns the ISE server
! list from its environment data once it has been admitted through the seed


Uplink interface configuration on both switches

interface g1/0/x
 switchport mode trunk
 cts dot1x
  ! no-encap authenticates the link but leaves SGT-tagged frames unencrypted;
  ! use gcm-encrypt here to enable 802.1AE (MACsec) on the link
  sap mode-list no-encap
  propagate sgt
 no shut
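As an added check (example code written for these notes, not part of the course or of any Cisco tooling): a Python script that parses an IOS-style configuration, verifies the NDAC prerequisites the sections above depend on (AAA enabled, 802.1X enabled globally, a dot1x authentication list, a "cts authorization list" that names a defined "aaa authorization network" list, and a PAC key on the seed), and flags the two weak settings the sample configuration carries: the type-0 (cleartext) PAC key and a SAP mode-list that prefers no-encap. The embedded configuration is a constructed copy of the seed and uplink config above; the interface name GigabitEthernet1/0/24 and the type-6 key blob in the hardened variant are placeholders, not real values.

```python
"""Audit a Cisco IOS / IOS-XE TrustSec NDAC configuration (added example)."""

# Constructed sample input: the seed-switch config from the notes, trimmed to
# the NDAC-relevant lines. The interface name is an assumption.
SEED_CONFIG = """\
aaa new-model
radius server ise
 address ipv4 10.1.100.21 auth-port 1812 acct-port 1813
 pac key 0 ISEc0ld
aaa group server radius ise-group
 server name ise
aaa authentication dot1x default group ise-group
aaa authorization network cts-list group ise-group
dot1x system-auth-control
cts authorization list cts-list
interface GigabitEthernet1/0/24
 switchport mode trunk
 cts dot1x
  sap mode-list no-encap
  propagate sgt
"""

# Same config with the two weak settings corrected: an encrypted (type 6) key
# and MACsec (gcm-encrypt) on the uplink. The blob is a placeholder.
HARDENED_CONFIG = SEED_CONFIG.replace(
    "pac key 0 ISEc0ld", "pac key 6 CONSTRUCTED-TYPE6-BLOB"
).replace("sap mode-list no-encap", "sap mode-list gcm-encrypt")

SAP_CLEARTEXT = {"no-encap", "null"}  # SAP modes that leave the link unencrypted


def parse_blocks(config):
    """Split an IOS-style config into (command, [sub-commands]) blocks.

    Indented lines belong to the last unindented command; deeper nesting
    (sap mode-list under cts dot1x under interface) is flattened into the
    interface block, which is all these checks need.
    """
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and "!" comments
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_ndac(config, seed=True):
    """Return (severity, message) findings; ERROR means NDAC will not come up."""
    blocks = parse_blocks(config)
    top = [cmd for cmd, _ in blocks]
    findings = []

    def require(prefix, message):
        if not any(c.startswith(prefix) for c in top):
            findings.append(("ERROR", message))

    require("aaa new-model", "aaa new-model missing; AAA method lists are not in effect")
    require("dot1x system-auth-control",
            "dot1x system-auth-control missing; 802.1X, and so NDAC, is disabled")
    require("aaa authentication dot1x ",
            "no aaa authentication dot1x list; EAP-FAST cannot be authenticated")

    # "cts authorization list X" must point at a defined "aaa authorization network X"
    cts_lists = [c.split()[3] for c in top if c.startswith("cts authorization list ")]
    if not cts_lists:
        findings.append(("ERROR", "cts authorization list missing; no TrustSec authorization is requested"))
    for name in cts_lists:
        if not any(c.startswith(f"aaa authorization network {name} ") for c in top):
            findings.append(("ERROR", f"cts authorization list '{name}' has no matching aaa authorization network list"))

    if seed:
        # Only the seed talks RADIUS to ISE directly; it needs a PAC key to be provisioned.
        pac_lines = [s for cmd, subs in blocks if cmd.startswith("radius server ")
                     for s in subs if s.startswith("pac key")]
        if not pac_lines:
            findings.append(("ERROR", "no 'pac key' under any radius server; the seed cannot obtain a PAC"))
        for line in pac_lines:
            parts = line.split()
            encrypted = len(parts) == 4 and parts[2] in ("6", "7")
            if not encrypted:
                findings.append(("WARN", "pac key is stored as type 0 (cleartext) in the running-config"))

    for cmd, subs in blocks:
        if not cmd.startswith("interface ") or "cts dot1x" not in subs:
            continue
        sap = next((s for s in subs if s.startswith("sap mode-list")), None)
        if sap is None:
            findings.append(("INFO", f"{cmd}: cts dot1x without an explicit sap mode-list; encryption follows the platform default"))
            continue
        modes = sap.split()[2:]
        if modes and modes[0] in SAP_CLEARTEXT:
            findings.append(("WARN", f"{cmd}: SAP prefers '{modes[0]}'; the link is authenticated but SGT-tagged frames are unencrypted"))
        elif any(m in SAP_CLEARTEXT for m in modes):
            findings.append(("INFO", f"{cmd}: SAP may fall back to a cleartext mode ({' '.join(modes)})"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("seed (as in the notes)", SEED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}")
        for severity, message in audit_ndac(cfg) or [("OK", "no findings")]:
            print(f"{severity:5} {message}")
```

Run it against a saved "show running-config" to get the same findings for a real switch; pass seed=False for non-seed devices, which are expected to have no "radius server" block. The checks encode only what the notes state (the list-name dependency, the seed's PAC key, SAP mode selection); they do not talk to ISE and cannot tell you whether the credentials match the device entry there.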


Useful show commands

show cts server-list
show cts interface gig1/0/x
show cts environment-data
show cts pac
show cts credentials