Configuring Credentials and AAA for a Cisco TrustSec Non-Seed Device
Command
Step 7    Router(config)# radius-server vsa send authentication
Step 8    Router(config)# dot1x system-auth-control
Step 9    Router(config)# exit
Note: You must also configure the Cisco TrustSec credentials for the switch on the Cisco Identity Services Engine, or the Cisco Secure ACS.
Configuration Examples for Non-Seed Device
Catalyst 6500 example:
Router# cts credentials id Switch2 password Cisco123
Router# configure terminal
Router(config)# aaa new-model
Router(config)# aaa authentication dot1x default group radius
Router(config)# aaa authorization network MLIST group radius
Router(config)# aaa accounting dot1x default start-stop group radius
Router(config)# radius-server vsa send authentication
Router(config)# dot1x system-auth-control
Router(config)# exit
Catalyst 3850/3650 example for access VLAN, where propagate SGT is not the default:
switch(config-if)# switchport access vlan 222
switch(config-if)# switchport mode access
switch(config-if)# authentication port-control auto
switch(config-if)# dot1x pae authenticator
switch(config-if)# cts dot1x
switch(config-if)# propagate sgt
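Added example (not from the Cisco guide): a Python check that a saved running-config contains the non-seed AAA, 802.1X and SGT commands shown in the two examples above. The sample config, the interface name and the function names parse and audit are constructed for illustration; it assumes sub-commands appear indented under their interface line, as in show running-config output.

```python
import re

# Global commands from the Catalyst 6500 example, as full-line regexes.
REQUIRED_GLOBAL = [
    r"aaa new-model",
    r"aaa authentication dot1x default group radius",
    r"aaa authorization network \S+ group radius",  # list name (MLIST) varies
    r"aaa accounting dot1x default start-stop group radius",
    r"radius-server vsa send authentication",
    r"dot1x system-auth-control",
]
# 802.1X and SGT commands from the Catalyst 3850/3650 access-port example.
REQUIRED_PORT = ["authentication port-control auto", "dot1x pae authenticator", "propagate sgt"]

def parse(config):
    """Return (global lines, {interface name: [indented sub-commands]})."""
    glob, ifaces, cur = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace():               # indented: belongs to current block
            if cur is not None:
                cur.append(line)
        elif line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], [])
        else:                              # any other top-level command
            cur = None
            glob.append(line)
    return glob, ifaces

def audit(config):
    """List missing commands; only ports that carry 'cts dot1x' are checked."""
    glob, ifaces = parse(config)
    findings = [f"global: missing '{p}'" for p in REQUIRED_GLOBAL
                if not any(re.fullmatch(p, line) for line in glob)]
    for name, cmds in ifaces.items():
        if "cts dot1x" in cmds:
            findings += [f"{name}: missing '{c}'" for c in REQUIRED_PORT if c not in cmds]
    return findings

# Constructed sample: lacks 'dot1x system-auth-control' and 'propagate sgt'.
SAMPLE = "\n".join([
    "aaa new-model", "aaa authentication dot1x default group radius",
    "aaa authorization network MLIST group radius",
    "aaa accounting dot1x default start-stop group radius",
    "radius-server vsa send authentication",
    "interface GigabitEthernet1/0/2", " switchport mode access",
    " authentication port-control auto", " dot1x pae authenticator", " cts dot1x"])
print("\n".join(audit(SAMPLE)))
```

An explicit "no propagate sgt" under the interface is still reported as missing, because sub-commands are compared as whole lines.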
Cisco TrustSec Configuration Guide
Chapter 3
Configuring Identities, Connections, and SGTs
Purpose
Step 7    Configures the switch to recognize and use vendor-specific attributes (VSAs) in RADIUS Access-Requests generated by the switch during the authentication phase.
Step 8    Globally enables 802.1X port-based authentication.
Step 9    Exits configuration mode.
OL-22192-02