cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
765
Views
0
Helpful
8
Replies

Which comes first, dot1.x or Trustsec?

DamianRCL
Level 1
Level 1

Hello,

I'm in the initial phases of rolling out dot1.x and Trustsec. As I learn, a question has arisen; which technology should be configured first? I'm very eager to segment the network, but before doing that, hosts need to be assigned VLAN's and addresses, which logically, seems Dot1.x should come first.

I'd really appreciate some feedback for guidance.

Thanks

8 Replies 8

@DamianRCL dot1x (or mab) must come first, once authenticated successfully they will be authorised and then they will receive the dynamic VLAN (if requried) and the TrustSec SGT and any other dynamic attributes you push down.

This makes sense. Thanks for the insight!

it not what is come first the action in ISE is either 
1- dot1x vlan or dACL
AND/OR
2-SGT


the dot1x is between endpoint and SW 
SGT is between SW-SW-router and other, it tag the traffic from endpoint to pass between SW

that what I know

MHM

In a 802.1X environment dynamic classification is used and the endpoint needs to be authenticated and authorised by ISE, as the endpoints connected to the switches do not have the SGT assigned until authenticated (802.1X or MAB) and authorised by ISE. It's during authorisation the SGT is assigned to the user/device and propagated to the switch. Once the switch has the SGT/IP bindings it can inline tag and/or enforce.

And as @thomas said you can use static classification in a DC environment, where technically you don't need ISE.

 

The authc and authz happened one times not twice' so the endpoint connect and SW authc 802.1x and during it authz the ISE send vlan and SGT.

That what I mean' the endpoint not need to re-authz again to get it SGT

MHM

thomas
Cisco Employee
Cisco Employee

You may use TrustSec without 802.1X via static classifications. It all depends on your use case. Especially in the data center where you have a highly managed environment almost always without 802.1X you may still do TrustSec (and ACI).

TrustSec Classification Mechanisms.png

I initially planned to use static classification with TS, but things changed when management said they wanted .1x as well.

Tell me, wouldn't using static classification somewhat defeat the purpose of TS? There would still be significant switch configuration work required, right? what am I missing?

Thanks

@DamianRCL it really depends on your environment.

If using static classification (IP to SGT or Subnet to SGT or VLAN to SGT etc) on the switches there would be a more configuration and management overhead. You can define static bindings on ISE and centrally deploy them to the enforcement points, you don't need 802.1X enabled on the switchports.

Typically dynamic classification is used in a campus environment with 802.1X/MAB to authenticate the devices and assign the SGTs, with static bindings for servers centrally deployed from ISE to enforcement points.