03-14-2024 05:15 AM
Hello,
I'm in the initial phases of rolling out 802.1X and TrustSec. As I learn, a question has arisen: which technology should be configured first? I'm very eager to segment the network, but before doing that, hosts need to be assigned VLANs and addresses, so logically it seems 802.1X should come first.
I'd really appreciate some feedback for guidance.
Thanks
03-14-2024 05:23 AM
@DamianRCL dot1x (or MAB) must come first. Once authenticated successfully, they will be authorised and then receive the dynamic VLAN (if required), the TrustSec SGT and any other dynamic attributes you push down.
03-14-2024 05:37 AM
This makes sense. Thanks for the insight!
03-14-2024 08:15 AM
It's not a question of what comes first; the action in ISE is either
1- dot1x VLAN or dACL
AND/OR
2- SGT
The dot1x is between the endpoint and the switch.
The SGT is between switch, switch, router and others; it tags the traffic from the endpoint so it can pass between switches.
That's what I know.
MHM
03-14-2024 08:49 AM
In an 802.1X environment dynamic classification is used, and the endpoint needs to be authenticated and authorised by ISE, as the endpoints connected to the switches do not have an SGT assigned until authenticated (802.1X or MAB) and authorised by ISE. It's during authorisation that the SGT is assigned to the user/device and propagated to the switch. Once the switch has the SGT/IP bindings it can inline tag and/or enforce.
And as @thomas said you can use static classification in a DC environment, where technically you don't need ISE.
03-14-2024 09:01 AM
The authc and authz happen one time, not twice, so the endpoint connects, the switch does 802.1X authc, and during authz ISE sends the VLAN and SGT.
That's what I mean: the endpoint doesn't need to re-authz again to get its SGT.
MHM
03-14-2024 07:28 AM
You may use TrustSec without 802.1X via static classification. It all depends on your use case. Especially in the data center, where you have a highly managed environment almost always without 802.1X, you may still do TrustSec (and ACI).
03-14-2024 08:59 AM
I initially planned to use static classification with TS, but things changed when management said they wanted .1x as well.
Tell me, wouldn't using static classification somewhat defeat the purpose of TS? There would still be significant switch configuration work required, right? What am I missing?
Thanks
03-14-2024 09:25 AM
@DamianRCL it really depends on your environment.
If using static classification (IP to SGT, Subnet to SGT, VLAN to SGT, etc.) on the switches there would be more configuration and management overhead. You can define static bindings on ISE and centrally deploy them to the enforcement points; you don't need 802.1X enabled on the switchports.
Typically dynamic classification is used in a campus environment with 802.1X/MAB to authenticate the devices and assign the SGTs, with static bindings for servers centrally deployed from ISE to enforcement points.
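The ordering the replies describe (802.1X/MAB on the access port first, ISE returning the VLAN and SGT in the authorisation, static bindings kept for server subnets), shown as an added IOS-XE configuration example. This is not code from the thread or from Cisco documentation; the interface, VLAN IDs, subnets, SGT values, RADIUS server address and key are assumptions for illustration, and it uses the legacy `authentication` port commands rather than IBNS 2.0 policy templates.

```ios
! Added example, not from the original posts. Values are assumptions.
! --- AAA: ISE authenticates (dot1x/MAB) and authorises (VLAN, dACL, SGT) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! Separate authorization list used for the TrustSec PAC/environment download
aaa authorization network cts-list group radius
cts authorization list cts-list
radius server ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key ISE-SHARED-SECRET
 pac key ISE-SHARED-SECRET
dot1x system-auth-control
!
! --- Access port: dot1x first, MAB as fallback; ISE overrides VLAN 10 dynamically ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 dot1x pae authenticator
 mab
!
! --- Enforcement on the user VLANs (SGACLs are pushed from ISE) ---
cts role-based enforcement
cts role-based enforcement vlan-list 10,20
!
! --- Static classification for server subnets that never do 802.1X ---
! (equivalent bindings can instead be defined in ISE and deployed centrally)
cts role-based sgt-map 10.1.50.0/24 sgt 20
cts role-based sgt-map 10.1.60.0/24 sgt 30
!
! --- Checks once an endpoint has authenticated ---
! show authentication sessions interface GigabitEthernet1/0/1 details
!   expect Status: Authorized, the dynamic VLAN, and an SGT Value from ISE
! show cts role-based sgt-map all
!   LOCAL source = dynamic (from authorisation), CLI source = the static maps above
! show cts role-based permissions
!   confirms which SGACLs ISE has delivered for the SGT pairs
```

The static `sgt-map` lines are what the static-classification replies refer to: they need no 802.1X, but every switch that enforces has to carry them (or receive them via SXP/ISE), which is the management overhead mentioned above. The dynamic bindings appear only after a successful authentication, so an endpoint on an unauthenticated port has no SGT and is matched by whatever default permission you configure.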