04-07-2014 12:27 PM - edited 03-01-2019 05:02 PM
Vaibhav Katkade is a product manager in Cisco's Enterprise Networking Group covering Cisco TrustSec and identity-based solutions on the Cisco Catalyst switching and ISR/ASR series routers. Prior to this, he was a software engineer on the Cisco Catalyst 4500 Series switching team, with experience in Layer 2 protocols, Layer 3 forwarding, Power over Ethernet, and system management. He has also worked as a software engineer at a WAN optimization startup, working on data deduplication algorithms. He holds a master's degree in electrical engineering from the University of Southern California (USC).
General Questions:
A: EVN stands for Easy Virtual Network. Refer to the Easy Virtual Network web page for more information.
A: If the user is in the same mobility domain, then the client's state machine will be maintained in the Wireless controllers; if not, a re-authentication is necessary.
A: SPAN succeeds the MACSec process. MACSec is a hop-by-hop (one hop) encryption protocol. When an encrypted frame hits the mirrored port, it is decrypted and then subjected to SPAN.
A: Yes, TrustSec can be implemented with the Cisco Secure ACS to some extent. The Security Group Tags can be sent from ACS for authorization.
A: Yes, you can look at the failed authentications report, which provides network device information, the interface, and the MAC address of the end user device that failed authentication. The switches do track authentication sessions in monitor mode. However, for centralized visibility on all failed and passed authentications, the RADIUS server is the tool.
A: Monitor mode for TrustSec is in the road-map and not currently committed against a release. Right now, monitor mode is available only for dot1x.
A: MAB stands for MAC Authentication Bypass.
A: No. The interface template will be available in the 15.2(2)E Release that is due next quarter. The global identity template is a work in progress and is part of the road-map for the release due at the end of 2014. Contact me if you need a version for the global identity template.
A: Yes. Cisco has the 3000 series Netflow appliances. For more information, refer to the Cisco NetFlow Generation 3000 Series Appliances web page.
A: One way to do this is to use certificates issued by the Active Directory (AD) and make sure to verify the device certificate during login. The other way is to use MAC Authentication Bypass (MAB) for the device verification and the userid for the user verification.
You can also do this with Extensible Authentication Protocol (EAP) Chaining. Refer to TrustSec How-To Guide: Deploying EAP Chaining with AnyConnect NAM and Cisco ISE for more information.
A: Sourcefire Intrusion Prevention System (IPS) primarily performs perimeter security.
A: Yes, Cisco Prime Assurance has a Flexible NetFlow (FNF) collector.
Identity Services Engine (ISE):
A: No. Prime is the management tool (the Network Management Suite, NMS), and ISE is the policy server, which handles Authentication, Authorization, and Accounting (AAA).
A: No, TrustSec is not obsolete.
A: You need 15.X for the device sensor, which enables profiling in terms of efficiency. ISE can also profile endpoints by various other means (SNMP, DHCP, HTTP) from switches with earlier versions.
A: If profiling is done with a device-sensor, then only RADIUS packets are used. If you choose conventional methods, then the respective traffic type, like HTTP/SNMP/DHCP, has to be redirected to ISE, and if a firewall is in between, these packet types should be permitted.
A: It is already available for 3XK on all ports and service modules, except the network modules, with the IP Base license. For the Cisco Catalyst 3850 Series Switch, MACSec support (switch-to-switch) will be available in Q4 2014.
A: This session does not focus on the C4500X in particular.
A: For the Cisco Catalyst 3850/3650 Series Switches, MACSec is not available yet. However, the hardware is capable, and the software release is planned for later this year.