TrustSec Planning and Deployment Checklist


Table Of Contents

Planning Considerations
  Security Policy Creation and Maintenance
  Public Key Infrastructure (PKI)
  Directory Services
  Network Access Devices (NADs)
  Managed Endpoints
  Agentless Endpoints
  Cisco Secure Access Control Server (ACS)
  Guest Services
  Monitoring, Reporting, and Troubleshooting
  Support Desk
Deployment Checklist
  Security Policy
  Enforcement States
  Digital Certificates
  Network Services
  Network Devices
  Common TrustSec RADIUS Authorization Attributes
Test Scenarios
TrustSec 1.99 Documents
Related Documents

This checklist serves as a guide to help you understand the various components, technologies, and organizational efforts required for a successful Cisco TrustSec deployment. This document contains the following sections:

Planning Considerations

Deployment Checklist

Test Scenarios


Planning Considerations

Answering the following organizational and operational questions will help you understand some of the security requirements, business processes, and group dynamics that impact the integration and deployment of Cisco TrustSec in your network.

Security Policy Creation and Maintenance

[ ] Describe your desired network access policy. Include the authorization and handling of the following:

Managed users including unique requirements for different groups and roles

Unmanaged users—Contractors, extranets, labs, and so on

Different access methods—Wired, wireless, VPN, virtual desktops, and so on

Different locations—Sites, buildings, floors, and other locations

Guests and visitors

Agentless devices—IP phones, printers, and other devices

[ ] Is creating security policy and enforcing it performed by the same group within your organization or by different groups?

[ ] What does a quorum of policy decision-makers for making changes at your organization look like?

[ ] Will network access authorizations be based on endpoint or user identity, endpoint posture, or both?

Public Key Infrastructure (PKI)

Server certificates should be issued to the fully-qualified domain name (FQDN) of the ACS server, because supplicants that validate the server certificate compare it against the server name they are configured to trust. Self-signed certificates are not recommended for production deployments.

[ ] Have you already deployed an enterprise PKI? Which one?

[ ] If not, do you expect to install and manage a PKI or purchase individual certificates from a CA vendor?

[ ] What is the process at your organization for obtaining a digital certificate?

[ ] What is your annual budget per server certificate?

[ ] If unable to use public or enterprise CA-signed certificates, does your organization fully understand the long-term usability, support, migration, and scaling issues?

Directory Services

[ ] Will you require identity for network authorization?

[ ] Will you use username/passwords, digital certificates, tokens, all of the above, or something different?

[ ] Will you integrate with existing identity stores such as Microsoft Active Directory, LDAP, Novell, or ODBC?

[ ] Do you have multiple identity domains to authenticate against, and if so, how many?

[ ] Will your existing identity store clusters scale to support the load from network authentication?

Network Access Devices (NADs)

[ ] Which edges of your network do you want to authenticate with Cisco Secure ACS and RADIUS? Wired? Wireless? VPN? Remote offices?

[ ] Does your existing hardware support the desired 802.1X functionality? Must you upgrade?

[ ] Do you plan to upgrade from Cisco CatOS to Cisco IOS to get the latest 802.1X features?

[ ] Do your NADs have enough memory for the latest Cisco IOS images and security features, or is a RAM upgrade required?

Managed Endpoints

[ ] Do you have an inventory of the number and types of network endpoints on your network today?

[ ] Do you already use 802.1X supplicants from Cisco or Microsoft? Wired or wireless or both?

[ ] Will the desired 802.1X supplicant require a software purchase, upgrade, or OS service pack?

[ ] Which authentication types are required or preferred?

Agentless Endpoints

[ ] Do you have a method for automatically identifying and authorizing agentless endpoints on your network?

[ ] Have you identified the total number of agentless devices and device types in your network, which can include the following?

No 802.1X supplicant (unsupported or hardened OS, such as phones or printers)

Pre-execution Environment (PXE) network booting and reimaging

Otherwise unmanaged/uncontrolled devices (guests, labs, and so on)

[ ] What is your method of identifying, classifying, and authorizing agentless endpoints?

Upgrade to 802.1X capabilities in hardware and/or OS

Whitelisting in NAD per MAC or IP

Whitelisting in ACS (MAC Authentication Bypass [MAB], MAC wildcards)

Whitelisting in LDAP or other identity store or database

[ ] What is your budget for administrative and management costs for manual MAB or endpoint registration system?

Cisco Secure Access Control Server (ACS)

[ ] Cisco Secure ACS v5.2 + patch 3 is currently recommended. Will you need to upgrade or purchase?

[ ] How many ACSes will you need to scale the deployment based on your organization size, availability requirements, revalidation frequency, and protocol choice?

[ ] How will you replicate policy changes: manually, periodically, scheduled, instantly?

[ ] Will any load balancing hardware or software be necessary for handling high numbers of concurrent authorizations?

Guest Services

[ ] What is your security policy for guests, visitors, or employees that cannot authenticate via 802.1X or MAB?

[ ] If you want to allow guests, do you have an existing guest portal such as the Cisco NAC Guest Server?

[ ] Who will be allowed to sponsor the guest accounts? Lobby staff or any employee in your directory?

[ ] What are the various guest service profiles that sponsors will be allowed to provision?

[ ] Will session length be based on the time-of-day or time-from-first-login?

[ ] What information will you require guests to provide in exchange for network access?

[ ] How will you audit sponsors, provisioned accounts, and account usage?

Monitoring, Reporting, and Troubleshooting

[ ] What is your existing monitoring and reporting application or toolset?

[ ] What are the long-term storage requirements for all of these new logs and events?


It is best to clearly communicate a change in your network access policy so that users are not surprised by new security and software requirements, access restrictions, or URL redirections.

[ ] Do you have clear authority from management to block, limit, and redirect non-compliant endpoints and users?

[ ] Have you raised awareness by discussing the needs and benefits with stakeholders and users for changes in network access policy?

[ ] Are the responsible groups ready for a unified response to non-compliant users?

[ ] Have you communicated with all users via multiple channels including email, intranet, a remediation website, and support desks?

Support Desk

[ ] Is the support staff trained for the new security technology, process, and policy?

[ ] How will the support staff troubleshoot support calls related to ACS-based RADIUS authentications?

[ ] Is any internal tool or application development required for ACS-related support?

Deployment Checklist

Based on your answers to the questions above and on your existing network architecture, complete the tables in this section. The information is needed for RADIUS-based access control configuration and will be a valuable reference that speeds initial configuration in your deployment.

Security Policy

Describe your major network access scenarios and how you will use contextual, network-based attributes to authorize them (see Table 1). The total unique authorization states will determine your final ACS authorization policies.

Table 1 Security Policy

Who (User)       | What (Endpoint)           | Where (Location) | When (Time) | How (Authorization)
-----------------|---------------------------|------------------|-------------|--------------------
AD Domain Users  | Windows XP SP3 supplicant |                  |             |
                 |                           |                  |             |

Enforcement States

From the unique authorization states you determined in Table 1, document the specific RADIUS attribute settings for each state (see Table 2). This will help you understand the subtle differences between each enforcement state and identify the number of unique ACLs you must create.

Table 2 Enforcement States

RADIUS Attribute        | Setting (one column per enforcement state from Table 1)
------------------------|---------------------------------------------------------
URL for Redirect        |
URL Redirect ACL        |
Downloadable ACL Name   |
Voice VLAN Permission   |
Reauthentication: Timer | 28800 (8 hours)
Maintain Connectivity   |

Digital Certificates

Create and use CA-signed certificates for your TrustSec infrastructure to minimize long-term problems due to untrusted, self-signed certificates (see Table 3).

Table 3 Digital Certificates

Server            | Org Unit (2 letter) | Key Size | Certificate Authority
------------------|---------------------|----------|----------------------
                  |                     |          |
NAC Guest Server  |                     |          |

Network Services

List all basic network services and the hosts that provide these services in your network (see Table 4). This will help with access control list (ACL) exceptions and TrustSec service configuration. For the ACS and NAC Guest Server rows, record where the administrative credentials are kept (for example, a password vault entry), not the credentials themselves; this worksheet is shared widely during the deployment.

Table 4 Network Services

Service                          | DNS Names | Network Address(es) | Administrative Access
---------------------------------|-----------|---------------------|-------------------------------------------------------------------
CA Server(s)                     |           |                     |
DNS Server(s)                    |           |                     |
DHCP Server(s)                   |           |                     |
NTP Server(s)                    |           |                     |
FTP Servers                      |           |                     |
Proxy Servers (to Internet)      |           |                     |
TFTP/PXE Boot Servers            |           |                     |
Syslog Servers                   |           |                     |
Identity Store: Active Directory |           |                     |
Identity Store: LDAP             |           |                     |
Identity Store: OTP              |           |                     |
Cisco Secure ACS                 |           |                     | CLI: admin:password; Web: acsadmin:password; AD: username:password
NAC Guest Server                 |           | IP: eth0 MAC:       | CLI: root:password; Web: admin:password

How will all of the various network endpoints be authenticated when TrustSec is enabled? Possible authentication methods include 802.1X, MAB, and Web Authentication. Use Table 5 to record endpoint information.

Table 5 Endpoints

Endpoint                                     | Authentication Method
---------------------------------------------|----------------------
Windows XP SP# (Native Supplicant)           |
Windows Vista SP# (Native Supplicant)        |
Windows 7 (Native Supplicant)                |
Windows 7 (AnyConnect)                       |
Windows XP SP3 (Secure Services Client)      |
Apple Mac OS X 10.6.x (Native Supplicant)    |
Linux (No Supplicant)                        |
Cisco 79xx Phones                            |
Cisco APxxxx                                 |
PXE Boot                                     |

Network Devices

Document the network access devices in your network by model, supervisor (if appropriate), and software version (see Table 6). Each network device IP address must be added to ACS unless you use wildcard entries. It is highly recommended that you upgrade all switches to the latest tested and validated version in the Cisco Validated Design (CVD) to avoid feature and behavior inconsistencies.

Table 6 Network Devices

Model | Supervisor | Cisco IOS Version | IP Address | DNS Name
------|------------|-------------------|------------|---------
      |            |                   |            |

Common TrustSec RADIUS Authorization Attributes

Table 7 lists the most commonly used RADIUS attributes for TrustSec with campus access switches. The [T1] tag marks the three tunnel attributes as one group (RFC 2868), and the cisco-av-pair rows use Cisco's attribute=value syntax inside the Cisco vendor-specific attribute.

Table 7 Common TrustSec RADIUS Authorization Attributes

Attribute (Number)           | Vendor | Value                       | Purpose
-----------------------------|--------|-----------------------------|--------------------------------------------
Session-Timeout (27)         | IETF   | 28800                       | 8 hours between reauthentications
Idle-Timeout (28)            | IETF   | 300                         | 5 minutes
Termination-Action (29)      | IETF   | RADIUS-Request (1)          | Maintain connection while re-authenticating
Tunnel-Type (64)             | IETF   | [T1] VLAN (13)              | Dynamic VLAN assignment (with 65 and 81)
Tunnel-Medium-Type (65)      | IETF   | [T1] 802 (6)                | Dynamic VLAN assignment (with 64 and 81)
Tunnel-Private-Group-ID (81) | IETF   | [T1] <name or number>       | VLAN name or number
cisco-av-pair (1)            | Cisco  | device-traffic-class=voice  | Enable Voice Domain
cisco-av-pair (1)            | Cisco  | url-redirect=<URL>          | Redirection URL
cisco-av-pair (1)            | Cisco  | url-redirect-acl=<ACL name> | ACL to match URL redirection or not
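The attribute rows above are what an ACS authorization profile returns in the RADIUS Access-Accept for one enforcement state of Table 2. The following Python, an added example that is not part of this checklist or of Cisco's software, encodes one such profile per state in the RFC 2865/2868 wire format, including the [T1]-tagged tunnel attributes and the cisco-av-pair vendor-specific attribute, and decodes it again so the resulting attribute list can be checked against the table. The state names, VLAN names, dACL names and portal URL are assumptions; the attribute numbers, the Cisco vendor ID 9 and the av-pair names are the standard ones.

```python
"""Encode the per-state RADIUS authorization attributes of Tables 2 and 7 in RADIUS wire format."""
import struct
from dataclasses import dataclass
from typing import Optional

# IETF attribute numbers from Table 7 (RFC 2865 / RFC 2868) and the Cisco VSA for cisco-av-pair
SESSION_TIMEOUT, IDLE_TIMEOUT, TERMINATION_ACTION = 27, 28, 29
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AV_PAIR = 26, 9, 1
TERMINATION_RADIUS_REQUEST = 1          # keep the session up while reauthenticating
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
TAG = 1                                 # the [T1] tag that groups the three tunnel attributes


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1, header included) Value; a value is 1..253 bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def integer_attr(attr_type: int, n: int) -> bytes:
    return _attr(attr_type, struct.pack("!I", n))

def tagged_integer_attr(attr_type: int, tag: int, n: int) -> bytes:
    """RFC 2868 tagged integer: one tag byte (0..31) followed by a 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F or n >= 1 << 24:
        raise ValueError("tag must be 0..31 and value must fit in 24 bits")
    return _attr(attr_type, bytes([tag]) + struct.pack("!I", n)[1:])

def tagged_string_attr(attr_type: int, tag: int, s: str) -> bytes:
    return _attr(attr_type, bytes([tag]) + s.encode("ascii"))

def cisco_av_pair(s: str) -> bytes:
    """Vendor-Specific(26): Vendor-Id(4)=9, Vendor-Type(1)=1, Vendor-Length(1), then attribute=value."""
    v = s.encode("ascii")
    return _attr(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AV_PAIR, len(v) + 2) + v)


@dataclass
class EnforcementState:
    """One column of Table 2: the attribute settings for a single authorization result."""
    name: str
    session_timeout: int = 28800            # 8 hours, as in Table 7
    idle_timeout: int = 300                 # 5 minutes
    vlan: Optional[str] = None              # VLAN name or number (Tunnel-Private-Group-ID)
    dacl_name: Optional[str] = None         # downloadable ACL name
    voice_domain: bool = False
    url_redirect: Optional[str] = None
    url_redirect_acl: Optional[str] = None

    def encode(self) -> bytes:
        # The switch needs both halves of the redirect pair; plan them as all-or-nothing.
        if bool(self.url_redirect) != bool(self.url_redirect_acl):
            raise ValueError(f"{self.name}: url-redirect and url-redirect-acl must be set together")
        out = [integer_attr(SESSION_TIMEOUT, self.session_timeout),
               integer_attr(IDLE_TIMEOUT, self.idle_timeout),
               integer_attr(TERMINATION_ACTION, TERMINATION_RADIUS_REQUEST)]
        if self.vlan:
            out += [tagged_integer_attr(TUNNEL_TYPE, TAG, TUNNEL_TYPE_VLAN),
                    tagged_integer_attr(TUNNEL_MEDIUM_TYPE, TAG, TUNNEL_MEDIUM_802),
                    tagged_string_attr(TUNNEL_PRIVATE_GROUP_ID, TAG, self.vlan)]
        if self.dacl_name:  # ACS names the dACL here; the switch then downloads its contents from ACS
            out.append(cisco_av_pair(f"ACS:CiscoSecure-Defined-ACL={self.dacl_name}"))
        if self.voice_domain:
            out.append(cisco_av_pair("device-traffic-class=voice"))
        if self.url_redirect:
            out.append(cisco_av_pair(f"url-redirect={self.url_redirect}"))
            out.append(cisco_av_pair(f"url-redirect-acl={self.url_redirect_acl}"))
        return b"".join(out)


def decode(buf: bytes) -> list:
    """Parse an attribute list back into (type, value) pairs; cisco-av-pairs become ('cisco-av-pair', str)."""
    result, i = [], 0
    while i < len(buf):
        t, length = buf[i], buf[i + 1]
        if length < 3 or i + length > len(buf):
            raise ValueError("malformed attribute")
        v = buf[i + 2:i + length]
        if t == VENDOR_SPECIFIC and v[:5] == struct.pack("!IB", CISCO_VENDOR_ID, CISCO_AV_PAIR):
            result.append(("cisco-av-pair", v[6:].decode("ascii")))
        elif t in (SESSION_TIMEOUT, IDLE_TIMEOUT, TERMINATION_ACTION):
            result.append((t, struct.unpack("!I", v)[0]))
        elif t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            result.append((t, (v[0], int.from_bytes(v[1:], "big"))))
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            result.append((t, (v[0], v[1:].decode("ascii"))))
        else:
            result.append((t, v))
        i += length
    return result


# Constructed sample states; the names, VLANs and portal URL are hypothetical
EMPLOYEE = EnforcementState("employee", vlan="CORP", dacl_name="PERMIT-ALL")
IP_PHONE = EnforcementState("ip-phone", vlan="VOICE", voice_domain=True)
GUEST_REDIRECT = EnforcementState("guest-redirect", vlan="GUEST", dacl_name="PREAUTH",
                                  url_redirect="https://guest.example.com/login",
                                  url_redirect_acl="ACL-WEBAUTH-REDIRECT")

if __name__ == "__main__":
    for state in (EMPLOYEE, IP_PHONE, GUEST_REDIRECT):
        print(state.name, decode(state.encode()))
```

Comparing the decoded list for each state against its Table 2 column is a quick way to confirm that two states which look alike on paper really differ only in the attributes you intend, and that a redirect state never ships a URL without its ACL.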

Test Scenarios

Based on your security policy, anticipated endpoints, and enforcement states, create a list of scenarios to test in your lab or small proof-of-concept deployment before production deployment. Table 8 lists some suggested scenarios to get you started.

Table 8 Test Scenarios

Test Scenario                                              | Notes (Pass/Fail/Other)
-----------------------------------------------------------|------------------------
802.1X allows host to join Windows domain                  |
802.1X machine authentication                              |
802.1X user login to Windows domain                        |
802.1X single sign-on (SSO): username/password             |
802.1X user-initiated password change                      |
802.1X Active Directory required user password change      |
802.1X login successful for all user groups and VLANs      |
Guest sponsorship                                          |
Guest access                                               |
Validate VLAN changes for ACCESS <=> GUEST (if used)       |
EAPoL-Logoff sent on user logoff                           |
EAPoL-Start sent on new user logon                         |
GPOs work for wired                                        |
Login scripts work                                         |
SSO works for wired                                        |
New machine can join domain with supplicant                |
New AD user can log in on host                             |
Cisco ACS                                                  |
ACS access service: 802.1X                                 |
ACS access service: machine authentication                 |
Appliance: remote syslog                                   |
Replication configuration and success                      |
Verify existing AAA infrastructure works on new ACSes      |
ACS redundancy: RADIUS failover to secondary ACS           |
AD redundancy: ACS failover to secondary domain controller |

TrustSec 1.99 Documents

Wired 802.1X Deployment Guide—

IP Telephony for 802.1X Design Guide—

MAC Authentication Bypass Deployment Guide—

TrustSec Phased Deployment Configuration Guide—

Local WebAuth Deployment Guide—

Scenario-Based TrustSec Deployments Application Note—

TrustSec 1.99 Deployment Note: FlexAuth Order, Priority, and Failed Authentication—

TrustSec Planning and Deployment Checklist—

Related Documents

Configuring WebAuth on the Cisco Catalyst 3750 Series Switches—

Configuring WebAuth on the Cisco Catalyst 4500 Series Switches—

Configuring WebAuth on the Cisco Catalyst 6500 Series Switches—

Cisco IOS Firewall authentication proxy—

WebAuth with Cisco Wireless LAN Controllers—