TrustSec Planning and Deployment Checklist
This checklist serves as a guide to help you understand the various components, technologies, and organizational efforts required for a successful Cisco TrustSec deployment. This document contains the following sections:
Answering the following organizational and operational questions will help you understand some of the security requirements, business processes, and group dynamics that impact the integration and deployment of Cisco TrustSec in your network.
Security Policy Creation and Maintenance
[ ] Describe your desired network access policy. Include the authorization and handling of the following:
•Managed users including unique requirements for different groups and roles
•Unmanaged users—Contractors, extranets, labs, and so on
•Different access methods—Wired, wireless, VPN, virtual desktops, and so on
•Different locations—Sites, buildings, floors, and other locations
•Guests and visitors
•Agentless devices—IP phones, printers, and other devices
[ ] Is creating security policy and enforcing it performed by the same group within your organization or by different groups?
[ ] What does a quorum of policy decision-makers for making changes at your organization look like?
[ ] Will network access authorizations be based on endpoint or user identity, endpoint posture, or both?
Public Key Infrastructure (PKI)
Certificates should be issued for the fully qualified domain name (FQDN) of the ACS server. Self-signed certificates are not recommended for production deployments.
[ ] Have you already deployed an enterprise PKI? Which one?
[ ] If not, do you expect to install and manage a PKI or purchase individual certificates from a CA vendor?
[ ] What is the process at your organization for obtaining a digital certificate?
[ ] What is your annual budget per server certificate?
[ ] If unable to use public or enterprise CA-signed certificates, does your organization fully understand the long-term usability, support, migration, and scaling issues?
[ ] Will you require identity for network authorization?
[ ] Will you use username/passwords, digital certificates, tokens, all of the above, or something different?
[ ] Will you integrate with existing identity stores such as Microsoft Active Directory, LDAP, Novell, or ODBC?
[ ] Do you have multiple identity domains to authenticate against, and if so, how many?
[ ] Will your existing identity store clusters scale to support the load from network authentication?
Network Access Devices (NADs)
[ ] Which edges of your network do you want to authenticate with Cisco Secure ACS and RADIUS? Wired? Wireless? VPN? Remote offices?
[ ] Does your existing hardware support the desired 802.1X functionality? Must you upgrade?
[ ] Do you plan to upgrade from Cisco CatOS to Cisco IOS to get the latest 802.1X features?
[ ] Do your NADs have enough memory for the latest Cisco IOS images and security features, or is a RAM upgrade required?
[ ] Do you have an inventory of the number and types of network endpoints on your network today?
[ ] Do you already use 802.1X supplicants from Cisco or Microsoft? Wired or wireless or both?
[ ] Will the desired 802.1X supplicant require a software purchase, upgrade, or OS service pack?
[ ] Which authentication types are required or preferred?
Agentless Endpoints
[ ] Do you have a method for automatically identifying and authorizing agentless endpoints on your network?
[ ] Have you identified the total number of agentless devices and device types in your network, which can include the following?
•No 802.1X supplicant (unsupported or hardened OS, such as phones or printers)
•Pre-execution Environment (PXE) network booting and reimaging
•Otherwise unmanaged/uncontrolled devices (guests, labs, and so on)
[ ] What is your method of identifying, classifying, and authorizing agentless endpoints?
•Upgrade to 802.1X capabilities in hardware and/or OS
•Whitelisting in NAD per MAC or IP
•Whitelisting in ACS (MAC Authentication Bypass [MAB], MAC wildcards)
•Whitelisting in LDAP or other identity store or database
[ ] What is your budget for the administrative and management costs of manual MAB or an endpoint registration system?
Cisco Secure Access Control Server (ACS)
[ ] Cisco Secure ACS v5.2 + patch 3 is currently recommended. Will you need to upgrade or purchase?
[ ] How many ACSes will you need to scale the deployment based on your organization size, availability requirements, revalidation frequency, and protocol choice?
[ ] How will you replicate policy changes: manually, periodically, scheduled, instantly?
[ ] Will any load balancing hardware or software be necessary for handling high numbers of concurrent authorizations?
[ ] What is your security policy for guests, visitors, or employees that cannot authenticate via 802.1X or MAB?
[ ] If you want to allow guests, do you have an existing guest portal such as the Cisco NAC Guest Server?
[ ] Who will be allowed to sponsor the guest accounts? Lobby staff or any employee in your directory?
[ ] What are the various guest service profiles that sponsors will be allowed to provision?
[ ] Will session length be based on the time-of-day or time-from-first-login?
[ ] What information will you require guests to provide in exchange for network access?
[ ] How will you audit sponsors, provisioned accounts, and account usage?
Monitoring, Reporting, and Troubleshooting
[ ] What is your existing monitoring and reporting application or toolset?
[ ] What are the long-term storage requirements for all of these new logs and events?
It is best to clearly communicate a change in your network access policy so that users are not surprised by new security and software requirements, access restrictions, or URL redirections.
[ ] Do you have clear authority from management to block, limit, and redirect non-compliant endpoints and users?
[ ] Have you raised awareness by discussing the needs and benefits with stakeholders and users for changes in network access policy?
[ ] Are the responsible groups ready for a unified response to non-compliant users?
[ ] Have you communicated with all users via multiple channels including email, intranet, a remediation website, and support desks?
[ ] Is the support staff trained for the new security technology, process, and policy?
[ ] How will the support staff troubleshoot support calls related to ACS-based RADIUS authentications?
[ ] Is any internal tool or application development required for ACS-related support?
Based on your answers to the questions above as well as your existing network architecture, complete the tables on the following pages. This will be needed for RADIUS-based access control configuration and will be a valuable reference that speeds initial configuration in your deployment.
Describe your major network access scenarios and how you will use contextual, network-based attributes to authorize them (see Table 1). The total unique authorization states will determine your final ACS authorization policies.
Table 1 Security Policy
Scenario | Who (User) | What (Endpoint) | Where (Location) | When (Time) | How (Authorization)
 | AD Domain Users | Windows XP SP3 supplicant | | |
From the unique authorization states you determined in Table 1, document the specific RADIUS attribute settings for each state (see Table 2). This will help you understand the subtle differences between each enforcement state and identify the number of unique ACLs you must create.
Create and use CA-signed certificates for your TrustSec infrastructure to minimize long-term problems due to untrusted, self-signed certificates (see Table 3).
Table 3 Digital Certificates
Component | FQDN | Org Unit | Org | City | State | Country (2 letter) | Key Size
NAC Guest Server | | | | | | |
List all basic network services and the hosts that provide these services in your network (see Table 4). This will help with access control list (ACL) exceptions and TrustSec service configuration.
How will all of the various network endpoints be authenticated when TrustSec is enabled? Possible authentication methods include 802.1X, MAB, and Web Authentication. Use Table 5 to record endpoint information.
Document the network access devices in your network by model, supervisor (if appropriate), and software version (see Table 6). Each network device IP address must be added to ACS unless you use wildcard entries. It is highly recommended that you upgrade all switches to the latest tested and validated version in the Cisco Validated Design (CVD) to avoid feature and behavior inconsistencies.
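A switch whose IP address is missing from the ACS network-device list has its RADIUS requests dropped as coming from an unknown client, and every port on it falls back to whatever the failure policy is. The following script is an added example (not part of the Cisco checklist) that cross-checks a Table 6 style inventory against the ACS entries before 802.1X is enabled. The inventory rows and ACS entries are constructed sample data, and the accepted entry syntax (single IPv4 address, CIDR prefix, or dotted-quad wildcard with trailing `*` octets) is an assumption about how the entries were recorded, not a statement of ACS's own parser.

```python
"""Check that every network access device (NAD) in an inventory is covered by
an ACS network-device entry, so its RADIUS requests are not rejected as
coming from an unknown client.

Added example, not part of the Cisco checklist. Inventory and ACS entries are
constructed sample data. Entry syntax assumed here: a single IPv4 address,
a CIDR prefix, or a dotted-quad wildcard with '*' in the trailing octets.
"""
import ipaddress

# Constructed sample inventory: (hostname, model, software version, management IP)
NAD_INVENTORY = [
    ("bldg1-fl1-sw1", "WS-C3750", "12.2(55)SE", "10.1.1.10"),
    ("bldg1-fl2-sw1", "WS-C3750", "12.2(55)SE", "10.1.2.10"),
    ("bldg2-fl1-sw1", "WS-C4507R", "12.2(53)SG", "10.2.1.10"),
    ("remote-sw1", "WS-C3560", "12.2(55)SE", "192.168.50.10"),
    ("wlc1", "WLC-5508", "7.0", "10.10.0.5"),
]

# Constructed sample ACS network-device definitions
ACS_NETWORK_DEVICES = [
    "10.1.*.*",          # wildcard: all building 1 access switches
    "10.2.1.0/24",       # CIDR: building 2 floor 1
    "10.10.0.5",         # single host: wireless controller
]


def _wildcard_to_network(entry: str) -> ipaddress.IPv4Network:
    """Convert a dotted-quad wildcard such as 10.1.*.* into a network.
    Only trailing wildcards map onto a prefix; patterns like 10.*.1.*
    are rejected rather than silently widened."""
    octets = entry.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad wildcard entry: {entry}")
    fixed = []
    seen_star = False
    for octet in octets:
        if octet == "*":
            seen_star = True
        elif seen_star:
            raise ValueError(f"unsupported wildcard pattern: {entry}")
        else:
            fixed.append(octet)
    prefix_len = 8 * len(fixed)
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{prefix_len}")


def parse_acs_entry(entry: str) -> ipaddress.IPv4Network:
    """Parse one ACS entry into a network; a bare address becomes a /32."""
    if "*" in entry:
        return _wildcard_to_network(entry)
    return ipaddress.ip_network(entry, strict=False)


def uncovered_nads(inventory, acs_entries) -> list[str]:
    """Return hostnames of NADs whose management IP matches no ACS entry."""
    networks = [parse_acs_entry(e) for e in acs_entries]
    missing = []
    for hostname, _model, _version, ip in inventory:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in networks):
            missing.append(hostname)
    return missing


if __name__ == "__main__":
    for host in uncovered_nads(NAD_INVENTORY, ACS_NETWORK_DEVICES):
        print(f"NOT defined in ACS: {host}")
```

Run it against the real inventory export before the cut-over; the remote-office switch in the sample data is the kind of device that is typically forgotten when only campus ranges are entered as wildcards.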
Common TrustSec RADIUS Authorization Attributes
Table 7 lists the most commonly used RADIUS attributes for TrustSec with campus access switches.
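Table 2 asks you to write down the RADIUS attributes for each enforcement state, and Table 7 covers the attributes most often used to do it. The following script is an added example (not from the Cisco checklist, and not its Table 7) that models a handful of states as attribute sets and runs two checks a reviewer would want: which states share an identical ACL body (each distinct body is one ACL to create in ACS), and which states carry a partial VLAN assignment. The attribute names are the standard RADIUS tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), Session-Timeout and Termination-Action, plus the Cisco cisco-av-pair VSA in its `ip:inacl#` form; the states and their values are constructed sample data, not a recommended policy.

```python
"""Model per-state RADIUS authorization attributes (Table 2) and check them
for consistency before they become ACS authorization profiles.

Added example, not from the Cisco checklist. Attribute names are standard
RADIUS attributes and the Cisco cisco-av-pair VSA; the states and their
values below are constructed sample data, not a recommended policy.
"""
from collections import defaultdict

# Constructed enforcement states. Each maps to the attributes ACS would
# return in the Access-Accept for that state.
ENFORCEMENT_STATES = {
    "employee-full": {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": "EMPLOYEE",
        "cisco-av-pair": ["ip:inacl#10=permit ip any any"],
        "Session-Timeout": 28800,
        "Termination-Action": "RADIUS-Request",
    },
    "contractor": {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": "CONTRACTOR",
        "cisco-av-pair": [
            "ip:inacl#10=permit udp any any eq 53",
            "ip:inacl#20=permit tcp any host 10.0.0.20 eq 443",
            "ip:inacl#30=deny ip any any",
        ],
        "Session-Timeout": 3600,
        "Termination-Action": "RADIUS-Request",
    },
    "printer-mab": {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": "PRINTERS",
        "cisco-av-pair": [
            "ip:inacl#10=permit udp any any eq 53",
            "ip:inacl#20=permit tcp any host 10.0.0.20 eq 443",
            "ip:inacl#30=deny ip any any",
        ],
    },
    "phone-broken": {
        # Deliberately inconsistent sample: the VLAN is named but the two
        # tunnel framing attributes are missing, so the assignment is incomplete.
        "Tunnel-Private-Group-ID": "VOICE",
    },
}

# All three are needed for a VLAN assignment to be well formed.
VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")


def acl_lines(state: dict) -> tuple[str, ...]:
    """Return the ip:inacl# entries of a state ordered by ACL line number."""
    entries = [a for a in state.get("cisco-av-pair", []) if a.startswith("ip:inacl#")]
    return tuple(sorted(entries, key=lambda a: int(a.split("#")[1].split("=")[0])))


def unique_acls(states: dict) -> dict[tuple[str, ...], list[str]]:
    """Group states by identical ACL body; each key is one ACL to create in ACS."""
    groups = defaultdict(list)
    for name, attrs in states.items():
        body = acl_lines(attrs)
        if body:
            groups[body].append(name)
    return dict(groups)


def vlan_problems(states: dict) -> list[str]:
    """Flag states that set some but not all of the VLAN tunnel attributes."""
    bad = []
    for name, attrs in states.items():
        present = [a for a in VLAN_ATTRS if a in attrs]
        if present and len(present) != len(VLAN_ATTRS):
            bad.append(name)
    return bad


if __name__ == "__main__":
    for body, names in unique_acls(ENFORCEMENT_STATES).items():
        print(f"ACL shared by {names}:")
        for line in body:
            print("   ", line)
    print("states with incomplete VLAN assignment:", vlan_problems(ENFORCEMENT_STATES))
```

In the sample data the contractor and printer states resolve to the same ACL body, so Table 2 would list four states but only two ACLs; spotting that before configuration is the point of the exercise the checklist describes.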
Based on your security policy, anticipated endpoints, and enforcement states, create a list of scenarios to test in your lab or small proof-of-concept deployment before production deployment. Table 8 lists some suggested scenarios to get you started.
TrustSec 1.99 Documents
•Wired 802.1X Deployment Guide— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Dot1X_Deployment/Dot1x_Dep_Guide.html
•IP Telephony for 802.1X Design Guide— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/IP_Tele/IP_Telephony_DIG.html
•MAC Authentication Bypass Deployment Guide— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/MAB/MAB_Dep_Guide.html
•TrustSec Phased Deployment Configuration Guide— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Phased_Deploy/Phased_Dep_Guide.html
•Local WebAuth Deployment Guide— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/WebAuth/WebAuth_Dep_Guide.html
•Scenario-Based TrustSec Deployments Application Note— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Scenario_based_AppNote/Scenario_based_AN.html
•TrustSec 1.99 Deployment Note: FlexAuth Order, Priority, and Failed Authentication— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/FlexAuthNote/flexauth-note.html
•TrustSec Planning and Deployment Checklist— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/TrustSec_Checklist/trustsec-199_checklist.html
•Configuring WebAuth on the Cisco Catalyst 3750 Series Switches— http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/sw8021x.html
•Configuring WebAuth on the Cisco Catalyst 4500 Series Switches— http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst4500/12.2/53SG/configuration/webauth.html
•Configuring WebAuth on the Cisco Catalyst 6500 Series Switches— http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/webauth.html
•Cisco IOS Firewall authentication proxy— http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094eb0.shtml
•WebAuth with Cisco Wireless LAN Controllers— http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_configuration_example09186a008076f974.shtml#external-process