TrustSec Planning and Deployment Checklist

Table Of Contents

Planning Considerations

Security Policy Creation and Maintenance

Public Key Infrastructure (PKI)

Directory Services

Network Access Devices (NADs)

Managed Endpoints

Cisco Secure Access Control Server (ACS)

Guest Services

Monitoring, Reporting, and Troubleshooting

Communications

Support Desk

Deployment Checklist

Security Policy

Enforcement States

Digital Certificates

Network Services

Endpoints

Network Devices

Common TrustSec RADIUS Authorization Attributes

Test Scenarios

References

TrustSec 1.99 Documents

Related Documents

TrustSec Planning and Deployment Checklist

This checklist serves as a guide to help you understand the various components, technologies, and organizational efforts required for a successful Cisco TrustSec deployment. This document contains the following sections:

•Planning Considerations

•Deployment Checklist

•Test Scenarios

•References

Planning Considerations

Answering the following organizational and operational questions will help you understand some of the security requirements, business processes, and group dynamics that impact the integration and deployment of Cisco TrustSec in your network.

Security Policy Creation and Maintenance

[ ] Describe your desired network access policy. Include the authorization and handling of the following:

•Managed users including unique requirements for different groups and roles

•Unmanaged users—Contractors, extranets, labs, and so on

•Different access methods—Wired, wireless, VPN, virtual desktops, and so on

•Different locations—Sites, buildings, floors, and other locations

•Guests and visitors

•Agentless devices—IP phones, printers, and other devices

[ ] Is creating security policy and enforcing it performed by the same group within your organization or by different groups?

[ ] What does a quorum of policy decision-makers for making changes at your organization look like?

[ ] Will network access authorizations be based on endpoint or user identity, endpoint posture, or both?

Public Key Infrastructure (PKI)

Certificates should be based on the fully-qualified domain name (FQDN) of the ACS server. Self-signed certificates are not recommended for production deployments.

[ ] Have you already deployed an enterprise PKI? Which one?

[ ] If not, do you expect to install and manage a PKI or purchase individual certificates from a CA vendor?

[ ] What is the process at your organization for obtaining a digital certificate?

[ ] What is your annual budget per server certificate?

[ ] If unable to use public or enterprise CA-signed certificates, does your organization fully understand the long-term usability, support, migration, and scaling issues?

Directory Services

[ ] Will you require identity for network authorization?

[ ] Will you use username/passwords, digital certificates, tokens, all of the above, or something different?

[ ] Will you integrate with existing identity stores such as Microsoft Active Directory, LDAP, Novell, or ODBC?

[ ] Do you have multiple identity domains to authenticate against, and if so, how many?

[ ] Will your existing identity store clusters scale to support the load from network authentication?

Network Access Devices (NADs)

[ ] Which edges of your network do you want to authenticate with Cisco Secure ACS and RADIUS? Wired? Wireless? VPN? Remote offices?

[ ] Does your existing hardware support the desired 802.1X functionality? Must you upgrade?

[ ] Do you plan to upgrade from Cisco CatOS to Cisco IOS to get the latest 802.1X features?

[ ] Do your NADs have enough memory for the latest Cisco IOS images and security features, or is a RAM upgrade required?

Managed Endpoints

[ ] Do you have an inventory of the number and types of network endpoints on your network today?

[ ] Do you already use 802.1X supplicants from Cisco or Microsoft? Wired or wireless or both?

[ ] Will the desired 802.1X supplicant require a software purchase, upgrade, or OS service pack?

[ ] Which authentication types are required or preferred?Agentless Endpoints

[ ] Do you have a method for automatically identifying and authorizing agentless endpoints on your network?

[ ] Have you identified the total number of agentless devices and device types in your network, which can include the following?

•No 802.1X supplicant (unsupported or hardened OS, such as phones or printers)

•Pre-execution Environment (PXE) network booting and reimaging

•Otherwise unmanaged/uncontrolled devices (guests, labs, and so on)

[ ] What is your method of identifying, classifying, and authorizing agentless endpoints?

•Upgrade to 802.1X capabilities in hardware and/or OS

•Whitelisting in NAD per MAC or IP

•Whitelisting in ACS (MAC Authentication Bypass [MAB], MAC wildcards)

•Whitelisting in LDAP or other identity store or database

[ ] What is your budget for administrative and management costs for manual MAB or endpoint registration system?

Cisco Secure Access Control Server (ACS)

[ ] Cisco Secure ACS v5.2 + patch 3 is currently recommended. Will you need to upgrade or purchase?

[ ] How many ACSes will you need to scale the deployment based on your organization size, availability requirements, revalidation frequency, and protocol choice?

[ ] How will you replicate policy changes: manually, periodically, scheduled, instantly?

[ ] Will any load balancing hardware or software be necessary for handling high numbers of concurrent authorizations?

Guest Services

[ ] What is your security policy for guests, visitors, or employees that cannot authenticate via 802.1X or MAB?

[ ] If you want to allow guests, do you have an existing guest portal such as the Cisco NAC Guest Server?

[ ] Who will be allowed to sponsor the guest accounts? Lobby staff or any employee in your directory?

[ ] What are the various guest service profiles that sponsors will be allowed to provision?

[ ] Will session length be based on the time-of-day or time-from-first-login?

[ ] What information will you require guests to provide in exchange for network access?

[ ] How will you audit sponsors, provisioned accounts, and account usage?

Monitoring, Reporting, and Troubleshooting

[ ] What is your existing monitoring and reporting application or toolset?

[ ] What are the long-term storage requirements for all of these new logs and events?

Communications

It is best to clearly communicate a change in your network access policy so that users are not surprised by new security and software requirements, access restrictions, or URL redirections.

[ ] Do you have clear authority from management to block, limit, and redirect non-compliant endpoints and users?

[ ] Have you raised awareness by discussing the needs and benefits with stakeholders and users for changes in network access policy?

[ ] Are the responsible groups ready for a unified response to non-compliant users?

[ ] Have you communicated with all users via multiple channels including email, intranet, a remediation website, and support desks?

Support Desk

[ ] Is the support staff trained for the new security technology, process, and policy?

[ ] How will the support staff troubleshoot support calls related to ACS-based RADIUS authentications?

[ ] Is any internal tool or application development required for ACS-related support?

Deployment Checklist

Based on your answers to the questions above as well as your existing network architecture, complete the tables on the following pages. This will be needed for RADIUS-based access control configuration and will be a valuable reference that speeds initial configuration in your deployment.

Security Policy

Describe your major network access scenarios and how you will use contextual, network-based attributes to authorize them (see Table 1). The total unique authorization states will determine your final ACS authorization policies.

Table 1 Security Policy

Scenario	Who (User)	What (Endpoint)	Where (Location)	When (Time)	How (Authorization)
Employee	AD Domain Users	Windows XPSP3 supplicant	Any	Any	Allow_All

Enforcement States

From the unique authorization states you determined in Table 1, document the specific RADIUS attribute settings for each state (see Table 2). This will help you understand the subtle differences between each enforcement state and identify the number of unique ACLs you must create.

Table 2 Enforcement States

RADIUS Attribute	Allow_All
VLAN ID/Name	ACCESS
URL for Redirect	-
URL Redirect ACL	-
Downloadable ACL Name	ACL-ALLOW-ALL
Voice VLAN Permission	No
Reauthentication: Timer	28800 (8 hours)
Reauthentication: Maintain Connectivity	Yes

Digital Certificates

Create and use CA-signed certificates for your TrustSec infrastructure to minimize long-term problems due to untrusted, self-signed certificates (see Table 3).

Table 3 Digital Certificates

Component	FQDN	Org Unit	Org	City	State	Country (2 letter)	Key Size (max)	Cert Format
Certificate Authority
ACS
NAC Guest Server

Network Services

List all basic network services and the hosts that provide these services in your network (see Table 4). This will help with access control list (ACL) exceptions and TrustSec service configuration.

Table 4 Network Services

Role	DNS Names	Network Address(es)	Details
CA Server(s)
DNS Server(s)
DHCP Server(s)
NTP Server(s)
FTP Servers			username:password
Proxy Servers (to Internet)			username:password
TFTP/PXE Boot Servers			username:password
Syslog Servers			username:password
Identity Store: Active Directory			username:password
Identity Store: LDAP
Identity Store: OTP
ACS RADIUS Server			CLI: admin: password Web: acsadmin: password AD: username:password
NAC Guest Server		IP: eth0 MAC:	CLI: root:password Web: admin:password

Endpoints

How will all of the various network endpoints be authenticated when TrustSec is enabled? Possible authentication methods include 802.1X, MAB, and Web Authentication. Use Table 5 to record endpoint information.

Table 5 Endpoints 

Endpoint	Authentication Method	Notes
Windows XP SP# (Native Supplicant)
Windows Vista SP# (Native Supplicant)
Windows 7 (Native Supplicant)
Windows 7 (AnyConnect)
Windows XP SP3 (Secure Services Client)
Apple MacOSX 10.6.x (Native Supplicant)
Linux (No Supplicant)
Cisco 79xx Phones
Cisco APxxxx
Printers
Servers
Guests
PXE Boot

Network Devices

Document the network access devices in your network by model, supervisor (if appropriate), and software version (see Table 6). Each network device IP address must be added to ACS unless you use wildcard entries. It is highly recommended that you upgrade all switches to the latest tested and validated version in the Cisco Validated Design (CVD) to avoid feature and behavior inconsistencies.

Table 6 Network Devices

Model	Cisco IOS Version	Management IP Address	Management DNS Name

Common TrustSec RADIUS Authorization Attributes

Table 7 lists the most commonly used RADIUS attributes for TrustSec with campus access switches.

Table 7 Common TrustSec RADIUS Authorization Attributes 

Vendor Name	Attributes	Value	Description
IETF	Session-Timeout (27)	28800	8 hours
IETF	Idle-Timeout (28)	300	5 minutes
IETF	Termination-Action (29)	RADIUS-Request (1)	Maintain connection while re-authenticating
IETF	Tunnel-Type (64)	[T1] VLAN (13)
IETF	Tunnel-Medium-Type (65)	[T1] 802 (6)
IETF	Tunnel-Private-Group-ID (81)	[T1] <name or number>	VLAN name or number
Cisco	cisco-av-pair (1)	device-traffic-class=voice	Enable Voice Domain
Cisco	cisco-av-pair (1)	url-redirect= http://server.mycompany.com/directory/file.html	Redirection URL
Cisco	cisco-av-pair (1)	url-redirect-acl=url_redir_acl	ACL to match URL redirection or not

Test Scenarios

Based on your security policy, anticipated endpoints, and enforcement states, create a list of scenarios to test in your lab or small proof-of-concept deployment before production deployment. Table 8 lists some suggested scenarios to get you started.

Table 8 Test Scenarios

Scenario	Notes (Pass/Fail/Other)
802.1X
802.1X allows host to join Windows domain
802.1X machine authentication
802.1X user login to Windows domain
802.1X sngle sign on (SSO): username/password
802.1X user-initiated password change
802.1X Active Directory required user password change
802.1X login successful for all user groups and VLANs
Guest sponsorship
Guest access
Supplicants
Validate VLAN changes for ACCESS <=> GUEST (if used)
EAPoL-Logoff sent on user logoff
EAPoL-Start sent on new user logon
GPOs works for wired
Login scripts work
SSO works for wired
New machine can join domain with supplicant
New AD user can login on host
Cisco ACS
ACS access service: 802.1X
ACS access service: machine authentication
Appliance: remote syslog
Replication configuration and success
Verify existing AAA infrastructure works on new ACSes
ACS redundancy: RADIUS failover to secondary ACS
AD redundancy: ACS failover to secondary domain controller

References

TrustSec 1.99 Documents

•Wired 802.1X Deployment Guide— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Dot1X_Deployment/Dot1x_Dep_Guide.html

•IP Telephony for 802.1X Design Guide— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/IP_Tele/IP_Telephony_DIG.html

•MAC Authentication Bypass Deployment Guide— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/MAB/MAB_Dep_Guide.html

•TrustSec Phased Deployment Configuration Guide— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Phased_Deploy/Phased_Dep_Guide.html

•Local WebAuth Deployment Guide— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/WebAuth/WebAuth_Dep_Guide.html

•Scenario-Based TrustSec Deployments Application Note— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Scenario_based_AppNote/Scenario_based_AN.html

•TrustSec 1.99 Deployment Note: FlexAuth Order, Priority, and Failed Authentication— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/FlexAuthNote/flexauth-note.html

•TrustSec Planning and Deployment Checklist— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/TrustSec_Checklist/trustsec-199_checklist.html

Related Documents

•Configuring WebAuth on the Cisco Catalyst 3750 Series Switches— http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/sw8021x.html

•Configuring WebAuth on the Cisco Catalyst 4500 Series Switches— http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst4500/12.2/53SG/configuration/webauth.html

•Configuring WebAuth on the Cisco Catalyst 6500 Series Switches— http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/webauth.html

•Cisco IOS Firewall authentication proxy— http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094eb0.shtml

•WebAuth with Cisco Wireless LAN Controllers— http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_configuration_example09186a008076f974.shtml#external-process