Deployment Modes

Cisco TrustSec is a system of multiple Cisco® products deployed to secure the access layer. The main types of access layer are WLAN, LAN, and VPN. A WLAN advertises Service Set Identifiers (SSIDs), which endpoints or users select to gain access. A typical network has a guest SSID that provides Internet access only and an internal SSID through which access to the internal network is provisioned. SSIDs also give the IT team a low-risk way to roll out a more secure WLAN: create a new SSID with the stricter policy and direct a selected group of users to it for evaluation before migrating everyone else.

With the LAN access layer, a single interface has to deal with different endpoints and users; there is no concept of SSIDs on LAN switchports. So when an interface is enabled with TrustSec, it must be able to address different endpoints and users without the benefit of the SSIDs that are used in WLANs. On wired access ports, switches or network access devices (NADs) are responsible for enforcing permissions based on the credentials provided by endpoints. When 802.1X is enabled on an interface, the TrustSec system expects the endpoint to present credentials before it is allowed onto the network. However, not all endpoints support 802.1X. Legacy devices such as printers, fax machines, and IP cameras may have no supplicant at all, and on a port that only accepts 802.1X they are simply denied access unless an alternative such as MAC Authentication Bypass (MAB) is available. Also, by default an 802.1X-enabled switchport allows only a single MAC address per interface (single-host mode), which is likely to interfere with how the port is actually used. If switchports are enabled with 802.1X without consideration of such use cases, users with IP phones (a second MAC address behind the same port) or unmanaged hubs (several) will have trouble connecting to the network.

You can resolve all of these challenges by following a phased approach to TrustSec deployment. With a phased deployment, you can provide secure network services with little-to-no impact on end users.

As the image below illustrates, the three main TrustSec deployment phases are Monitor Mode, Low-Impact Mode, and Closed Mode. Deploying Monitor Mode first allows the administrator to work through all of these issues, gaining visibility into successful and failed authentications, with minimal impact on users and endpoints: the switch authenticates every endpoint and logs the result to the RADIUS server, but forwards traffic regardless of that result. Once the issues have been addressed through Monitor Mode in Phase 1, you can provide secured network access in Phase 2 through Low-Impact Mode (unauthenticated endpoints get only what a pre-authentication ACL permits until authorization replaces it) or Closed Mode (nothing but EAPOL passes until the session is authorized).
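The following Cisco IOS access-port configuration is an added example, not taken from this guide, showing the three phases side by side on three ports, together with the MAB fallback and host-mode settings that address the non-802.1X and multi-device cases from the earlier paragraph. The RADIUS server name and address (192.0.2.10), the shared-secret placeholder, VLAN numbers, interface names and the PRE-AUTH ACL contents are all assumptions chosen for illustration; adjust them to your environment. It uses the legacy authentication-manager CLI (IOS 15.x style), not the newer IBNS 2.0 policy-map syntax.

```cisco
! --- Global: AAA and RADIUS (assumed ISE server and placeholder secret) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key CHANGE-ME
!
! Pre-authentication ACL for Low-Impact Mode (assumed contents): before a
! session is authorized only DHCP, DNS and TFTP may leave the port. The
! downloadable ACL (dACL) returned by the RADIUS server replaces it per session.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 deny ip any any
!
! --- Phase 1: Monitor Mode ---
! "authentication open" forwards traffic whether or not 802.1X/MAB succeeds,
! so the only visible effect is the RADIUS record of who tried and the result.
! multi-auth: one session per MAC, so hubs and phone-plus-PC both work.
! dot1x times out after tx-period * (max-reauth-req + 1) = 30 s, then MAB runs.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
!
! --- Phase 2, option A: Low-Impact Mode ---
! Monitor Mode plus the pre-auth ACL: unauthenticated endpoints get only what
! PRE-AUTH permits, and the RADIUS policy must return a dACL for authorized
! sessions or they keep the restricted ACL after success.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip access-group PRE-AUTH in
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
!
! --- Phase 2, option B: Closed Mode ---
! No "authentication open": only EAPOL passes until a session is authorized.
! multi-domain: exactly one data and one voice device. The critical-VLAN
! lines keep endpoints working if every RADIUS server is unreachable.
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication event fail action next-method
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

Two checks are worth running before moving a port from one phase to the next. First, `show authentication sessions interface GigabitEthernet1/0/1 details` shows the method that succeeded (dot1x or mab), the authorization result, and any dACL applied, which is exactly the visibility Monitor Mode exists to provide; a port still showing "Unauthorized" sessions for printers or phones is not ready for Closed Mode. Second, note that `authentication open` only stops the switch from blocking traffic on failure: if the RADIUS server returns a restrictive dACL or VLAN on an Access-Accept during Phase 1, the switch applies it, so the server-side policy must also be permissive during Monitor Mode.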