Cisco ASA Series Cli Configuration Manual page 908
Software version 9.0 for the services module
Hide thumbs
Also See for ASA Series:
- Configuration manual (429 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Information About the ASA Integrated with Cisco TrustSec
•
Figure 1-1
(Access Requestors)
Implementing Cisco TrustSec allows for configuration of security policies supporting server
segmentation.
•
•
•
•
How the ASA Enforces Security Group Based Policies
Note
User-based security policies and security-group based policies, can coexist on the ASA. Any
combination of network, user-based and security-group based attributes can be configured in an security
policy. See
security policies.
As part of configuring the ASA to function with Cisco TrustSec, you must import a Protected Access
Credential (PAC) file from the ISE.
Importing the PAC file to the ASA establishes a secure communication channel with the ISE. After the
channel is established, the ASA initiates a PAC secure RADIUS transaction with the ISE and downloads
Cisco TrustSec environment data; specifically, the ASA downloads the security group table. The security
group table maps SGTs to security group names. Security group names are created on the ISE and
provide user-friendly names for security groups.
The first time the ASA downloads the security group table, it walks through all entries in the table and
resolves all the security group names contained in security policies configured on the ASA; then, the
ASA activates those security policies locally. If the ASA is unable to resolve a security group name, it
generates a system log message for the unknown security group name.
The following figure shows how a security policy is enforced in Cisco TrustSec.
Cisco ASA Series CLI Configuration Guide
1-4
User identity and resource identity are retained throughout the Cisco Trustsec capable switch
infrastructure.
Security Group Name Based Policy Enforcement Deployment
SXP
Access
Switch
End Points
A pool of servers can be assigned an SGT for simplified policy management.
The SGT information is retained within the infrastructure of Cisco Trustsec capable switches.
The ASA can leverage the IP-SGT mapping for policy enforcement across the Cisco TrustSec
domain.
Deployment simplification is possible because 802.1x authorization for servers is mandatory.
Chapter 1, "Configuring the Identity Firewall"
Chapter 1
Configuring the ASA to Integrate with Cisco TrustSec
SXP
ASA
Access
Switch
Corp servers
for information about configuring user-based
Importing a Protected Access Credential (PAC) File, page
Mktg servers
1-13.
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
