Roles In The Cisco Trustsec Feature; Security Group Policy Enforcement - Cisco ASA Series Configuration Manual
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Chapter 6
ASA and Cisco TrustSec
Roles in the Cisco TrustSec Feature
To provide identity and policy-based access enforcement, the Cisco TrustSec feature includes the
following roles:
•
•
•
•
•
The Cisco ASA serves the PEP role in the identity architecture. Using SXP, the ASA learns identity
information directly from authentication points and uses it to enforce identity-based policies.
Security Group Policy Enforcement
Security policy enforcement is based on security group name. An endpoint device attempts to access a
resource in the data center. Compared to traditional IP-based policies configured on firewalls,
identity-based policies are configured based on user and device identities. For example, mktg-contractor
is allowed to access mktg-servers; mktg-corp-users are allowed to access mktg-server and corp-servers.
The benefits of this type of deployment include the following:
•
Access Requester (AR)—Access requesters are endpoint devices that request access to protected
resources in the network. They are primary subjects of the architecture and their access privilege
depends on their Identity credentials.
Access requesters include endpoint devices such PCs, laptops, mobile phones, printers, cameras,
and MACsec-capable IP phones.
Policy Decision Point (PDP)—A policy decision point is responsible for making access control
decisions. The PDP provides features such as 802.1x, MAB, and web authentication. The PDP
supports authorization and enforcement through VLAN, DACL, and security group access
(SGACL/SXP/SGT).
In the Cisco TrustSec feature, the Cisco Identity Services Engine (ISE) acts as the PDP. The Cisco
ISE provides identity and access control policy functionality.
Policy Information Point (PIP)—A policy information point is a source that provides external
information (for example, reputation, location, and LDAP attributes) to policy decision points.
Policy information points include devices such as Session Directory, Sensor IPS, and
Communication Manager.
Policy Administration Point (PAP)—A policy administration point defines and inserts policies into
the authorization system. The PAP acts as an identity repository by providing Cisco TrustSec
tag-to-user identity mapping and Cisco TrustSec tag-to-server resource mapping.
In the Cisco TrustSec feature, the Cisco Secure Access Control System (a policy server with
integrated 802.1x and SGT support) acts as the PAP.
Policy Enforcement Point (PEP)—A policy enforcement point is the entity that carries out the
decisions (policy rules and actions) made by the PDP for each AR. PEP devices learn identity
information through the primary communication path that exists across networks. PEP devices learn
the identity attributes of each AR from many sources, such as endpoint agents, authorization servers,
peer enforcement devices, and network flows. In turn, PEP devices use SXP to propagate IP-SGT
mapping to mutually trusted peer devices across the network.
Policy enforcement points include network devices such as Catalyst switches, routers, firewalls
(specifically the ASA), servers, VPN devices, and SAN devices.
User group and resource are defined and enforced using single object (SGT) simplified policy
management.
Cisco ASA Series Firewall CLI Configuration Guide
About Cisco TrustSec
6-3
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
