Cisco ASA Series Cli Configuration Manual page 907

Chapter 1 Configuring the ASA to Integrate with Cisco TrustSec
Roles in the Cisco TrustSec Solution
To provide identity and policy-based access enforcement, the Cisco TrustSec solution includes the
functionality:
•
•
•
•
•
The ASA serves the role of the PEP in the identity architecture. Using SXP, the ASA learns identity
information directly from authentication points and uses that to enforce identity-based policies.
Security Group Policy Enforcement
Security policy enforcement is based on security group name. An end-point device attempts to access a
resource in the data center. Compared to traditional IP-based policies configured on firewalls,
identity-based policies are configured based on user and device identities. For example, mktg-contractor
is allowed to access mktg-servers; mktg-corp-users are allowed to access mktg-server and corp-servers.
The benefits of this type of deployment include:
•
Access Requestor (AR): Access requestors are end-point devices that request access to protected
resources in the network. They are primary subjects of the architecture and their access privilege
depends on their Identity credentials.
Access requestors include end-point devices such PCs, laptops, mobile phones, printers, cameras,
and MACsec-capable IP phones.
Policy Decision Point (PDP): A policy decision point is responsible for making access control
decisions. The PDP provides features such as 802.1x, MAB, and Web authentication. The PDP
supports authorization and enforcement through VLAN, DACL, and security group access
(SGACL/SXP/SGT).
In the Cisco TrustSec solution, the Cisco Identity Services Engine (ISE) acts as the PDP. The Cisco
ISE provides identity and access control policy functionality.
Policy Information Point (PIP): A policy information point is a source that provides external
information (for example, reputation, location, and LDAP attributes) to policy decision points.
Policy information points include devices such as Session Directory, Sensors IPS, and
Communication Manager.
Policy Administration Point (PAP): A policy administration point defines and inserts policies into
authorization system. The PAP acts as an identity repository, by providing Cisco TrustSec tag to user
identity mapping and Cisco Trustsec tag to server resource mapping.
In the Cisco TrustSec solution, the Cisco Secure Access Control System (a policy server with
integrated 802.1x and SGT support) acts as the PAP.
Policy Enforcement Point (PEP): A policy enforcement point is the entity that carries out the
decisions (policy rules and actions) made by the PDP for each AR. PEP devices learn identity
information through the primary communication path that exists across networks. PEP devices learn
the identity attributes of each AR from many sources, such as end-point agents, authorization
servers, peer-enforcement devices, and network flows. In turn, PEP devices use SXP to propagate
IP-SGT mappings to mutually-trusted peer devices across the network.
Policy enforcement points include network devices such as Catalyst switches, routers, firewalls
(specifically the ASA), servers, VPN devices, and SAN devices.
User group and Resource is defined and enforced using single object (SGT) – simplified policy
management.
Information About the ASA Integrated with Cisco TrustSec
Cisco ASA Series CLI Configuration Guide
1-3