Cisco ASA Series Cli Configuration Manual page 917
Software version 9.0 for the services module
Hide thumbs
Also See for ASA Series:
- Configuration manual (429 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Chapter 1
Configuring the ASA to Integrate with Cisco TrustSec
Examples
The following example shows how to configure the ASA to communicate with the ISE server for Cisco
TrustSec integration:
hostname(config)# aaa-server ISEserver protocol radius
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server ISEserver (inside) host 192.0.2.1
hostname(config-aaa-server-host)# key myexclusivemumblekey
hostname(config-aaa-server-host)# exit
hostname(config)# cts server-group ISEserver
Importing a Protected Access Credential (PAC) File
Importing the PAC file to the ASA establishes the connection with the ISE. After the channel is
established, the ASA initiates a secure RADIUS transaction with the ISE and downloads Cisco TrustSec
environment data; specifically, the ASA downloads the security group table. The security group table
maps SGTs to security group names. Security group names are created on the ISE and provide
user-friendly names for security groups.
More specifically, no channel is established prior to the radius transaction. The ASA simply initiates a
radius transaction with the ISE using the PAC for authentication
Tip
The PAC file contains a shared key that allows the ASA and ISE to secure the RADIUS transactions that
occur between them. Given the sensitive nature of this key, it must be stored securely on the ASA.
After successfully importing the file, the ASA download Cisco TrustSec environment data from the ISE
without requiring the device password configured in the ISE.
Prerequisites
•
•
•
•
Restrictions
•
•
The ASA must be configured as a recognized Cisco TrustSec network device in the ISE before the
ASA can generate a PAC file. The ASA can import any PAC file but it will only work on the ASA
when the file was generated by a properly configured ISE. See
page
1-8.
Obtain the password used to encrypt the PAC file when generating it on the ISE.
The ASA requires this password to import and decrypt the PAC file.
Access to the PAC file generated by the ISE. The ASA can import the PAC from flash or from a
remote server via TFTP, FTP, HTTP, HTTPS, or SMB. (The PAC does not have to reside on the ASA
flash before you can import it.)
The server group has been configured for the ASA.
When the ASA is part of an HA configuration, you must import the PAC file to the primary ASA
device.
When the ASA is part of a clustering configuration, you must import the PAC to the master device.
Configuring the ASA for Cisco TrustSec Integration
Registering the ASA with the ISE,
Cisco ASA Series CLI Configuration Guide
1-13
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
