1-13
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring the ASA to Integrate with Cisco TrustSec
Configuring the ASA for Cisco TrustSec Integration
Examples
The following example shows how to configure the ASA to communicate with the ISE server for Cisco
TrustSec integration:
hostname(config)# aaa-server ISEserver protocol radius
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server ISEserver (inside) host 192.0.2.1
hostname(config-aaa-server-host)# key myexclusivemumblekey
hostname(config-aaa-server-host)# exit
hostname(config)# cts server-group ISEserver
Importing a Protected Access Credential (PAC) File
Importing the PAC file to the ASA establishes the connection with the ISE. After the channel is
established, the ASA initiates a secure RADIUS transaction with the ISE and downloads Cisco TrustSec
environment data; specifically, the ASA downloads the security group table. The security group table
maps SGTs to security group names. Security group names are created on the ISE and provide
user-friendly names for security groups.
More specifically, no channel is established prior to the radius transaction. The ASA simply initiates a
radius transaction with the ISE using the PAC for authentication
Tip The PAC file contains a shared key that allows the ASA and ISE to secure the RADIUS transactions that
occur between them. Given the sensitive nature of this key, it must be stored securely on the ASA.
After successfully importing the file, the ASA download Cisco TrustSec environment data from the ISE
without requiring the device password configured in the ISE.
Prerequisites
• The ASA must be configured as a recognized Cisco TrustSec network device in the ISE before the
ASA can generate a PAC file. The ASA can import any PAC file but it will only work on the ASA
when the file was generated by a properly configured ISE. See Registering the ASA with the ISE,
page 1-8.
• Obtain the password used to encrypt the PAC file when generating it on the ISE.
The ASA requires this password to import and decrypt the PAC file.
• Access to the PAC file generated by the ISE. The ASA can import the PAC from flash or from a
remote server via TFTP, FTP, HTTP, HTTPS, or SMB. (The PAC does not have to reside on the ASA
flash before you can import it.)
• The server group has been configured for the ASA.
Restrictions
• When the ASA is part of an HA configuration, you must import the PAC file to the primary ASA
device.
• When the ASA is part of a clustering configuration, you must import the PAC to the master device.
To Next Page
Loading...
Need help?
General