EasyManuals Logo
Home>Cisco>Network Hardware>ASA Series

Cisco ASA Series User Manual

Cisco ASA Series
2164 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #908 background imageLoading...
Page #908 background image
1-4
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring the ASA to Integrate with Cisco TrustSec
Information About the ASA Integrated with Cisco TrustSec
User identity and resource identity are retained throughout the Cisco Trustsec capable switch
infrastructure.
Figure 1-1 Security Group Name Based Policy Enforcement Deployment
Implementing Cisco TrustSec allows for configuration of security policies supporting server
segmentation.
A pool of servers can be assigned an SGT for simplified policy management.
The SGT information is retained within the infrastructure of Cisco Trustsec capable switches.
The ASA can leverage the IP-SGT mapping for policy enforcement across the Cisco TrustSec
domain.
Deployment simplification is possible because 802.1x authorization for servers is mandatory.
How the ASA Enforces Security Group Based Policies
Note User-based security policies and security-group based policies, can coexist on the ASA. Any
combination of network, user-based and security-group based attributes can be configured in an security
policy. See Chapter 1, “Configuring the Identity Firewall” for information about configuring user-based
security policies.
As part of configuring the ASA to function with Cisco TrustSec, you must import a Protected Access
Credential (PAC) file from the ISE. Importing a Protected Access Credential (PAC) File, page 1-13.
Importing the PAC file to the ASA establishes a secure communication channel with the ISE. After the
channel is established, the ASA initiates a PAC secure RADIUS transaction with the ISE and downloads
Cisco TrustSec environment data; specifically, the ASA downloads the security group table. The security
group table maps SGTs to security group names. Security group names are created on the ISE and
provide user-friendly names for security groups.
The first time the ASA downloads the security group table, it walks through all entries in the table and
resolves all the security group names contained in security policies configured on the ASA; then, the
ASA activates those security policies locally. If the ASA is unable to resolve a security group name, it
generates a system log message for the unknown security group name.
The following figure shows how a security policy is enforced in Cisco TrustSec.
ASA
End Points
(Access Requestors)
Access
Switch
Access
Switch
304015
SXP SXP
Mktg servers
Corp servers

Table of Contents

Other manuals for Cisco ASA Series

Preview: Configuration Guide
Configuration Guide428 pages
Preview: Mount And Connect
Mount And Connect12 pages

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the Cisco ASA Series and is the answer not in the manual?

Cisco ASA Series Specifications

General IconGeneral
BrandCisco
ModelASA Series
CategoryNetwork Hardware
LanguageEnglish

Related product manuals