Cisco TrustSec on ASA Firewall

In a previous post Cisco TrustSec was discussed and enforcement implemented on Cisco CSR1000v router using Cisco ISE to dynamically classify the traffic. In this post we will implement enforcement on a Cisco ASA Firewall. Unlike a Cisco switch or router when configuring TrustSec enforcement, when using the ASA as the enforcement point the TrustSec matrix on ISE is not utilised. Instead the ASA downloads the CTS environment data (SGTs), these are defined in a normal ASA access list as the source and destination.

The advantage of using an ASA Firewall for TrustSec enforcement over a Cisco switch or router is that the ASA firewall rules are stateful, unlike the ACLs on a switch or router which are not stateful.

In this blog post we will setup a simple lab, using ISE and ASAv. ISE will be configured with TrustSec SGTs’, SXP and a basic Authorization Policy. Secure communication between the ASA and ISE will be established by the use of a PAC file (Protected Access Credential). The ASA will use this secure channel to authenticate and establish a radius connection to ISE to download the CTS environment data, which contains the SGT table. An SXP connection between ISE and ASA will be established to transfer the static SXP bindings (the servers in the DC) and the dynamically assigned bindings for the authenticated users.

Basic configuration of ISE is not covered in this post. The posts below describe in greater detail configuration of ISE and TrustSec:-

Initial Cisco ISE Configuration – Basic configuration ISE
Configured Wired 802.1x/MAB authentication with Cisco ISE – Configuring dot1x authentication on ISE
Cisco TrustSec Enforcement using Cisco ISE – ISE configuration and enforcement on a Cisco CSR1000v router

Continue reading “Cisco TrustSec on ASA Firewall”


Cisco ISE pxGrid integration with Firepower

Cisco ISE and Firepower can exchange attributes such as TrustSec SGT (Security Group Tag), endpoint profile information and IP address via pxGrid. These attributes can then be used in Firepower Access Control Policies to permit/deny access as required. In addition, this integration can also be used to quarantine users/hosts in the event the user performs a malicious activity. When Firepower detects the malicious activity this will match a correlation rule on the FMC, which instructs ISE to perform a remediation action such as sending a CoA (Change of Authorization) and quarantining the user by apply a DACL and/or applying a new SGT.

This post will describe how to configure the pxGrid integration between the FMC and ISE, it is assume that you already have a working ISE environment with users/computers authenticating using dot1x and a working Firepower FMC/FTD environment.

Refer to these previous ISE posts on how to configure ISE, dot1x authentication and more information about configuring TrustSec.

The following software versions were used:-

  • Firepower Management Centre
  • Firepower Threat Defence Virtual
  • Identity Services Engine 2.4
  • Windows Server 2008 R2 (Domain Controller and PKI)
  • Windows 7 Enterprise

Continue reading “Cisco ISE pxGrid integration with Firepower”

Cisco TrustSec Enforcement using Cisco ISE

Cisco TrustSec can be used to segment a network, it classifies traffic and assigns Security Group Tags (SGTs), these tags can be used to enforce (permit/deny traffic at any point in the network.

Classification of traffic can be performed dynamically by ISE depending on the users’ group membership, device type or health (posture) of the computer at time of authentication to the network. The SGTs are propagated throughout the network using 2 methods, inline tagging or SXP. Enforcement can be performed anywhere in the network on Cisco switches, routers, firewalls using a TrustSec Policy which can permit/deny traffic based on source/destination SGT.

In this blog post we will setup a simple lab, with an Access Layer Switch (Cisco Catalyst 3560) and an Enforcement Point (CSR1000v Router). Users will authenticate to the network using 802.1x with Cisco ISE (v2.4) as the RADIUS server, this will authorise the user and assign an SGT depending on AD group membership. This SGT will be downloaded to the Access Layer Switch, in turn using SXP, the switch will send the SGT binding to the Enforcement Point router. These SGTs will be used in a TrustSec Policy as the source.

The Servers will be manually classified using IP SGT Mappings on ISE and sent to the Enforcement Point using SXP, this SGT will be used in a TrustSec Policy as the destination.

A TrustSec Policy will be defined on ISE and downloaded to the Enforcement Point, and permit/deny traffic to the servers from Users’ SGT.

Continue reading “Cisco TrustSec Enforcement using Cisco ISE”