https://community.cisco.com/t5/network-access-control/enforcing-trustsec-configuration-changes-to-asa-by-coa-supported/m-p/5167465#M591515 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>. Although Cisco does not officially mention (based on your first link you have provided) supportability of RADIUS Cisco AVP's <STRONG>CTS Request</STRONG> push from ISE to ASA, but, based on testing this situation in my lab, the following event occurs after ISE pushes CoA to ASA:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rezaalikhani_0-1724917330706.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/227285iCFC359A43C5F6B40/image-size/medium?v=v2&amp;px=400" role="button" title="rezaalikhani_0-1724917330706.png" alt="rezaalikhani_0-1724917330706.png" /></span></P><P>From ASA perspective:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rezaalikhani_1-1724917433019.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/227286i7DA04CC0CC37725B/image-size/large?v=v2&amp;px=999" role="button" title="rezaalikhani_1-1724917433019.png" alt="rezaalikhani_1-1724917433019.png" /></span></P><P>As you can see above, although ASA has received the <STRONG>CoA Request</STRONG> from ISE (192.168.10.120), it does not respond back.&nbsp;</P><P>&nbsp;</P> Thu, 29 Aug 2024 07:50:59 GMT rezaalikhani 2024-08-29T07:50:59Z https://community.cisco.com/t5/network-access-control/enforcing-trustsec-configuration-changes-to-asa-by-coa-supported/m-p/5166246#M591416 <P>Hi all;</P><P>Based on Cisco's published documents, everywhere Cisco explains about configuring TrustSec settings for ASA in ISE, the documents omit the CoA configuration. For example:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1000.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/227108iC4AA67416724A935/image-size/large?v=v2&amp;px=999" role="button" title="1000.png" alt="1000.png" /></span></P><P>Does Cisco ASA support pushing TrustSec configuration from ISE side?</P><P>Thanks&nbsp;</P> Tue, 27 Aug 2024 04:24:06 GMT https://community.cisco.com/t5/network-access-control/enforcing-trustsec-configuration-changes-to-asa-by-coa-supported/m-p/5166246#M591416 rezaalikhani 2024-08-27T04:24:06Z https://community.cisco.com/t5/network-access-control/enforcing-trustsec-configuration-changes-to-asa-by-coa-supported/m-p/5166270#M591420 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/146869">@rezaalikhani</a> you need to manually import a PAC file to the ASA, generated from ISE. With the PAC file installed the ASA a secure connection to ISE is established to download the TrustSec data. The IP/SGT bindings must be exchanged using SXP.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa920/configuration/firewall/asa-920-firewall-config/access-trustsec.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/security/asa/asa920/configuration/firewall/asa-920-firewall-config/access-trustsec.html</A></P> <P><A href="https://integratingit.wordpress.com/2019/01/26/cisco-trustsec-on-asa-firewall/" target="_blank" rel="noopener">https://integratingit.wordpress.com/2019/01/26/cisco-trustsec-on-asa-firewall/</A></P> <P>&nbsp;</P> Tue, 27 Aug 2024 12:05:32 GMT https://community.cisco.com/t5/network-access-control/enforcing-trustsec-configuration-changes-to-asa-by-coa-supported/m-p/5166270#M591420 Rob Ingram 2024-08-27T12:05:32Z https://community.cisco.com/t5/network-access-control/enforcing-trustsec-configuration-changes-to-asa-by-coa-supported/m-p/5166465#M591430 <P>It's a much better experience to migrate to Firepower and use pxGrid to exchange SGT info instead.&nbsp; Is there a requirement to still use an ASA?</P> Tue, 27 Aug 2024 11:57:11 GMT https://community.cisco.com/t5/network-access-control/enforcing-trustsec-configuration-changes-to-asa-by-coa-supported/m-p/5166465#M591430 ahollifield 2024-08-27T11:57:11Z https://community.cisco.com/t5/network-access-control/enforcing-trustsec-configuration-changes-to-asa-by-coa-supported/m-p/5167465#M591515 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>. Although Cisco does not officially mention (based on your first link you have provided) supportability of RADIUS Cisco AVP's <STRONG>CTS Request</STRONG> push from ISE to ASA, but, based on testing this situation in my lab, the following event occurs after ISE pushes CoA to ASA:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rezaalikhani_0-1724917330706.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/227285iCFC359A43C5F6B40/image-size/medium?v=v2&amp;px=400" role="button" title="rezaalikhani_0-1724917330706.png" alt="rezaalikhani_0-1724917330706.png" /></span></P><P>From ASA perspective:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rezaalikhani_1-1724917433019.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/227286i7DA04CC0CC37725B/image-size/large?v=v2&amp;px=999" role="button" title="rezaalikhani_1-1724917433019.png" alt="rezaalikhani_1-1724917433019.png" /></span></P><P>As you can see above, although ASA has received the <STRONG>CoA Request</STRONG> from ISE (192.168.10.120), it does not respond back.&nbsp;</P><P>&nbsp;</P> Thu, 29 Aug 2024 07:50:59 GMT https://community.cisco.com/t5/network-access-control/enforcing-trustsec-configuration-changes-to-asa-by-coa-supported/m-p/5167465#M591515 rezaalikhani 2024-08-29T07:50:59Z https://community.cisco.com/t5/network-access-control/enforcing-trustsec-configuration-changes-to-asa-by-coa-supported/m-p/5167467#M591516 <P>Just for learning purpose...</P> Thu, 29 Aug 2024 07:51:55 GMT https://community.cisco.com/t5/network-access-control/enforcing-trustsec-configuration-changes-to-asa-by-coa-supported/m-p/5167467#M591516 rezaalikhani 2024-08-29T07:51:55Z https://community.cisco.com/t5/network-access-control/enforcing-trustsec-configuration-changes-to-asa-by-coa-supported/m-p/5167487#M591520 <P>Hi<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/146869">@rezaalikhani</a> I believe CoA is only supported on the ASA for posture and not TrustSec integration. The guide above was for the latest version 9.20, so if that does not state CoA is supported it probably is not. The release notes for all ASA versions seem to confirm that also.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html</A></P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html</A></P> <P>&nbsp;</P> Thu, 29 Aug 2024 08:15:00 GMT https://community.cisco.com/t5/network-access-control/enforcing-trustsec-configuration-changes-to-asa-by-coa-supported/m-p/5167487#M591520 Rob Ingram 2024-08-29T08:15:00Z https://community.cisco.com/t5/network-access-control/enforcing-trustsec-configuration-changes-to-asa-by-coa-supported/m-p/5167494#M591522 <P>Yes, it is true. My testing proves this...</P><P>Thanks</P> Thu, 29 Aug 2024 08:19:22 GMT https://community.cisco.com/t5/network-access-control/enforcing-trustsec-configuration-changes-to-asa-by-coa-supported/m-p/5167494#M591522 rezaalikhani 2024-08-29T08:19:22Z