
Enforcing TrustSec Configuration changes to ASA by CoA. Supported?

rezaalikhani

Hi all;

Based on Cisco's published documents, everywhere Cisco explains how to configure TrustSec settings for the ASA in ISE, the documents omit the CoA configuration. For example:

[screenshot: 1000.png]

Does Cisco ASA support pushing TrustSec configuration from ISE side?

Thanks 


6 Replies

@rezaalikhani you need to manually import a PAC file to the ASA, generated from ISE. With the PAC file installed on the ASA, a secure connection to ISE is established to download the TrustSec data. The IP/SGT bindings must be exchanged using SXP.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa920/configuration/firewall/asa-920-firewall-config/access-trustsec.html

https://integratingit.wordpress.com/2019/01/26/cisco-trustsec-on-asa-firewall/

 

Hi @Rob Ingram. Although Cisco does not officially mention (based on the first link you provided) support for the RADIUS Cisco AVP CTS Request push from ISE to the ASA, based on testing this situation in my lab, the following event occurs after ISE pushes a CoA to the ASA:

[screenshot: rezaalikhani_0-1724917330706.png]

From the ASA's perspective:

[screenshot: rezaalikhani_1-1724917433019.png]

As you can see above, although the ASA has received the CoA Request from ISE (192.168.10.120), it does not respond.
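One way to confirm from a packet capture what the screenshots above show (the CoA-Request reaches the ASA, but no CoA-ACK or CoA-NAK comes back) is to pair each request with an authenticated reply. This is an added example, not code from the thread or from Cisco: it builds RFC 5176 CoA packets from constructed data, checks each reply's Response Authenticator against the shared secret, and lists the request IDs that were never acknowledged. The shared secret, MAC addresses and identifiers are made up; real captured UDP payloads would take the place of the constructed packets.

```python
import hashlib
import struct

def build_packet(code, ident, authenticator, attrs):
    """Serialise header (code, id, length), the 16-byte authenticator and TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        alen = data[pos + 1] if pos + 2 <= length else 0  # 0 fails the check below
        if alen < 2 or pos + alen > length:
            raise ValueError("truncated or malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "auth": data[4:20], "attrs": attrs}

def coa_request(ident, attrs, secret):
    # RFC 5176 2.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    unsigned = build_packet(43, ident, bytes(16), attrs)
    return build_packet(43, ident, hashlib.md5(unsigned + secret).digest(), attrs)

def coa_response(code, request, attrs, secret):
    # Response Authenticator = MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)
    seed = build_packet(code, request["id"], request["auth"], attrs)
    return build_packet(code, request["id"], hashlib.md5(seed + secret).digest(), attrs)

def unanswered(packets, secret):
    """IDs of CoA-Requests (code 43) with no correctly authenticated CoA-ACK (44) or CoA-NAK (45)."""
    pending = {}
    for p in map(parse_packet, packets):
        if p["code"] == 43:
            pending[p["id"]] = p
        elif p["code"] in (44, 45) and p["id"] in pending:
            expected = coa_response(p["code"], pending[p["id"]], p["attrs"], secret)
            if parse_packet(expected)["auth"] == p["auth"]:  # reject unsigned or forged replies
                del pending[p["id"]]
    return sorted(pending)

SECRET = b"constructed-shared-secret"  # constructed sample value, not a real key
# Constructed exchange: two CoA-Requests, a valid ACK for id 7, an unauthenticated NAK for id 8.
REQ7 = coa_request(7, [(31, b"00-11-22-33-44-55")], SECRET)  # 31 = Calling-Station-Id
REQ8 = coa_request(8, [(31, b"00-11-22-33-44-66")], SECRET)
ACK7 = coa_response(44, parse_packet(REQ7), [], SECRET)
BAD_NAK8 = build_packet(45, 8, bytes(16), [])  # authenticator not derived from the secret
CAPTURE = [REQ7, ACK7, REQ8, BAD_NAK8]  # unanswered(CAPTURE, SECRET) -> [8]
```

A reply whose authenticator does not verify with the configured secret is treated as no reply, so a mismatched shared secret shows up the same way as a silent NAD.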

 

Hi @rezaalikhani I believe CoA is only supported on the ASA for posture and not TrustSec integration. The guide above was for the latest version 9.20, so if that does not state CoA is supported it probably is not. The release notes for all ASA versions seem to confirm that also.

https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

 

Yes, it is true. My testing proves this...

Thanks

It's a much better experience to migrate to Firepower and use pxGrid to exchange SGT info instead. Is there a requirement to still use an ASA?

Just for learning purposes...