Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
421
Views
3
Helpful
6
Replies

Enforcing TrustSec Configuration changes to ASA by CoA. Supported?

Go to solution
rezaalikhani
Spotlight
Spotlight

‎08-26-2024 09:24 PM

Hi all;

Based on Cisco's published documents, everywhere Cisco explains about configuring TrustSec settings for ASA in ISE, the documents omit the CoA configuration. For example:

1000.png

Does Cisco ASA support pushing TrustSec configuration from ISE side?

Thanks 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to rezaalikhani

‎08-29-2024 01:15 AM

Hi@rezaalikhani I believe CoA is only supported on the ASA for posture and not TrustSec integration. The guide above was for the latest version 9.20, so if that does not state CoA is supported it probably is not. The release notes for all ASA versions seem to confirm that also.

https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

 

View solution in original post

6 Replies 6

Go to solution
Rob Ingram
VIP
VIP

‎08-26-2024 11:04 PM - edited ‎08-27-2024 05:05 AM

@rezaalikhani you need to manually import a PAC file to the ASA, generated from ISE. With the PAC file installed the ASA a secure connection to ISE is established to download the TrustSec data. The IP/SGT bindings must be exchanged using SXP.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa920/configuration/firewall/asa-920-firewall-config/access-trustsec.html

https://integratingit.wordpress.com/2019/01/26/cisco-trustsec-on-asa-firewall/

 

Go to solution
rezaalikhani
Spotlight
Spotlight
In response to Rob Ingram

‎08-29-2024 12:50 AM

Hi @Rob Ingram. Although Cisco does not officially mention (based on your first link you have provided) supportability of RADIUS Cisco AVP's CTS Request push from ISE to ASA, but, based on testing this situation in my lab, the following event occurs after ISE pushes CoA to ASA:

rezaalikhani_0-1724917330706.png

From ASA perspective:

rezaalikhani_1-1724917433019.png

As you can see above, although ASA has received the CoA Request from ISE (192.168.10.120), it does not respond back. 

 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to rezaalikhani

‎08-29-2024 01:15 AM

Hi@rezaalikhani I believe CoA is only supported on the ASA for posture and not TrustSec integration. The guide above was for the latest version 9.20, so if that does not state CoA is supported it probably is not. The release notes for all ASA versions seem to confirm that also.

https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

 

Go to solution
rezaalikhani
Spotlight
Spotlight
In response to Rob Ingram

‎08-29-2024 01:19 AM

Yes, it is true. My testing proves this...

Thanks

0 Helpful

Go to solution
ahollifield
VIP
VIP

‎08-27-2024 04:57 AM

It's a much better experience to migrate to Firepower and use pxGrid to exchange SGT info instead.  Is there a requirement to still use an ASA?

0 Helpful

Go to solution
rezaalikhani
Spotlight
Spotlight
In response to ahollifield

‎08-29-2024 12:51 AM

Just for learning purpose...

0 Helpful
Customers Also Viewed These Support Documents