14-7
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter14 Managing TrustSec Firewall Policies
Configuring TrustSec Firewall Policies
6. Specify a device name, device ID, password, and a download interval for the ASA. See the ISE
documentation for the details to perform these tasks.
Creating a Security Group on the ISE
When configuring the ASA to communicate with the ISE, you specify a AAA server. When configuring
the AAA server on the ASA, you must specify a server group.
The security group must be configured to use the RADIUS protocol.
1. Log into the ISE.
2. Choose Policy > Policy Elements > Results > Security Group Access > Security Group.
3. Add a security group for the ASA. (Security groups are global and not ASA specific.)
The ISE creates an entry under Security Groups with a tag.
4. Under the Security Group Access section, configure a device ID credentials and password for the
ASA.
Generating the PAC
Before generating the PAC file, you must have registered the ASA with the ISE.
1. Log into the ISE.
2. Choose Administration > Network Resources > Network Devices.
3. From the list of devices, select the ASA device.
4. Under the Security Group Access (SGA), click Generate PAC.
5. To encrypt the PAC file, enter a password.
The password (or encryption key) you enter to encrypt the PAC file is independent of the password
that was configured on the ISE as part of the device credentials.
The ISE generates the PAC file. The ASA can import the PAC from flash or from a remote server via
TFTP, FTP, HTTP, HTTPS, or SMB. (The PAC does not have to reside on the ASA flash before you can
import it.)
Configuring TrustSec Firewall Policies
Security group awareness is integrated into several existing firewall rules; there is no unique TrustSec
firewall policy. Additionally, supporting tools have been updated to work on TrustSec firewall policies.
For example, you can search for rules that include a specific Security Group using the Find and Replace
tool.
The topics in this section explain the various procedures for integrating security group awareness into
firewall policies.
This section contains the following topics:
Configuring Cisco TrustSec Services, page 14-8
Creating Security Group Objects, page 14-12
Selecting Security Groups in Policies, page 14-13
Configuring TrustSec-Based Firewall Rules, page14-13