
Lab 18: TrustSec Security Group Access

Lab Overview
In this lab, you will work with integrating the HQ-ASA and the L3-Switch with the ISE server to implement Security
Group Access as part of the TrustSec implementation.

Estimated Completion Time

60 minutes

Lab Procedures
• Configure ISE for ASA TrustSec Integration

• Configure TrustSec on the ASA

• Test Remote Access VPN

• Configure TrustSec on the L3-Switch

• Configure Security Group Host Mappings on ISE

• Configure a Security Group ACL on ISE

• Configure ASA to Impose Layer 2 SGTs

Perform Only If You Have Done a Reset

If you have performed a reset of this lab or are using the Global Knowledge e-Labs (meaning that you are
accessing the system after you have attended the 5-day course), you will need to prepare or verify the
environment. Perform the following:

Access the module in the lab guide titled Post Reset and follow the directions there.

Task 1: Configure ISE for ASA TrustSec Integration

In this task, you will work with ISE and the TrustSec Work Center. All TrustSec-related options are consolidated
under the TrustSec Work Center menu so that you can easily access all the TrustSec options at one location.

1. Prepare ISE for TrustSec.

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L18.htm 20/09/2017

1.1. On the Admin-PC, open Firefox and, using the ISE bookmark, log in as admin/admin$Pwd.

1.2. In the ISE GUI, navigate to Administration > Deployment and click ise.

1.3. Enable the SXP Service on ISE and save the config.

1.4. Access the ISE CLI and issue the command show application status ise to verify that the SXP Engine Service
has started.

Note: It will take some time before the service shows as running.

ise/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          3631
Database Server                        running          69 PROCESSES
Application Server                     running          9199
Profiler Database                      running          5333
ISE Indexing Engine                    running          11815
AD Connector                           running          12763
M&T Session Database                   running          3009
M&T Log Collector                      running          9752
M&T Log Processor                      running          9592
Certificate Authority Service          running          9428
EST Service                            running          26485
SXP Engine Service                     running          8905
TC-NAC Docker Service                  disabled
TC-NAC MongoDB Container               disabled
TC-NAC RabbitMQ Container              disabled
TC-NAC Core Engine Container           disabled
VA Database                            disabled
VA Service                             disabled
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
PassiveID Service                      disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled

1.5. Navigate to Work Centers > TrustSec > Components > Trustsec AAA Servers, where you should see that the
ise server is already a Trustsec AAA Server.

1.6. Navigate to Work Centers > TrustSec > Settings > General Trustsec Settings.

Note: Protected Access Credentials (PACs) are necessary when configuring Network Devices to communicate
with ISE. The PAC lifetime defaults to 90 days, with a maximum of 5 years. In addition, ISE will assign the SGT
numbers (as you will see). You won't be using the option to automatically create security groups.

1.7. In the left frame, click TrustSec Matrix Settings.

Note: This governs the look and feel of Security Group Access Control Matrices.

1.8. In the left frame, click ACI Settings.

Note: These settings pertain to TrustSec-ACI Integration: Cisco ISE allows you to synchronize SGTs and SXP
mappings with the Internal Endpoint Groups (IEPGs), External Endpoint Groups (EEPGs), and endpoint (EP)
configuration of Cisco Application Centric Infrastructure (ACI). You will not use this feature here.

1.9. In the left frame, click SXP Settings and configure as follows.

◾ Global Password: gklabs

Note: The timers associated with SXP connections can be configured here.

1.10. Leave all other fields as is and click Save, then click Yes to the message about SXP restarting.

2. Configure SXP on ISE.

2.1. Navigate to Work Centers > TrustSec > SXP (accept any messages that may pop up).

2.2. Click Add and fill in as follows:

Attribute        Value
Name             L3-Switch
IP Address       10.10.2.1
Peer Role        Listener
Connected PSNs   ise
SXP Domain       default
Status           Enabled
Password Type    DEFAULT

2.3. Click Save.

Note: The Status will show as PENDING_ON. You will revisit SXP later in the lab after configuring the Network
Devices.

3. Configure the HQ-ASA in ISE.

3.1. In the ISE GUI, navigate to Work Centers > TrustSec > Components > Network Devices, edit the HQ-ASA,
and fill in the parameters as follows:

Advanced TrustSec Settings

Attribute                                                                Value
Device Authentication Settings
  Use Device ID for TrustSec                                             enabled
  Password                                                               sharedsecret (use the Show option to verify)
TrustSec Notifications and Updates
  Send configuration changes to device                                   Using CoA
Device Configuration Deployment
  Include this device when deploying Security Group Tag Mapping Updates  enabled
  Exec Mode Username                                                     ise (use the Show option to verify)
  Exec Mode Password                                                     ise (use the Show option to verify)
  Enable Mode Password                                                   san-fran (use the Show option to verify)

3.1.1. Leave all other fields at their defaults and click Save.

4. Generate the PAC file for the HQ-ASA.

To configure the ASA to function with Cisco TrustSec, you must import a Protected Access Credential (PAC) file
from the ISE server. The ASA requires manual import of a PAC file in order to set up communications between it
and ISE.

4.1. In the ISE GUI, navigate to Work Centers > TrustSec > Components > Network Devices, select the HQ-ASA
and click Generate PAC.

Attribute          Value
Identity           HQ-ASA (can't change)
Encryption Key     gklabskey
PAC Time to Live   2 Months

4.2. Click Generate PAC and click OK to save the file.

Note: The file will be saved to the Downloads directory on the Admin-PC. You will use it later to import on the
HQ-ASA.

5. Configure Security Groups on the ISE server.

5.1. In the ISE GUI, navigate to Work Centers > TrustSec > Components > Security Group. You should see that
ISE is already pre-configured with a number of security groups including Employees and Contractors.

5.2. Click Add and fill in the parameters as follows:

◾ Name: IT

◾ Description: IT Security Group

5.2.1. Click Submit, then verify that the Security Groups (and SGTs) look as follows:

6. Verify the Default Authentication Rule used for ASA VPN Authentication.

6.1. In the ISE GUI, navigate to Policy > Policy Sets > VPN > Authentication Policy.

6.2. In its default configuration, ISE uses the Default Rule (If no match) to authenticate VPN sessions. Verify
that the rule is set to authenticate against All_User_ID_Stores (which includes the Active Directory domain
GKLABS).

7. Configure the Authorization Rules to return the correct Security Groups for IT, Contractors and Employees.

7.1. In the ISE GUI, scroll down to Authorization Policy.

7.2. Scroll down and find the rule titled VPN Compliant and click the pull-down arrow on the right of Edit to
Insert New Rule Above.

7.3. Configure the new rule as follows:

Attribute     Value
Rule Name     Contractor Access
Conditions    GKLABS:ExternalGroups EQUALS gklabs.com/DomainGroups/Contractors
Permissions   PermitAccess AND Contractors (security group)

7.4. Click Done, then click the pull-down arrow on the right of Edit to Duplicate Above and configure the new
rule as follows.

Attribute     Value
Rule Name     Employee Access
Conditions    GKLABS:ExternalGroups EQUALS gklabs.com/DomainGroups/Employees
Permissions   PermitAccess AND Employees (security group)

7.5. Click Done, then click the pull-down arrow on the right of Edit to Duplicate Above and configure the new
rule as follows.

Attribute     Value
Rule Name     IT Access
Conditions    GKLABS:ExternalGroups EQUALS gklabs.com/DomainGroups/IT
Permissions   PermitAccess AND IT (security group)

7.6. The Authorization Policy should look as follows.

Note: It is important to get the order right!

7.7. Once you have verified the three authorization rules match the figure above, click Save to commit your
changes.

8. Configure Wired Authorization to allow for the lab.

8.1. In the left pane, click the Wired Policy Set.

8.2. In the right pane, locate the authorization policy named Basic_Authenticated_Access and edit it as follows.

Attribute     Value
Status        enabled
Rule Name     Basic_Authenticated_Access
Conditions    Network_Access_Authentication_Passed
Permissions   Employee Access

8.3. Click Save.

Task 2: Configure TrustSec on the ASA

In this task, you will import the PAC file you generated earlier. Importing the PAC file to the ASA establishes a
secure communication channel with the ISE server. After the channel is established, the ASA initiates a PAC secure
RADIUS transaction with the ISE server and downloads Cisco TrustSec environment data (that is, the security
group table). The security group table maps SGTs to security group names. Security group names are created on
the ISE server and provide user-friendly names for security groups.

The first time that the ASA downloads the security group table, it walks through all entries in the table and
resolves all the security group names included in security policies that have been configured on it; then, the ASA
activates those security policies locally. If the ASA cannot resolve a security group name, it generates a syslog
message for the unknown security group name.

9. Import the PAC file.

9.1. On the Admin-PC, launch ASDM from the desktop. Connect to hq-asa.gklabs.com as admin/admin$Pwd.

9.2. Navigate to Configuration > Firewall > Identity by TrustSec.

9.3. For Server Group Name, select ISE.

9.4. Click Apply and verify the output before clicking Send.

cts server-group ISE

9.5. Click Import PAC and browse to Downloads and import HQ-ASA.pac.

9.6. In the Import PAC window, enter the password gklabskey twice and then click Import.

9.7. Click OK to the Information window stating that the PAC imported successfully.

Note: When you import the PAC file, the file is converted to ASCII HEX format and sent to the ASA in
non-interactive mode. It may take a minute before the Environment Data is downloaded to the ASA.

10. Verify the Environment Data received from the ISE server.

10.1. In ASDM, navigate to Monitoring > Properties > Identity by TrustSec > PAC. You should see PAC
information similar to the following:

10.2. In ASDM, navigate to Monitoring > Properties > Identity by TrustSec > Environment Data. You should
have received the Security Group Table from the ISE server.

10.3. Verify that in Monitoring > Properties > Identity by TrustSec, the IP Mappings Table and SXP Connections
are empty.

10.4. Access the HQ-ASA CLI and issue the commands to configure SXP.

Tip: There is a file on the Admin-PC at Desktop\ISE\HQ-ASA\SXP.txt. You can copy and paste the commands
from there if you prefer.

Do NOT save the changes to startup-config as you will reload the device at the end of the lab in preparation for
the next lab.

conf t
cts sxp enable
cts sxp connection peer 10.10.0.2 source 10.10.0.1 password default mode local listener
cts sxp default password 0 gklabs
end

10.5. Issue the command to check status of SXP connections.

HQ-ASA# show cts sxp connections

SXP : Enabled
Highest version : 2
Default password : Set
Default local IP : Not Set
Reconcile period : 120 secs
Retry open period : 120 secs
Retry open timer : Running
Total number of SXP connections: 1
Total number of SXP connections shown: 1
-----------------------------------------------------------
Peer IP : L3-Switch
Source IP : 10.10.0.1
Conn status : Off
Conn version : 2
Local mode : Listener
Ins number : 1
TCP conn password : Default
Reconciliation timer : Not Running
Delete hold down timer : Not Running
Duration since last state change: 0:00:00:17 (dd:hr:mm:sec)

Note: You will configure SXP on the L3-Switch later in the lab. The L3-Switch will be an SXP Listener when
connecting to ISE and a Speaker when connecting to the ASA.

Task 3: Test Remote Access VPN

In this task, you will verify that SSL VPN works from the Remote-PC while using ISE for AAA authentication. You will
see that the VPN sessions will be assigned the correct SGTs based on the identity of the user.

11. Test Remote Access VPN.

11.1. Access the console of the L3-Switch and issue the following command to configure interface g0/3 in open
mode.

Note: This will allow open access to User-PC2 (used in this lab as the Restricted Server).

conf t
int g0/3
shut
no ip access-group in
no shut
end

11.2. Log on to User-PC2 as admin/admin$Pwd.

11.3. Verify that the IP address is 10.10.10.200 (ipconfig) and that you have Internet access (www.cisco.com).

Note: If the IP address is something other than 10.10.10.200, take note of it and use that address where you see
reference to 10.10.10.200 further in the lab.

11.4. Access the desktop of the Remote-PC as admin/admin$Pwd.

11.5. In the system tray, launch the AnyConnect VPN client.

11.6. Connect to vpn.gklabs.com.

11.7. Log in as it1/gklabs; this should succeed.

11.8. In the System Tray, click the AnyConnect icon to make the Mobility Client reappear, and verify the IP address
assigned to the remote access client by clicking the gear in the lower left corner of the client window.

11.9. On the Remote-PC, open Firefox and browse to 10.10.1.25 (data-srv.gklabs.com) and 10.10.10.200 (User-PC2);
these should succeed.

11.10. Access the Admin-PC.

11.11. In ASDM, click Refresh Now to update the config and then navigate to Monitoring > Properties > Identity
by TrustSec > IP Mappings.

11.12. You should see the Security Group IP Mapping Table now has an entry for the IP address of the VPN client
and the Tag should match the tag associated with IT.

11.13. Return to the Remote-PC and disconnect the VPN session.

11.14. Repeat the previous steps to verify that remote access VPN works from the Remote-PC for users
employee1/gklabs and contractor1/gklabs. Make sure to verify that they both have access to the three
internal web pages and that their appropriate Security Group Mappings appear. They should appear
similar to what is shown below.

Note: All three VPN users have access to all internal servers. You will configure SGACLs to block contractors from
accessing the Restricted Server.

Task 4: Configure TrustSec on the L3-Switch

12. Configure the L3-Switch in ISE.

12.1. Return to the Admin-PC.

12.2. In the ISE GUI, navigate to Work Centers > TrustSec > Components > Network Devices, edit the L3-Switch,
and fill in the parameters as follows:

Advanced TrustSec Settings

Attribute                                                                Value
Device Authentication Settings
  Use Device ID for TrustSec                                             enabled
  Password                                                               sharedsecret (use the Show option to verify)
TrustSec Notifications and Updates
  Send configuration changes to device                                   Using CoA
Device Configuration Deployment
  Include this device when deploying Security Group Tag Mapping Updates  enabled
  Exec Mode Username                                                     ise (use the Show option to verify)
  Exec Mode Password                                                     ise (use the Show option to verify)
  Enable Mode Password                                                   san-fran (use the Show option to verify)

12.2.1. Leave all other fields at their defaults and click Save.

Note: Unlike the ASA, the L3-Switch doesn't need you to generate a PAC file. With switches, the PAC file is
automatically generated and read in by the switch on the next query.

13. Configure and verify the communication between ISE and the L3-Switch.

13.1. Access the L3-Switch CLI and issue the commands to configure TrustSec.

Tip: There is a file on the Admin-PC at Desktop\ISE\L3-Switch\TrustSec.txt. You can copy and paste the
commands from there if you prefer.

Do NOT save the changes to startup-config as you will reload the switch at the end of the lab in preparation for
the next lab.

conf t
! configuration to allow communication to ise including auto pac generation
radius server ISE-PRIMARY
 address ipv4 10.10.2.50 auth-port 1812 acct-port 1813
 automate-tester username ISE_HEALTH ignore-acct-port
 key sharedsecret
 pac key sharedsecret
!
! CTS configuration and provisioning
aaa authorization network ise group radius
cts authorization list ise
!
! enforcement is enabled both for Layer 3 and Layer 2 (only vlan 7):
cts role-based enforcement
cts role-based enforcement vlan-list 7
!
! To provision the PAC automatically
end
cts credentials id L3-Switch password sharedsecret

! configure SXP peers where ISE is the Speaker peer (L3-Switch is Listener)
! and the ASA is the Listener peer (L3-Switch is Speaker)
conf t
cts sxp enable
cts sxp default password 0 gklabs
cts sxp connection peer 10.10.2.50 source 10.10.2.1 password default mode peer speaker
cts sxp connection peer 10.10.0.1 source 10.10.0.2 password default mode peer listener
!
! Enable cts on the interface to the ASA
interface GigabitEthernet0/10
 cts manual
  policy static sgt 333 trusted
end

Note: The last set of commands imposes tagging on G0/10 which connects to the HQ-ASA. Until we configure the
HQ-ASA to also impose tags, communication through that interface will not work. Any existing vty connections
from the Admin-PC to the HQ-ASA will no longer work. Additional configuration will need to be done from the
console port of the ASA to remedy this situation.

13.2. After configuring the L3-Switch, enter the commands to verify the PACs.

L3-Switch#show cts pacs

AID: 3C61B3991EF3095A7834F42476A50BEB
PAC-Info:
  PAC-type = Cisco Trustsec
  AID: 3C61B3991EF3095A7834F42476A50BEB
  I-ID: L3-Switch
  A-ID-Info: Identity Services Engine
  Credential Lifetime: 16:24:08 UTC Feb 15 2017
PAC-Opaque:
  000200B800030001000400103C61B3991EF3095A7834F42476A50BEB0006009C00030100B29496863AC2A958E72809877B1729A70000
Refresh timer is set for 12w4d

Note: Wait about 60 seconds and then issue the command to verify environment data.

L3-Switch#show cts environment-data

CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 0-00:Unknown
Server List Info:
Installed list: CTSServerList1-0001, 1 server(s):
 *Server: 10.10.2.50, port 1812, A-ID 3C61B3991EF3095A7834F42476A50BEB
  Status = ALIVE
  auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
  0-dc:Unknown
  2-dc:TrustSec_Devices
  3-dc:Network_Services
  4-dc:Employees
  5-dc:Contractors
  6-dc:Guests
  7-dc:Production_Users
  8-dc:Developers
  9-dc:Auditors
  10-dc:Point_of_Sale_Systems
  11-dc:Production_Servers
  12-dc:Development_Servers
  13-dc:Test_Servers
  14-dc:PCI_Servers
  15-dc:BYOD
  16-dc:Admins
  17-dc:IT
  255-dc:Quarantined_Systems
Environment Data Lifetime = 86400 secs
Last update time = 16:25:57 UTC Thu Nov 17 2016
Env-data expires in 0:23:59:23 (dd:hr:mm:sec)
Env-data refreshes in 0:23:59:23 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running

13.3. On the L3-Switch, issue the command to check on SXP Connections.

Note: It may take a couple of minutes, but you should see the SXP connection to ISE change to Conn status of On.
The connection to the HQ-ASA will also be on.

L3-Switch#show cts sxp connections

SXP : Enabled
Highest Version Supported: 4
Default Password : Set
Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not running
----------------------------------------------
Peer IP : 10.10.0.1
Source IP : 10.10.0.2
Conn status : On
Conn version : 2
Local mode : SXP Speaker
Connection inst# : 1
TCP conn fd : 2
TCP conn password: default SXP password
Duration since last state change: 0:00:05:49 (dd:hr:mm:sec)

----------------------------------------------
Peer IP : 10.10.2.50
Source IP : 10.10.2.1
Conn status : On
Conn version : 4
Conn capability : IPv4-IPv6-Subnet
Conn hold time : 120 seconds
Local mode : SXP Listener
Connection inst# : 1
TCP conn fd : 1
TCP conn password: default SXP password
Hold timer is running
Duration since last state change: 0:00:04:23 (dd:hr:mm:sec)

Total num of SXP Connections = 2

Note: The L3-Switch is configured to be an SXP listener with ISE (10.10.2.50) and an SXP speaker with the HQ-ASA
(10.10.0.2). This will allow for SGT mappings to propagate out from ISE to the rest of the SXP domain.

Task 5: Configure Security Group Host Mappings on ISE

In this task, you will configure a static mapping for the User-PC on ISE and deploy it to the L3-Switch.

14. Create a Host mapping on ISE.

14.1. In the ISE GUI, navigate to Work Centers > TrustSec > SXP and verify that the L3-Switch status has changed
to ON.

14.2. Navigate to Work Centers > TrustSec > Components > IP SGT Static Mapping.

14.3. Click Add and fill in as follows.

Attribute            Value
IP Address           10.10.10.200 (Address of the Restricted Server)
SGT                  Test_Servers
Send to SXP Domain   default

14.3.1. Click Save.

15. Verify the host mapping to the L3-Switch.

15.1. On the L3-Switch, issue the command to verify that the mapping has been deployed.

L3-Switch#show cts role-based sgt-map all

Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
10.10.10.200            13      SXP

IP-SGT Active Bindings Summary
============================================
Total number of SXP bindings = 1
Total number of active bindings = 1

Task 6: Configure a Security Group ACL on ISE

In this task, you will configure a Security Group ACL to be used in the Security Group Matrix on ISE and deploy the
Matrix to the L3-Switch.

16. Add a Security Group ACL.

16.1. In the ISE GUI, navigate to Work Centers > TrustSec > Components > Security Group ACLs.

16.2. Click Add and fill in as follows.

Attribute                    Value
Name                         Deny_HTTP
Security Group ACL Content   deny tcp dst eq 80
                             permit ip

16.3. Click Submit.

17. Configure the Egress Policy Matrix.

17.1. Navigate to Work Centers > TrustSec > TrustSec Policy > Matrix.

17.2. Scroll to the right and find the cell where Destination > Test_Servers and Source > Contractors intersect.

17.3. Double-click to edit and select the SGACL Deny_HTTP then click Save.

18. Deploy the configuration.

18.1. In the ISE GUI, click the Deploy button and wait to receive a notification that the task completed
successfully.

18.2. Verify that the policy is now on the L3-Switch by accessing the console and issuing the following
command.

L3-Switch#show cts role-based permissions

IPv4 Role-based permissions default:
Permit IP-00
IPv4 Role-based permissions from group 5:Contractors to group 13:Test_Servers:
Deny_HTTP-10
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE

L3-Switch#show cts rbacl

CTS RBACL Policy
================
RBACL IP Version Supported: IPv4
name = Permit IP-00
IP protocol version = IPV4
refcnt = 2
flag = 0x41000000
stale = FALSE
RBACL ACEs:
permit ip

name = Deny_HTTP-10
IP protocol version = IPV4
refcnt = 2
flag = 0x41000000
stale = FALSE
RBACL ACEs:
deny tcp dst eq 80
permit ip
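To make the enforcement behaviour concrete, here is an added example (not from the lab guide or from Cisco) that models the switch's lookup: the source SGT and destination SGT select the matrix cell, the cell's SGACL is walked top-down, and the lab's Deny_HTTP cell blocks only TCP/80 from Contractors to Test_Servers while every other pair falls to the Permit IP default. The VPN client addresses 10.10.99.11 and 10.10.99.12 are constructed placeholders; all other values are the ones shown above.

```python
"""Added example, not part of the lab guide: a small model of how the L3-Switch
enforces the egress matrix deployed from ISE in Task 6 (source SGT x destination
SGT -> SGACL). SGT numbers, SGACL contents and the 10.10.10.200 mapping are the
lab's values; the VPN client addresses for contractor1/employee1 are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNKNOWN_SGT = 0  # "0-dc:Unknown" in show cts environment-data

# IP-SGT bindings the switch holds: the static mapping learned over SXP plus the
# VPN client mappings (constructed addresses; SGTs per the lab's authorization rules).
IP_SGT_BINDINGS: Dict[str, int] = {
    "10.10.10.200": 13,  # Restricted Server -> Test_Servers, source SXP
    "10.10.99.11": 5,    # contractor1 VPN client -> Contractors (constructed IP)
    "10.10.99.12": 4,    # employee1 VPN client -> Employees (constructed IP)
}

# SGACL bodies exactly as entered in ISE; "Permit IP" is the matrix default.
SGACLS: Dict[str, str] = {
    "Deny_HTTP": "deny tcp dst eq 80\npermit ip",
    "Permit IP": "permit ip",
}
MATRIX: Dict[Tuple[int, int], str] = {(5, 13): "Deny_HTTP"}  # the one cell set in Task 6
DEFAULT_SGACL = "Permit IP"


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    protocol: str                # "ip" matches any IP protocol
    dst_port: Optional[int] = None

    def matches(self, proto: str, dst_port: Optional[int]) -> bool:
        if self.protocol != "ip" and self.protocol != proto:
            return False
        return self.dst_port is None or self.dst_port == dst_port


def parse_sgacl(text: str) -> List[Ace]:
    """Parse the SGACL syntax the lab uses: '<permit|deny> <proto> [dst eq <port>]'."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in ACE: {raw!r}")
        dst_port: Optional[int] = None
        if len(rest) == 3 and rest[:2] == ["dst", "eq"]:
            dst_port = int(rest[2])
        elif rest:
            raise ValueError(f"unsupported ACE syntax: {raw!r}")
        aces.append(Ace(action, proto, dst_port))
    return aces


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: Optional[int] = None,
             bindings=IP_SGT_BINDINGS, matrix=MATRIX, sgacls=SGACLS) -> Tuple[str, str]:
    """Return (decision, sgacl_name) for one flow, as the enforcing switch would.

    The cell is chosen by (source SGT, destination SGT); an address with no
    binding is Unknown (SGT 0). Within an SGACL the first matching ACE wins; a
    flow matching no ACE is treated as denied (assumption, mirroring ordinary
    ACL semantics; the lab's SGACLs end in 'permit ip', so it never fires here).
    """
    src_sgt = bindings.get(src_ip, UNKNOWN_SGT)
    dst_sgt = bindings.get(dst_ip, UNKNOWN_SGT)
    name = matrix.get((src_sgt, dst_sgt), DEFAULT_SGACL)
    for ace in parse_sgacl(sgacls[name]):
        if ace.matches(proto, dst_port):
            return ace.action, name
    return "deny", name


if __name__ == "__main__":
    # contractor1 to the Restricted Server over HTTP is the flow the lab expects to time out
    print(evaluate("10.10.99.11", "10.10.10.200", "tcp", 80))   # ('deny', 'Deny_HTTP')
    print(evaluate("10.10.99.11", "10.10.10.200", "tcp", 443))  # ('permit', 'Deny_HTTP')
    print(evaluate("10.10.99.12", "10.10.10.200", "tcp", 80))   # ('permit', 'Permit IP')
```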

Task 7: Configure ASA to Impose Layer 2 SGTs

With ASA 9.3 code, the ASA can impose Security Group Tags. You can now use security group tagging combined with
Ethernet tagging to enforce policies. SGT plus Ethernet tagging, also called Layer 2 SGT Imposition, enables the
ASA to send and receive security group tags on Gigabit Ethernet interfaces using Cisco proprietary Ethernet
framing (EtherType 0x8909), which allows the insertion of source security group tags into plain-text Ethernet
frames. You will configure the inside interface to impose L2 SGTs.

19. Enable Layer 2 SGT Imposition on the inside interface.

19.1. Access the console of the HQ-ASA from the topology diagram.

Note: It is imperative you use the console port rather than ASDM or a vty line to issue the following commands
as they have to do with changing the way the HQ-ASA puts packets on the wire.

19.2. Issue the commands to impose SGT Tags.

interface GigabitEthernet0/1
 cts manual
  propagate sgt
  policy static sgt 333 trusted

Note: The ASA will now listen to SXP from the L3-Switch and send SGTs on frames to the L3-Switch.

19.3. Issue the commands to verify SXP connections and IP mappings.

HQ-ASA# show cts sxp connections

SXP : Enabled
Highest version : 2
Default password : Set
Default local IP : Not Set
Reconcile period : 120 secs
Retry open period : 120 secs
Retry open timer : Running
Total number of SXP connections: 1
Total number of SXP connections shown: 1
-----------------------------------------------------------
Peer IP : L3-Switch
Source IP : 10.10.0.1
Conn status : On
Conn version : 2
Local mode : Listener
Ins number : 2
TCP conn password : Default
Reconciliation timer : Not Running
Delete hold down timer : Not Running
Duration since last state change: 0:00:00:40 (dd:hr:mm:sec)

HQ-ASA# show cts sxp sgt-map

Total number of IP-SGT mappings : 1
Total number of IP-SGT mappings shown: 1

SGT : 13
IPv4 : 10.10.10.200
Peer IP : L3-Switch
Ins Num : 2
Status : Active

In this section, you will test the SGA configuration by accessing the VPN from the Remote-PC and logging in as
different users.

20. Test the configuration as the contractor.

20.1. Access the Remote-PC and disconnect the VPN.

20.2. Re-connect and log in as contractor1/gklabs.

20.3. Open Firefox and attempt to browse to 10.10.2.10 (admin-pc.gklabs.com) and 10.10.1.25 (data-srv.gklabs.com);
both of these should work.

Note: You may need to refresh the page in the next step to ensure you are not getting a cached copy of the site.

20.4. Attempt to browse to 10.10.10.200 (Restricted Server); your connection should time out.

20.5. Access the L3-Switch CLI and issue the following command.

L3-Switch#show cts role-based counters

Role-based IPv4 counters
# '-' in hardware counters field indicates sharing among cells with identical policies
From    To      SW-Denied   HW-Denied   SW-Permitted  HW-Permitted
*       *       0           0           859           34119
5       13      0           6           0             0

Note: Your counters will not necessarily match the output above but you should see denies (HW-Denied) From
SGT 5 To SGT 13 per the policy.
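As an added verification check (example code, not part of the lab), the following parses the counters output above and confirms that the Contractors (5) to Test_Servers (13) cell is recording denies, which is the evidence that the deployed Deny_HTTP cell is actually enforcing. The sample text is constructed from the lab's own output.

```python
"""Added example, not part of the lab guide: parse 'show cts role-based counters'
output and confirm the Contractors (5) -> Test_Servers (13) cell is counting
denies, as the lab's Deny_HTTP policy should produce.
The sample text below is constructed from the lab's own output."""
from typing import Dict, List, Optional

# Constructed sample, column layout as printed by the L3-Switch in the lab.
SAMPLE_COUNTERS = """\
Role-based IPv4 counters
# '-' in hardware counters field indicates sharing among cells with identical policies
From    To      SW-Denied   HW-Denied   SW-Permitted  HW-Permitted
*       *       0           0           859           34119
5       13      0           6           0             0
"""

FIELDS = ("sw_denied", "hw_denied", "sw_permitted", "hw_permitted")


def _counter(token: str) -> Optional[int]:
    """A '-' means the hardware cell is shared with another cell; report it as None."""
    return None if token == "-" else int(token)


def parse_counters(text: str) -> List[Dict[str, object]]:
    """Return one dict per matrix cell; the default '* *' cell is kept as src/dst None."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        tokens = line.split()
        # Data rows have exactly six columns and start with '*' or an SGT number;
        # the banner, the '#' comment and the column header are skipped.
        if len(tokens) != 6 or not (tokens[0] == "*" or tokens[0].isdigit()):
            continue
        row: Dict[str, object] = {
            "src": None if tokens[0] == "*" else int(tokens[0]),
            "dst": None if tokens[1] == "*" else int(tokens[1]),
        }
        for name, tok in zip(FIELDS, tokens[2:]):
            row[name] = _counter(tok)
        rows.append(row)
    return rows


def denies_for(rows: List[Dict[str, object]], src: int, dst: int) -> int:
    """Total SW+HW denies for one (source SGT, destination SGT) cell; 0 if the cell is absent."""
    for row in rows:
        if row["src"] == src and row["dst"] == dst:
            return (row["sw_denied"] or 0) + (row["hw_denied"] or 0)
    return 0


def policy_is_enforcing(text: str, src: int, dst: int) -> bool:
    """True when the cell exists in the output and has at least one deny counted."""
    return denies_for(parse_counters(text), src, dst) > 0


if __name__ == "__main__":
    print(policy_is_enforcing(SAMPLE_COUNTERS, 5, 13))  # True
```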

21. Test the configuration as the employee.

21.1. Access the Remote-PC and disconnect the VPN.

21.2. Re-connect and log in as employee1/gklabs.

21.3. Open Firefox and attempt to browse to 10.10.2.10 (admin-pc.gklabs.com), 10.10.1.25 (data-srv.gklabs.com),
and 10.10.10.200 (Restricted Server); these should now work.

22. Prepare for the next lab.

22.1. In the ISE GUI, navigate to Administration > Deployment and click ise.

22.2. Disable the SXP Service and save the change.

22.3. Access the consoles of the L3-Switch and the HQ-ASA and reload both devices without saving any changes.

22.4. If you have saved changes to either of these devices during the lab, you will need to reset the environment before the next lab.

Lab Complete
