3972 L18 Trustsec Sec Gru Acc
Lab Overview
In this lab, you will work with integrating the HQ-ASA and the L3-Switch with the ISE server to implement Security
Group Access as part of the TrustSec implementation.
Lab Procedures
• Configure ISE for ASA TrustSec Integration
If you have performed a reset to this lab or are using the Global Knowledge e-Labs (meaning that you are
accessing the system after you have attended the 5 day course), you will need to prepare or verify the
environment. Perform the following:
Access the module in the lab guide titled Post Reset and follow the directions there.
In this task, you will work with ISE and the TrustSec Work Center. All TrustSec-related options are consolidated
under the TrustSec Work Center menu so that you can easily access all the TrustSec options at one location.
https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L18.htm 20/09/2017
Page 2 of 23
1.1. On the Admin-PC, open Firefox and, using the ISE bookmark, log in as admin/admin$Pwd.
1.2. In the ISE GUI, navigate to Administration > Deployment and click ise.
1.3. Enable the SXP Service on ISE and save the config.
1.4. Access the ISE CLI and issue the command show application status ise to verify that the SXP Engine Service
has started.
Note: It will take some time before the service shows as running.
1.5. Navigate to Work Centers > TrustSec > Components > TrustSec AAA Servers, where you should see that the
ise server is already a TrustSec AAA Server.
1.6. Navigate to Work Centers > TrustSec > Settings > General TrustSec Settings.
Note: Protected Access Credentials (PACs) are necessary when configuring Network Devices to communicate
with ISE. The Life Time defaults to 90 days with a maximum of 5 years. In addition, ISE will assign the SGT
numbers (as you will see). You won't be using the option to automatically create security groups.
Note: This governs the look and feel of Security Group Access Control Matrices.
Note: These settings pertain to TrustSec-ACI Integration: Cisco ISE allows you to synchronize SGTs and SXP
mappings with the Internal Endpoint Groups (IEPGs), External Endpoint Groups (EEPGs), and endpoint (EP)
configuration of Cisco Application Centric Infrastructure (ACI). You will not use this feature here.
1.9. In the left frame, click SXP Settings and configure as follows.
Note: The timers associated with SXP connections can be configured here.
1.10. Leave all other fields as is and click Save then Yes to the message about SXP restarting.
2.1. Navigate to Work Centers > TrustSec > SXP (accept any messages that may pop up).
Attribute    Value
Name         L3-Switch
IP Address   10.10.2.1
Status       Enabled
Note: The Status will show as PENDING_ON. You will revisit SXP later in the lab after configuring the Network
Devices.
3.1. In the ISE GUI, navigate to Work Centers > TrustSec > Components > Network Devices, edit the HQ-ASA
and fill in the parameters as follows:
Attribute Value
enabled
3.1.1. Leave all other fields at their defaults and click Save.
To configure the ASA to function with Cisco TrustSec, you must import a Protected Access Credential (PAC) file
from the ISE server. The ASA requires manual import of a PAC file in order to set up communications between it
and ISE.
4.1. In the ISE GUI, navigate to Work Centers > TrustSec > Components > Network Devices, select the HQ-ASA
and click Generate PAC.
Attribute Value
Note: The file will be saved to the Downloads directory on the Admin-PC. You will use it later to import on the
HQ-ASA.
5.1. In the ISE GUI, navigate to Work Centers > TrustSec > Components > Security Group. You should see that
ISE is already pre-configured with a number of security groups including Employees and Contractors.
◾ Name: IT
5.2.1. Click Submit, then verify that the Security Groups (and SGTs) look as follows:
6. Verify the Default Authentication Rule used for ASA VPN Authentication.
6.1. In the ISE GUI, navigate to Policy > Policy Sets > VPN > Authentication Policy.
6.2. In its default configuration, ISE will use the Default Rule (If no match), to authenticate VPN sessions. Verify
that the Rule is set to authenticate against All_User_ID_Stores (which includes the Active Directory domain
GKLABS).
7. Configure the Authorization Rules to return the correct Security Groups for IT, Contractors and Employees.
7.2. Scroll down and find the Rule titled VPN Compliant and click the pull-down arrow on the right of edit to
Insert New Rule Above.
Attribute Value
7.4. Click Done, then click the pull-down arrow on the right of Edit to Duplicate Above and configure the new
rule as follows.
Attribute Value
7.5. Click Done, then click the pull-down arrow on the right of Edit to Duplicate Above and configure the new
rule as follows.
Attribute Value
7.7. Once you have verified the three authorization rules match the figure above, click Save to commit your
changes.
8.2. In the right pane, locate the authorization policy named Basic_Authenticated_Access and edit it as follows.
Attribute    Value
Status       enabled
Conditions   Network_Access_Authentication_Passed
In this task, you will import the PAC file you generated earlier. Importing the PAC file to the ASA establishes a
secure communication channel with the ISE server. After the channel is established, the ASA initiates a PAC secure
RADIUS transaction with the ISE server and downloads Cisco TrustSec environment data (that is, the security
group table). The security group table maps SGTs to security group names. Security group names are created on
the ISE server and provide user-friendly names for security groups.
The first time that the ASA downloads the security group table, it walks through all entries in the table and
resolves all the security group names included in security policies that have been configured on it; then, the ASA
activates those security policies locally. If the ASA cannot resolve a security group name, it generates a syslog
message for the unknown security group name.
9.1. On the Admin-PC, launch ASDM from the desktop. Connect to hq-asa.gklabs.com as admin/admin$Pwd.
9.4. Click Apply and verify the output before clicking Send.
9.5. Click Import PAC and browse to Downloads and import HQ-ASA.pac.
9.6. In the Import PAC window, enter the password gklabskey twice and then click Import.
9.7. Click OK to the Information window stating that the PAC imported successfully.
Note: When you import the PAC file, the file is converted to ASCII HEX format and sent to the ASA in
non-interactive mode. It may take a minute before the Environment Data is downloaded to the ASA.
10. Verify the Environment Data received from the ISE server.
10.1. In ASDM, navigate to Monitoring > Properties > Identity by TrustSec > PAC. You should see PAC
information similar to the following:
10.2. In ASDM, navigate to Monitoring > Properties > Identity by TrustSec > Environment Data. You should
have received the Security Group Table from the ISE server.
10.3. Verify that in Monitoring > Properties > Identity by TrustSec, the IP Mappings Table and SXP Connections
are empty.
10.4. Access the HQ-ASA CLI and issue the commands to configure SXP.
Tip: There is a file on the Admin-PC at Desktop\ISE\HQ-ASA\SXP.txt. You can copy and paste the commands
from there if you prefer.
Do NOT save the changes to startup-config as you will reload the device at the end of the lab in preparation for
the next lab.
conf t
cts sxp enable
cts sxp connection peer 10.10.0.2 source 10.10.0.1 password default mode local listener
cts sxp default password 0 gklabs
end
Note: You will configure SXP on the L3-Switch later in the lab. The L3-Switch will be an SXP Listener when
connecting to ISE and a Speaker when connecting to the ASA.
In this task, you will verify that SSL VPN works from the Remote-PC while using ISE for AAA authentication. You will
see that the VPN sessions will be assigned the correct SGTs based on the identity of the user.
11.1. Access the console of the L3-Switch and issue the following command to configure interface g0/3 in open
mode.
Note: This will allow open access to User-PC2 (used in this lab as the Restricted Server).
conf t
int g0/3
shut
no ip access-group in
no shut
end
11.3. Verify that the IP address is 10.10.10.200 (ipconfig) and that you have Internet access (www.cisco.com).
Note: If the IP address is something other than 10.10.10.200, take note of it and use that address where you see
reference to 10.10.10.200 further in the lab.
11.8. In the System Tray, click the AnyConnect icon for the Mobility Client to reappear, and verify the IP address
assigned to the remote access client by clicking on the gear in the lower left corner of the client window.
11.9. On the Remote-PC, open Firefox and browse to 10.10.1.25 (data-srv.gklabs.com) and 10.10.10.200
(User-PC2); these should succeed.
11.11. In ASDM, click Refresh Now to update the config and then navigate to Monitoring > Properties > Identity
by TrustSec > IP Mappings.
11.12. You should see the Security Group IP Mapping Table now has an entry for the IP address of the VPN client
and the Tag should match the tag associated with IT.
11.14. Repeat the previous steps to verify that remote access VPN works from the Remote-PC for users
employee1/gklabs and contractor1/gklabs. Make sure to verify that they both have access to the three
internal web pages and that their appropriate Security Group Mappings appear. They should appear
similar to what is shown below.
Note: All three VPN users have access to all internal servers. You will configure SGACLs to block contractors from
accessing the Restricted Server.
12.2. In the ISE GUI, navigate to Work Centers > TrustSec > Components > Network Devices, edit the L3-Switch,
and fill in the parameters as follows:
Attribute Value
12.2.1. Leave all other fields at their defaults and click Save.
Note: Unlike the ASA, the L3-Switch doesn't need you to generate a PAC file. With switches, the PAC file is
automatically generated and read in by the switch on the next query.
13. Configure and verify the communication between ISE and the L3-Switch.
13.1. Access the L3-Switch CLI and issue the commands to Configure TrustSec.
Tip: There is a file on the Admin-PC at Desktop\ISE\L3-Switch\TrustSec.txt. You can copy and paste the
commands from there if you prefer.
Do NOT save the changes to startup-config as you will reload the switch at the end of the lab in preparation for
the next lab.
conf t
!configuration to allow communication to ise including auto pac generation
radius server ISE-PRIMARY
!enforcement is enabled both for Layer3 and Layer2 (only vlan 7):
cts role-based enforcement
cts role-based enforcement vlan-list 7
Note: The last set of commands imposes tagging on G0/10 which connects to the HQ-ASA. Until we configure the
HQ-ASA to also impose tags, communication through that interface will not work. Any existing vty connections
from the Admin-PC to the HQ-ASA will no longer work. Additional configuration will need to be done from the
console port of the ASA to remedy this situation.
13.2. After configuring the L3-Switch, enter the commands to verify the PACs.
Note: Wait about 60 seconds and then issue the command to verify environment data.
5-dc:Contractors
6-dc:Guests
7-dc:Production_Users
8-dc:Developers
9-dc:Auditors
10-dc:Point_of_Sale_Systems
11-dc:Production_Servers
12-dc:Development_Servers
13-dc:Test_Servers
14-dc:PCI_Servers
15-dc:BYOD
16-dc:Admins
17-dc:IT
255-dc:Quarantined_Systems
Environment Data Lifetime = 86400 secs
Last update time = 16:25:57 UTC Thu Nov 17 2016
Env-data expires in 0:23:59:23 (dd:hr:mm:sec)
Env-data refreshes in 0:23:59:23 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running
Note: It may take a couple of minutes, but you should see the SXP connection to ISE change to Conn status of On.
The connection to the HQ-ASA will also be on.
----------------------------------------------
Peer IP : 10.10.2.50
Source IP : 10.10.2.1
Conn status : On
Conn version : 4
Conn capability : IPv4-IPv6-Subnet
Conn hold time : 120 seconds
Local mode : SXP Listener
Connection inst# : 1
TCP conn fd : 1
TCP conn password: default SXP password
Hold timer is running
Duration since last state change: 0:00:04:23 (dd:hr:mm:sec)
Note: The L3-Switch is configured to be an SXP listener with ISE (10.10.2.50) and an SXP speaker with the HQ-ASA
(10.10.0.2). This will allow for SGT mappings to propagate out from ISE to the rest of the SXP domain.
In this task, you will configure a static mapping for the User-PC on ISE and deploy it to the L3-Switch.
14.1. In the ISE GUI, navigate to Work Centers > TrustSec > SXP and verify that the L3-Switch status has changed
to ON.
14.2. Navigate to Work Centers > TrustSec > Components > IP SGT Static Mapping.
Attribute    Value
SGT          Test_Servers
15.1. On the L3-Switch, issue the command to verify that the mapping has been deployed.
In this task, you will configure a Security Group ACL to be used in the Security Group Matrix on ISE and deploy the
Matrix to the L3-Switch.
16.1. In the ISE GUI, navigate to Work Centers > TrustSec > Components > Security Group ACLs.
Attribute Value
Name Deny_HTTP
permit ip
17.1. Navigate to Work Centers > TrustSec > TrustSec Policy > Matrix.
17.2. Scroll to the right and find the cell where Destination > Test_Servers and Source > Contractors intersect.
17.3. Double-click to edit and select the SGACL Deny_HTTP then click Save.
18.1. In the ISE GUI, click the Deploy button and wait to receive a notification that the task completed
successfully.
18.2. Verify that the policy is now on the L3-Switch by accessing the console and issuing the following
command.
name = Deny_HTTP-10
IP protocol version = IPV4
refcnt = 2
flag = 0x41000000
stale = FALSE
RBACL ACEs:
deny tcp dst eq 80
permit ip
In 9.3 code, the ASA can impose Security Group Tags. You can now use security group tagging combined with
Ethernet tagging to enforce policies. SGT plus Ethernet Tagging, also called Layer 2 SGT Imposition, enables the
ASA to send and receive security group tags on Gigabit Ethernet interfaces using Cisco proprietary Ethernet
framing (Ether Type 0x8909), which allows the insertion of source security group tags into plain-text Ethernet
frames. You will configure the inside interface to impose L2 SGTs.
19.1. Access the console of the HQ-ASA from the topology diagram.
Note: It is imperative you use the console port rather than ASDM or a vty line to issue the following commands
as they have to do with changing the way the HQ-ASA puts packets on the wire.
interface GigabitEthernet0/1
cts manual
propagate sgt
policy static sgt 333 trusted
Note: The ASA will now Listen to SXP from the L3-Switch and send SGTs on frames to the L3-Switch.
SGT : 13
IPv4 : 10.10.10.200
Peer IP : L3-Switch
Ins Num : 2
Status : Active
In this section, you will test the SGA configuration by accessing the VPN from the Remote-PC and logging in as
different users.
20.3. Open Firefox and attempt to browse to 10.10.2.10 (admin-pc.gklabs.com) and 10.10.1.25
(data-srv.gklabs.com); both of these should work.
Note: You may need to refresh the page in the next step to ensure you are not getting a cached copy of the site.
20.4. Attempt to browse to 10.10.10.200 (Restricted Server); your connection should time out.
20.5. Access the L3-Switch CLI and issue the following command.
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt
*       *       0          0          859        34119
5       13      0          6          0          0
Note: Your counters will not necessarily match the output above but you should see denies (HW-Denied) From
SGT 5 To SGT 13 per the policy.
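As an added verification aid (not part of the lab guide or any Cisco tool), the following Python script parses the SGT table from the show cts environment-data output of step 13.2 and the show cts role-based counters output of step 20.5, and reports which source and destination security groups have been denied by an SGACL. The sample outputs are constructed from the values shown in this lab; the counters heading line is assumed from the switch's display format.

```python
import re
from typing import Dict, List, Tuple
# Constructed sample: tail of `show cts environment-data` as captured on the L3-Switch
ENV_DATA = """\
5-dc:Contractors
6-dc:Guests
13-dc:Test_Servers
17-dc:IT
255-dc:Quarantined_Systems
Environment Data Lifetime = 86400 secs
"""
# Constructed sample of `show cts role-based counters`: rows are the lab's values,
# the heading line is assumed from the switch's display format
COUNTERS = """\
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt
*       *       0          0          859        34119
5       13      0          6          0          0
"""

SGT_LINE = re.compile(r"^\s*(\d+)-dc:(\S+)\s*$")
# From/To are SGT numbers or '*' (the any/any default row), then four counters
ROW_LINE = re.compile(r"^\s*(\*|\d+)\s+(\*|\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_sgt_table(env_data: str) -> Dict[int, str]:
    """SGT number -> security group name, from the environment data output."""
    table: Dict[int, str] = {}
    for line in env_data.splitlines():
        m = SGT_LINE.match(line)
        if m:
            table[int(m.group(1))] = m.group(2)
    return table

def parse_counters(output: str) -> List[dict]:
    """One dict per counter row; '*' is kept as the wildcard source/destination."""
    rows = []
    for line in output.splitlines():
        m = ROW_LINE.match(line)
        if m:
            src, dst, sw_den, hw_den, sw_per, hw_per = m.groups()
            rows.append({"from": src, "to": dst, "denied": int(sw_den) + int(hw_den),
                         "permitted": int(sw_per) + int(hw_per)})
    return rows

def denied_pairs(output: str, env_data: str) -> List[Tuple[str, str, int]]:
    """(source group, destination group, denied packets) for each SGT pair with
    a non-zero deny count, numbers resolved to names from environment data."""
    names = parse_sgt_table(env_data)
    label = lambda s: "ANY" if s == "*" else names.get(int(s), "SGT" + s)
    return [(label(r["from"]), label(r["to"]), r["denied"])
            for r in parse_counters(output) if r["denied"]]

if __name__ == "__main__":
    for src, dst, n in denied_pairs(COUNTERS, ENV_DATA):
        print(f"{src} -> {dst}: {n} packets denied by SGACL")
```

Run against the lab's values it reports the Contractors to Test_Servers denies that the policy from step 17.3 is expected to produce.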
21.3. Open Firefox and attempt to browse to 10.10.2.10 (admin-pc.gklabs.com), 10.10.1.25
(data-srv.gklabs.com), and 10.10.10.200 (Restricted Server); these should now work.
22.1. In the ISE GUI, navigate to Administration > Deployment and click ise.
22.3. Access the consoles of the L3-Switch and the HQ-ASA and reload both devices without saving any changes.
22.4. If you have saved changes to either of these devices during the lab, you will need to reset to the next lab.
Lab Complete