Cisco Identity Services Engine Software Technical Manual
Configure WSA Integration with ISE for TrustSec Aware Services
Document ID: 119212
Contributed by Michal Garcarz, Cisco TAC Engineer.
Jul 30, 2015
Contents
Introduction
Prerequisites
Requirements
Components Used
Configure
Network Diagram and Traffic Flow
ASA-VPN
ASA-FW
ISE
Step 1. SGT for IT and Other Group
Step 2. Authorization Rule for VPN Access That Assigns SGT = 2 (IT)
Step 3. Add Network Device and Generate PAC File for ASA-VPN
Step 4. Enable pxGrid Role
Step 5. Generate the Certificate for Administration and the pxGrid Role
Step 6. pxGrid Auto Registration
WSA
Step 1. Transparent Mode and Redirection
Step 2. Certificate Generation
Step 3. Test ISE Connectivity
Step 4. ISE Identification Profiles
Step 5. Access the Policy Based on the SGT Tag
Verify
Step 1. VPN Session
Step 2. Session Information Retrieved by the WSA
Step 3. Traffic Redirection to the WSA
Troubleshoot
Incorrect Certificates
Correct Scenario
Related Information
Introduction
This document describes how to integrate the Web Security Appliance (WSA) with the Identity Services Engine
(ISE). ISE Version 1.3 supports a new API called pxGrid. This modern and flexible protocol supports
authentication, encryption, and privileges (groups), which allows for easy integration with other security
solutions.
WSA Version 8.7 supports the pxGrid protocol and is able to retrieve context identity information from ISE. As a
result, WSA allows you to build policies based on TrustSec Security Group Tag (SGT) groups retrieved from
ISE.