Cisco Identity Services Engine Software Technical Manual

Prerequisites
Requirements
Cisco recommends that you have experience with Cisco ISE configuration and basic knowledge of these
topics:
• ISE deployments and authorization configuration
• Adaptive Security Appliance (ASA) CLI configuration for TrustSec and VPN access
• WSA configuration
• Basic understanding of TrustSec deployments
Components Used
The information in this document is based on these software and hardware versions:
• Microsoft Windows 7
• Cisco ISE Software Version 1.3 and later
• Cisco AnyConnect Mobile Security Version 3.1 and later
• Cisco ASA Version 9.3.1 and later
• Cisco WSA Version 8.7 and later
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Configure
Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the
commands used in this section.
Network Diagram and Traffic Flow
TrustSec SGT tags are assigned by the ISE, which is used as the authentication server for all types of users
that access the corporate network. This includes wired/wireless users that authenticate via 802.1x or ISE guest
portals, as well as remote VPN users that use ISE for authentication.
For WSA, it does not matter how the user has accessed the network.
This example presents remote VPN users that terminate their sessions on the ASA-VPN. Those users have been
assigned a specific SGT tag. All HTTP traffic to the Internet is intercepted by the ASA-FW (firewall)
and redirected to the WSA for inspection. The WSA uses the identity profile, which allows it to classify users
based on the SGT tag and build access or decryption policies based on that classification.