Cisco Identity Services Engine Software Technical Manual
The detailed flow is:

1. The AnyConnect VPN user terminates the Secure Sockets Layer (SSL) session on the ASA-VPN. The ASA-VPN is configured for TrustSec and uses ISE for authentication of VPN users. The authenticated user is assigned SGT value 2 (name = IT). The user receives an IP address from the 172.16.32.0/24 network (172.16.32.50 in this example).
2. The user tries to access a web page on the Internet. The ASA-FW is configured for Web Cache Communication Protocol (WCCP), which redirects the traffic to the WSA.
3. The WSA is configured for ISE integration. It uses pxGrid in order to download session information from ISE: user IP address 172.16.32.50 has been assigned SGT 2.
4. The WSA processes the HTTP request from the user and hits access policy PolicyForIT. That policy is configured to block traffic to sports sites. All other users (those that do not belong to SGT 2) hit the default access policy and have full access to the sports sites.
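The policy decision the WSA makes in steps 3 and 4 can be modelled as a small lookup chain: resolve the client IP to an SGT using the session data learned from ISE over pxGrid, pick the first access policy whose SGT membership matches, then apply that policy's category block list. The following Python is an added illustration, not code from the Cisco document or from WSA itself; the session table, the URL-category map and the policy objects are constructed for the example. It also shows the failure mode worth watching for in this design: a client IP with no pxGrid session (for example because the mapping has not yet been synchronised) silently falls through to the default policy, so the result carries a `fallback_reason` that a defender would want to log.

```python
from dataclasses import dataclass

# Constructed sample of the IP-to-SGT session data the WSA learns from ISE
# over pxGrid. Only the fields needed for the policy decision are modelled.
PXGRID_SESSIONS = {
    "172.16.32.50": {"sgt": 2, "sgt_name": "IT"},
}

# Constructed URL-category map; a real WSA consults its own category database.
URL_CATEGORIES = {
    "sports.example": "Sports",
    "news.example": "News",
}


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    match_sgts: frozenset        # empty set means "matches any user" (default policy)
    blocked_categories: frozenset


# Ordered as the WSA evaluates them: specific policies first, default policy last.
POLICIES = [
    AccessPolicy("PolicyForIT", frozenset({2}), frozenset({"Sports"})),
    AccessPolicy("DefaultPolicy", frozenset(), frozenset()),
]


def lookup_sgt(client_ip):
    """Return the SGT bound to client_ip by ISE, or None if no session is known."""
    session = PXGRID_SESSIONS.get(client_ip)
    return session["sgt"] if session else None


def select_policy(sgt):
    """First policy whose SGT membership matches; the catch-all default wins otherwise."""
    for policy in POLICIES:
        if not policy.match_sgts or sgt in policy.match_sgts:
            return policy
    raise RuntimeError("no default access policy configured")


def decide(client_ip, host):
    """Evaluate one HTTP request the way the described WSA access policies would."""
    sgt = lookup_sgt(client_ip)
    policy = select_policy(sgt)
    category = URL_CATEGORIES.get(host, "Uncategorized")
    action = "BLOCK" if category in policy.blocked_categories else "ALLOW"
    return {
        "client_ip": client_ip,
        "sgt": sgt,
        "policy": policy.name,
        "category": category,
        "action": action,
        # None when an SGT was found; otherwise explains why the default policy applied.
        "fallback_reason": None if sgt is not None else "no pxGrid session for client IP",
    }


if __name__ == "__main__":
    for ip, host in [("172.16.32.50", "sports.example"),
                     ("172.16.32.50", "news.example"),
                     ("172.16.32.51", "sports.example")]:
        print(decide(ip, host))
```

Running the block reproduces the document's scenario: the IT user at 172.16.32.50 is blocked from the sports site but allowed to the news site, while an address with no pxGrid session lands on DefaultPolicy with full access and a populated `fallback_reason`.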
ASA-VPN

This is a VPN gateway configured for TrustSec. Detailed configuration is out of scope of this document. Refer to these examples:

• ASA and Catalyst 3750X Series Switch TrustSec Configuration Example and Troubleshoot Guide
• ASA Version 9.2 VPN SGT Classification and Enforcement Configuration Example