View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0062 - ISE 1.1 Security Group Access (SGA) with ASA 9.1 TrustSec (Part 1)

Average: 5 (2 votes)
Difficulty Level: 
Lab Document: 
<Please login to see the content>

The video demonstrates Cisco TrustSec support on Cisco ASA 9.1 with Cisco ISE. This lab is based on a 3750 switch that is not TrustSec hardware-capable but able to communicate IP-to-SGT mapping via SGT Exchange Protocol (SXP) to the ASA. We will be constructing an ACL based on SGT using the new Security object group. Cisco ISE will be mainly used to provide user authentication, SGT assignment, and the SGT-to-Name mapping to the ASA, although we will go over the remaining web interfaces for Security Group Access (SGA) and what you would need to configure to support the complete TrustSec implementation.

In part 1, we will configure Cisco ISE policies to perform basic user authentication and assign SGT to user. 
  • Security Group Access (SGA)
  • Security Group ACL (SGACL)
  • Security Group Tag (SGT)
  • SGT Exchange Protocol (SXP)
  • SGT-to-Name Mapping
  • Cisco TrustSec support on ASA 9.1
  • SXP Config on a Switch and ASA
  • Security object Group
  • SXP uses TCP 64999 so can work multiple hop

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.