Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring the ASA to Integrate with Cisco TrustSec
Information About the ASA Integrated with Cisco TrustSec
Roles in the Cisco TrustSec Solution
To provide identity and policy-based access enforcement, the Cisco TrustSec solution includes the following functionality:
• Access Requestor (AR): Access requestors are end-point devices that request access to protected resources in the network. They are the primary subjects of the architecture, and their access privilege depends on their identity credentials.
Access requestors include end-point devices such as PCs, laptops, mobile phones, printers, cameras, and MACsec-capable IP phones.
• Policy Decision Point (PDP): A policy decision point is responsible for making access control decisions. The PDP provides features such as 802.1x, MAB, and Web authentication. The PDP supports authorization and enforcement through VLAN, DACL, and security group access (SGACL/SXP/SGT).
In the Cisco TrustSec solution, the Cisco Identity Services Engine (ISE) acts as the PDP. The Cisco ISE provides identity and access control policy functionality.
• Policy Information Point (PIP): A policy information point is a source that provides external information (for example, reputation, location, and LDAP attributes) to policy decision points.
Policy information points include devices such as Session Directory, IPS sensors, and Communication Manager.
• Policy Administration Point (PAP): A policy administration point defines and inserts policies into the authorization system. The PAP acts as an identity repository by providing the Cisco TrustSec tag-to-user-identity mapping and the Cisco TrustSec tag-to-server-resource mapping.
In the Cisco TrustSec solution, the Cisco Secure Access Control System (a policy server with integrated 802.1x and SGT support) acts as the PAP.
• Policy Enforcement Point (PEP): A policy enforcement point is the entity that carries out the decisions (policy rules and actions) made by the PDP for each AR. PEP devices learn identity information through the primary communication path that exists across networks. PEP devices learn the identity attributes of each AR from many sources, such as end-point agents, authorization servers, peer-enforcement devices, and network flows. In turn, PEP devices use SXP to propagate IP-SGT mappings to mutually trusted peer devices across the network.
Policy enforcement points include network devices such as Catalyst switches, routers, firewalls (specifically the ASA), servers, VPN devices, and SAN devices.
The ASA serves the role of the PEP in the identity architecture. Using SXP, the ASA learns identity information directly from authentication points and uses that information to enforce identity-based policies.
Security Group Policy Enforcement
Security policy enforcement is based on security group name. Consider an end-point device that attempts to access a resource in the data center. Where traditional firewall policies are written in terms of IP addresses, identity-based policies are written in terms of user and device identities. For example, mktg-contractor is allowed to access mktg-servers, and mktg-corp-users are allowed to access mktg-servers and corp-servers.
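The example policy above, expressed as ASA configuration so the security-group-name matching can be seen in place. This is an added illustration, not configuration from the guide; the interface name `inside`, the access-list and object-group names, the ISE and SXP peer addresses, and the key placeholders are assumptions.

```cisco
! --- Added example, not from the guide; names and addresses are assumed ---
!
! The ASA learns security group names (environment data) from ISE through a
! AAA server group referenced by cts server-group. Address and key are placeholders.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.0.2.20
 key RADIUS_KEY_PLACEHOLDER
cts server-group ISE
!
! IP-to-SGT mappings arrive over SXP from the PDP/switches; the ASA is the listener.
cts sxp enable
cts sxp default password SXP_PASSWORD_PLACEHOLDER
cts sxp connection peer 192.0.2.10 password default mode local listener
!
! Group the destinations that mktg-corp-users may reach into one security object group.
object-group security mktg-destinations
 security-group name mktg-servers
 security-group name corp-servers
!
! Identity-based rules: each address field is preceded by a security-group match,
! so the rule follows the SGT of the user or server rather than its IP address.
! mktg-contractor may reach mktg-servers only.
access-list inside_access_in extended permit ip security-group name mktg-contractor any security-group name mktg-servers any
! mktg-corp-users may reach both mktg-servers and corp-servers.
access-list inside_access_in extended permit ip security-group name mktg-corp-users any object-group-security mktg-destinations any
! Make the final deny explicit and log it so policy violations are visible to monitoring.
access-list inside_access_in extended deny ip any any log
!
! Bind the policy to the interface where end-point traffic enters the ASA.
access-group inside_access_in in interface inside
```

The group names in the access list must already exist in the environment data downloaded from ISE; until they do, the ASA cannot resolve them to tags and the rules do not match.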
The benefits of this type of deployment include:
• User groups and resources are defined and enforced using a single object (the SGT), which simplifies policy management.