Cisco ASA Series CLI Configuration Guide
Chapter 1      Configuring Objects
Configuring Security Group Object Groups 
You can create security group object groups for use in features that support Cisco TrustSec by including 
the group in an extended ACL, which in turn can be used in an access rule, for example.
When integrated with Cisco TrustSec, the ASA downloads security group information from the ISE. The 
ISE acts as an identity repository, by providing Cisco TrustSec tag to user identity mapping and Cisco 
TrustSec tag to server resource mapping. You provision and manage security group access lists centrally 
on the ISE.
However, the ASA might have localized network resources that are not defined globally that require local 
security groups with localized security policies. Local security groups can contain nested security 
groups that are downloaded from the ISE. The ASA consolidates local and central security groups.
To create local security groups on the ASA, you create a local security object group. A local security 
object group can contain one or more nested security object groups, Security IDs, or security group 
names. You can also create a new Security ID or security group name that does not yet exist on the ASA.
You can use the security object groups you create on the ASA to control access to network resources. 
You can use the security object group as part of an access group or service policy.
Prerequisites
See Chapter 1, “Configuring the ASA to Integrate with Cisco TrustSec,” to enable TrustSec.
Detailed Steps

Step 1

Command:
object-group security objgrp_name

Example:
hostname(config)# object-group security mktg-sg

Purpose:
Creates a security group object. objgrp_name is the name for the group, entered as a 32-byte, 
case-sensitive string. The objgrp_name can contain any character including [a-z], [A-Z], [0-9], 
[!@#$%^&()-_{}. ].

Step 2

Add one or more of the following group members:

Command:
security-group {tag sgt# | name sg_name}

Example:
hostname(config)# security-group name mktg

Purpose:
Specifies the type of security group object as either an inline tag or a named object.
• tag sgt#—Enter a number from 1 to 65533 for a Tag security type.
• name sg_name—Enter a 32-byte, case-sensitive string for a Name security type. The sg_name can 
contain any character including [a-z], [A-Z], [0-9], [!@#$%^&()-_{}. ].
An SGT is assigned to a device through IEEE 802.1X authentication, web authentication, or MAC 
authentication bypass (MAB) by the ISE. Security group names are created on the ISE and provide 
user-friendly names for security groups. The security group table maps SGTs to security group names.
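The following configuration is an added example, not taken from the guide: it carries Steps 1 and 2 through to the use the text mentions, a local security group object referenced in an extended ACL that is bound to an interface with an access rule. The object names (mktg-sg, mktg-servers-sg, ise-contractors-sg), the ACL name TRUSTSEC_IN, the interface name "inside" and the tag value 2001 are assumed for illustration.

```cisco
! Added example (not from the guide). Assumed names: mktg-sg, mktg-servers-sg,
! ise-contractors-sg, ACL TRUSTSEC_IN, interface "inside"; tag 2001 is illustrative.

! A group whose members are security group names provisioned on the ISE
hostname(config)# object-group security ise-contractors-sg
hostname(config-security-object-group)# security-group name contractors
hostname(config-security-object-group)# exit

! Step 1: create the local security group object (name <= 32 bytes, case-sensitive)
hostname(config)# object-group security mktg-sg
! Step 2: members are ISE-provided names and/or inline tags (1 to 65533)
hostname(config-security-object-group)# security-group name mktg
hostname(config-security-object-group)# security-group tag 2001
! Nest the ISE-populated group so local and central groups are consolidated
hostname(config-security-object-group)# group-object ise-contractors-sg
hostname(config-security-object-group)# exit

! A second object for the protected server side
hostname(config)# object-group security mktg-servers-sg
hostname(config-security-object-group)# security-group name mktg-web
hostname(config-security-object-group)# exit

! Reference the objects in an extended ACL: the security group argument
! precedes the address argument for both source and destination.
hostname(config)# access-list TRUSTSEC_IN extended permit tcp object-group-security mktg-sg any object-group-security mktg-servers-sg any eq 443
! Explicit logged deny so traffic outside the permitted group pairing is dropped and visible
hostname(config)# access-list TRUSTSEC_IN extended deny ip any any log

! Apply the ACL as an access rule on the interface
hostname(config)# access-group TRUSTSEC_IN in interface inside

! Verification: confirm the objects, their members and the resulting ACL
hostname# show running-config object-group
hostname# show running-config access-list TRUSTSEC_IN
```

Because name members resolve through the security group table downloaded from the ISE, a name that does not yet exist there is accepted on the ASA but only takes effect once the ISE provides the mapping, so verify the table after provisioning.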