Introduction
This document describes how to configure an SXP (Security Group Exchange Protocol) connection between ISE (Identity Services Engine) and an ASAv (virtual Adaptive Security Appliance).
SXP is the SGT (Security Group Tag) Exchange Protocol used by TrustSec to propagate IP-to-SGT mappings to TrustSec devices. SXP was developed to allow networks that include third-party devices or legacy Cisco devices which do not support SGT inline tagging to have TrustSec capabilities. SXP is a peering protocol: one device acts as a Speaker and the other as a Listener. The SXP speaker is responsible for sending the IP-SGT bindings and the listener is responsible for collecting them. The SXP connection uses TCP port 64999 as the underlying transport protocol and MD5 for message integrity/authenticity.
SXP has been published as an IETF Draft at the following link:
https://datatracker.ietf.org/doc/draft-smith-kandula-sxp/
Prerequisites
Requirements
TrustSec Compatibility Matrix:
http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/solution-overview-listing.html
Components Used
ISE 2.3
ASAv 9.8.1
ASDM 7.8.1.150
Network Diagram
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-00.png)
IP Addresses
ISE: 14.36.143.223
ASAv: 14.36.143.30
Initial Configuration
ISE Network Device
Register ASA as a Network Device
WorkCenters > TrustSec > Components > Network Devices > Add
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-01.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-02.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-03.jpeg)
Generate an Out-of-Band (OOB) PAC (Protected Access Credential) and download it
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-04.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-05.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-06.jpeg)
ASDM AAA server Configuration
Create AAA server group
Configuration > Firewall > Identity by TrustSec > Server Group Setup > Manage...
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-07.jpeg)
AAA Server Groups > Add
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-08.jpeg)
- AAA Server Group: <Group Name>
- Enable dynamic authorization
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-09.jpeg)
Add server to server group
Servers in the Selected Group > Add
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-10.jpeg)
- Server Name or IP Address: <ISE IP address>
- Server Authentication Port: 1812
- Server Accounting Port: 1813
- Server Secret Key: Cisc0123
- Common Password: Cisc0123
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-11.jpeg)
Import PAC downloaded from ISE
Configuration > Firewall > Identity by TrustSec > Server Group Setup > Import PAC...
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-12.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-13.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-14.jpeg)
Refresh Environment Data
Configuration > Firewall > Identity by TrustSec > Server Group Setup > Refresh Environment Data
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-15.jpeg)
Verification
ISE live logs
Operations > RADIUS > Live Logs
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-16.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-17.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-18.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-19.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-20.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-21.jpeg)
ISE Security Groups
Work Centers > TrustSec > Components > Security Groups
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-22.jpeg)
ASDM PAC
Monitoring > Properties > Identity by TrustSec > PAC
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-23.jpeg)
ASDM Environment Data and Security Groups
Monitoring > Properties > Identity by TrustSec > Environment Data
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-24.jpeg)
ASDM SXP Configuration
Enable SXP
Configuration > Firewall > Identity by TrustSec > Enable SGT Exchange Protocol (SXP)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-25.jpeg)
Set Default SXP Source IP address and Default SXP password
Configuration > Firewall > Identity by TrustSec > Connection Peers
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-26.jpeg)
Add SXP Peer
Configuration > Firewall > Identity by TrustSec > Connection Peers > Add
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-27.jpeg)
- Peer IP Address: <ISE IP Address>
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-28.jpeg)
ISE SXP Configuration
Global SXP password setting
WorkCenters > TrustSec > Settings > SXP Settings
- Global Password: Cisc0123
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-29.jpeg)
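The following is an added example and not part of this Cisco document. The MD5 protection mentioned in the Introduction is the TCP MD5 Signature option (RFC 2385), and the key it uses is the SXP password: the Default SXP password on the ASA and the Global Password on ISE must be the same string for the connection to come up. The script builds a constructed segment to TCP port 64999 carrying that option, then checks a segment the way a capture review would: is it on the SXP port, does it carry the MD5 option, and does the digest verify under the expected password. It uses the lab addresses and the Cisc0123 password from this document; the payload bytes, source port and sequence numbers are constructed placeholders, and the SXP message body is treated as opaque.

```python
import hashlib
import hmac
import socket
import struct

# Values from the document: SXP transport port and the two peers in the lab.
SXP_PORT = 64999
ASA_IP = "14.36.143.30"
ISE_IP = "14.36.143.223"

# RFC 2385 TCP MD5 Signature option: kind 19, total length 18 (kind, length, 16-byte digest).
TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_MD5 = 0, 1, 19
TCP_OPT_MD5_LEN = 18


def _pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header shared by the TCP checksum and the MD5 signature."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, 6, tcp_len)


def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, tcp_len, payload, key):
    """RFC 2385 digest: pseudo-header, the fixed 20-byte TCP header with its checksum
    zeroed (options are not covered), the payload, and finally the shared key."""
    h = hashlib.md5()
    h.update(_pseudo_header(src_ip, dst_ip, tcp_len))
    h.update(fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:20])
    h.update(payload)
    h.update(key)
    return h.digest()


def _checksum(data):
    """Standard ones'-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sxp_segment(src_ip, dst_ip, src_port, payload, key, seq=1, ack=1):
    """Constructed PSH/ACK segment to the SXP port carrying a valid MD5 Signature option."""
    opts_len = TCP_OPT_MD5_LEN + 2            # option plus two NOPs pads to a 4-byte boundary
    data_offset = (20 + opts_len) // 4        # header length in 32-bit words
    tcp_len = 20 + opts_len + len(payload)
    fixed = struct.pack("!HHIIBBHHH", src_port, SXP_PORT, seq, ack,
                        data_offset << 4, 0x18, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, tcp_len, payload, key)
    options = bytes([TCP_OPT_MD5, TCP_OPT_MD5_LEN]) + digest + bytes([TCP_OPT_NOP, TCP_OPT_NOP])
    segment = fixed + options + payload
    csum = _checksum(_pseudo_header(src_ip, dst_ip, tcp_len) + segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def find_md5_option(options):
    """Walk the TCP option list and return the 16-byte MD5 digest, or None if absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2:                        # malformed option; stop instead of looping
            break
        if kind == TCP_OPT_MD5 and length == TCP_OPT_MD5_LEN:
            return options[i + 2:i + TCP_OPT_MD5_LEN]
        i += length
    return None


def check_sxp_segment(src_ip, dst_ip, segment, key):
    """Return (on_sxp_port, md5_option_present, digest_valid) for one captured TCP segment."""
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    hdr_len = (segment[12] >> 4) * 4
    options, payload = segment[20:hdr_len], segment[hdr_len:]
    on_sxp_port = SXP_PORT in (src_port, dst_port)
    digest = find_md5_option(options)
    if digest is None:
        return on_sxp_port, False, False
    expected = tcp_md5_digest(src_ip, dst_ip, segment[:20], len(segment), payload, key)
    return on_sxp_port, True, hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed placeholder payload: the SXP message body is opaque to this check.
    sample = build_sxp_segment(ASA_IP, ISE_IP, 40000, b"constructed-sxp-payload", b"Cisc0123")
    print("matching password:  ", check_sxp_segment(ASA_IP, ISE_IP, sample, b"Cisc0123"))
    print("mismatched password:", check_sxp_segment(ASA_IP, ISE_IP, sample, b"wrong"))
```

A password mismatch between the ASA default SXP password and the ISE global password looks exactly like the second check: the segment is on port 64999 and carries the MD5 option, but the digest does not verify under the other side's key, so the peers never establish the connection. Because the digest covers the pseudo-header, a wrong Default SXP Source IP on the ASA fails the same way.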
Add SXP Device
WorkCenters > TrustSec > SXP > SXP Devices > Add
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-30.jpeg)
SXP Verification
ISE SXP verification
WorkCenters > TrustSec > SXP > SXP Devices
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-31.jpeg)
ISE SXP Mappings
WorkCenters > TrustSec > SXP > All SXP Mappings
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-32.jpeg)
ASDM SXP verification
Monitoring > Properties > Identity by TrustSec > SXP Connections
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-33.jpeg)
ASDM learned SXP IP to SGT Mappings
Monitoring > Properties > Identity by TrustSec > IP Mappings
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-34.jpeg)
Packet Capture Taken on ISE
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-35.jpeg)