Introduction
This document describes how to configure an SXP (Security Group Exchange Protocol) connection between ISE (Identity Services Engine) and an ASAv (virtual Adaptive Security Appliance).
SXP is the SGT (Security Group Tag) Exchange Protocol used by TrustSec to propagate IP-to-SGT mappings to TrustSec devices. SXP was developed so that networks containing third-party devices, or older Cisco devices that do not support inline SGT tagging, can still use TrustSec capabilities. SXP is a peering protocol: one device acts as the speaker and the other as the listener. The SXP speaker is responsible for sending the IP-SGT bindings and the listener is responsible for collecting them. The SXP connection uses TCP port 64999 as the underlying transport and MD5 for message integrity and authenticity.
SXP has been published as an IETF draft at the following link:
https://datatracker.ietf.org/doc/draft-smith-kandula-sxp/
Prerequisites
Requirements
TrustSec compatibility matrix:
http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/solution-overview-listing.html
Components Used
ISE 2.3
ASAv 9.8.1
ASDM 7.8.1.150
Network Diagram
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-00.png)
IP Addresses
ISE: 14.36.143.223
ASAv: 14.36.143.30
Initial Configuration
ISE Network Device
Register the ASA as a network device
Work Centers > TrustSec > Components > Network Devices > Add
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-01.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-02.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-03.jpeg)
Generate an out-of-band (OOB) PAC (Protected Access Credential) and download it
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-04.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-05.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-06.jpeg)
ASDM AAA Server Configuration
Create an AAA server group
Configuração > Firewall > Identity by TrustSec > Server Group Setup > Manage...
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-07.jpeg)
AAA Server Groups > Add
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-08.jpeg)
- AAA Server Group: <Group name>
- Enable dynamic authorization
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-09.jpeg)
Add a server to the server group
Servers in the Selected Group > Add
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-10.jpeg)
- Server Name or IP Address: <ISE IP address>
- Server Authentication Port: 1812
- Server Accounting Port: 1813
- Server Secret Key: Cisco0123
- Common Password: Cisco0123
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-11.jpeg)
Import the PAC downloaded from ISE
Configuração > Firewall > Identity by TrustSec > Server Group Setup > Import PAC...
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-12.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-13.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-14.jpeg)
Refresh environment data
Configuração > Firewall > Identity by TrustSec > Server Group Setup > Refresh Environment Data
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-15.jpeg)
Verification
ISE Live Logs
Operations > RADIUS > Live Logs
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-16.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-17.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-18.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-19.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-20.jpeg)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-21.jpeg)
ISE Security Groups
Work Centers > TrustSec > Components > Security Groups
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-22.jpeg)
ASDM PAC
Monitoring > Properties > Identity by TrustSec > PAC
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-23.jpeg)
ASDM Environment Data and Security Groups
Monitoring > Properties > Identity by TrustSec > Environment Data
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-24.jpeg)
ASDM SXP Configuration
Enable SXP
Configuração > Firewall > Identity by TrustSec > Enable SGT Exchange Protocol (SXP)
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-25.jpeg)
Set the default SXP source IP address and the default SXP password
Configuration > Firewall > Identity by TrustSec > Connection Peers
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-26.jpeg)
Add SXP peer
Configuração > Firewall > Identity by TrustSec > Connection Peers > Add
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-27.jpeg)
- Peer IP Address: <ISE IP address>
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-28.jpeg)
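The ASA CLI equivalent of the ASDM steps above (AAA server group with dynamic authorization, PAC import, environment-data refresh and the SXP peer), added here as an example; it is not part of the original document. The IP addresses and the RADIUS key are the values given on this page; the interface name `inside`, the PAC file path on flash, the PAC encryption password and the SXP default password are assumptions shown as placeholders or assumed names. Because ISE is the SXP speaker that sends the IP-to-SGT mappings, the ASA side is configured as the listener.

```cisco
! Added example: CLI equivalent of the ASDM configuration on this page
! (interface name, PAC path and the two passwords are assumed, not from the page)
aaa-server ISE protocol radius
 dynamic-authorization
aaa-server ISE (inside) host 14.36.143.223
 key Cisco0123
 authentication-port 1812
 accounting-port 1813
!
! Tell the CTS subsystem which AAA group to use for environment data
cts server-group ISE
! PAC generated out-of-band on ISE and copied to flash beforehand (path assumed)
cts import-pac flash:/asav.pac password <PAC-encryption-password>
cts refresh environment-data
!
! SXP: ASA listens for IP-SGT bindings from ISE on TCP 64999,
! authenticated with the shared MD5 password
cts sxp enable
cts sxp default source-ip 14.36.143.30
cts sxp default password <SXP-password>
cts sxp connection peer 14.36.143.223 password default mode local listener
```

The SXP default password must match the global SXP password configured on ISE under Work Centers > TrustSec > Settings > SXP Settings, and the RADIUS key must match the shared secret entered when the ASA was registered as a network device on ISE; a mismatch in either shows up as a failed peering or a rejected environment-data request rather than a configuration error.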
ISE SXP Configuration
Global SXP password configuration
Work Centers > TrustSec > Settings > SXP Settings
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-29.jpeg)
Add SXP device
Work Centers > TrustSec > SXP > SXP Devices > Add
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-30.jpeg)
SXP Verification
ISE SXP verification
Work Centers > TrustSec > SXP > SXP Devices
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-31.jpeg)
ISE SXP Mappings
Work Centers > TrustSec > SXP > All SXP Mappings
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-32.jpeg)
ASDM SXP verification
Monitoring > Properties > Identity by TrustSec > SXP Connections
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-33.jpeg)
ASDM learned SXP IP-to-SGT mappings
Monitoring > Properties > Identity by TrustSec > IP Mappings
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-34.jpeg)
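The same checks from the ASA CLI, added here as an example and not taken from the original document. These show commands mirror the four ASDM monitoring pages used in this section (PAC, Environment Data, SXP Connections, IP Mappings); the page does not reproduce their output, so none is shown here.

```cisco
! Added example: CLI verification matching the ASDM monitoring pages above
! PAC imported from ISE (validity dates, A-ID of the issuing ISE)
show cts pac
! Environment data pulled over RADIUS: security group names and SGT numbers
show cts environment-data
! SXP peering with ISE: peer 14.36.143.223, local role listener, connection state
show cts sxp connections
! IP-to-SGT bindings learned from the ISE speaker over SXP
show cts sxp sgt-map
```

If `show cts sxp connections` lists the ISE peer but the connection is not up, check the SXP default password and that TCP 64999 from the ASA source IP to ISE is permitted; if the connection is up but `show cts sxp sgt-map` is empty, the bindings were never published on the ISE side (Work Centers > TrustSec > SXP > All SXP Mappings).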
Packet capture taken on ISE
![](/c/dam/en/us/support/docs/security/identity-services-engine/212202-configure-trustsec-sxp-between-ise-and-a-35.jpeg)