Generate The Pac File; Guidelines For Cisco Trustsec - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 6
ASA and Cisco TrustSec
2. Choose Policy > Policy Elements > Results > Security Group Access > Security Group.
3. Add a security group for the ASA. (Security groups are global and not ASA specific.)
   The ISE creates an entry under Security Groups with a tag.
4. In the Security Group Access area, configure device ID credentials and a password for the ASA.

Generate the PAC File

To generate the PAC file, perform the following steps:
1. Log into the ISE.
2. Choose Administration > Network Resources > Network Devices.
3. From the list of devices, choose the ASA.
4. Under the Security Group Access (SGA), click Generate PAC.
5. To encrypt the PAC file, enter a password.
   The password (or encryption key) that you enter to encrypt the PAC file is independent of the
   password that was configured on the ISE as part of the device credentials.

The ISE generates the PAC file. The ASA can import the PAC file from flash or from a remote server via
TFTP, FTP, HTTP, HTTPS, or SMB. (The PAC file does not have to reside on the ASA flash before you
can import it.)

Note: The PAC file includes a shared key that allows the ASA and ISE to secure the RADIUS transactions that
occur between them. For this reason, make sure that you store it securely on the ASA.

Guidelines for Cisco TrustSec

This section includes the guidelines and limitations that you should review before configuring Cisco
TrustSec.

Failover
- Supports a list of servers via configuration. If the first server is unreachable, the ASA tries to contact
  the second server in the list, and so on. However, the server list downloaded as part of the Cisco
  TrustSec environment data is ignored.
- When the ASA is part of a failover configuration, you must import the PAC file to the primary ASA
  device.
- When the ASA is part of a failover configuration, you must refresh the environment data on the
  primary ASA device.

Clustering
- When the ASA is part of a clustering configuration, you must import the PAC file to the master unit.
- When the ASA is part of a clustering configuration, you must refresh the environment data on the
  master unit.
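
The import and environment-data refresh that these guidelines place on the primary or master unit, sketched as ASA CLI. This is an added example, not taken from the original guide: the file name, the host pac-host.example.com and the password placeholder are constructed, and the password is the PAC encryption password entered when generating the file on the ISE, not the device credentials password.

```cisco
! Run on the primary unit (failover) or the master unit (clustering).
configure terminal
!
! Use ONE of the two import forms below.
! Form A: the PAC file has already been copied to flash (constructed file name).
cts import-pac disk0:/asa.pac password <pac-encryption-password>
!
! Form B: import directly from a remote server (constructed host and path).
! HTTPS is chosen here over TFTP, FTP or HTTP because those carry the file
! unencrypted on the wire; the file holds the key protecting RADIUS traffic.
cts import-pac https://pac-host.example.com/pacs/asa.pac password <pac-encryption-password>
!
! Confirm that the PAC was accepted and check its expiry.
show cts pac
!
! Refresh the TrustSec environment data from the ISE, then verify it.
cts refresh environment-data
show cts environment-data
```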
Cisco ASA Series Firewall CLI Configuration Guide