Cisco Secure Access effectively secures user access in today's complex, hybrid work environments by providing frictionless access to the internet, SaaS applications and private resources via:
The newest integration point within Cisco Secure Access is with Identity Services Engine (ISE), which enables the sharing of Security Group Tags (SGTs) so that Secure Access can enforce policy consistently with a Cisco TrustSec network.
Security Group Tags (SGTs) are 16-bit labels assigned to a user or device based on security criteria, typically by user group or job function (e.g. Contractors, Employees). Because the tag, rather than a source address, identifies the user, a specific policy follows that user throughout the network, and organizations can apply consistent policy to a group of users without relying on ACLs or VLAN segmentation.
SGTs specify the privileges of a traffic source within the trusted network. A feature called Security Group Access applies the SGT attribute to packets as they enter the network, so the tag travels with the traffic.
Secure Access can now carry SGTs through network tunnels, which lets admins write policy inside Secure Access based on SGT data as the traffic flows in-line.
These SGTs correspond to a user's assigned security group within ISE or TrustSec. Once ISE is configured as an identity source in Secure Access, Secure Access can use SGTs to filter traffic, creating context-aware security enforcement and allowing admins to build simple, yet granular, policy controls for internet and SaaS access by branch users.
Typical use cases for this context-aware enforcement are guest users, employees or IoT networks behind a Catalyst SD-WAN branch that require secure access to internet and SaaS applications through Cisco Secure Access.
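To make the "policy follows the user" point concrete, here is an added example (not code from the original post, Cisco, or ModernCyber) that models a tag-keyed policy evaluation next to an address-keyed ACL. The tag values, group names, rules, subnets and sample flows are all constructed for the demonstration; the only real conventions assumed are that the SGT is a 16-bit field and that tag 0 (Unknown) and 0xFFFF (ANY) are reserved in TrustSec. The same guest user is evaluated from two different branch subnets: the SGT rule reaches the same decision in both places, while the IP-keyed ACL only matches in the subnet it was written for.

```python
"""Added example (not part of the original post): a minimal model of
SGT-based policy evaluation, showing how a tag-keyed rule follows the
user across subnets where an IP-keyed ACL does not.  Tag values, group
names, rules, subnets and sample flows are constructed for illustration
and are not taken from any real deployment."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed tag assignments.  SGTs are 16-bit; 0 and 0xFFFF are treated
# as reserved, following TrustSec's Unknown / ANY convention.
SGT_UNKNOWN = 0
SGT_ANY = 0xFFFF
SGT_EMPLOYEES = 4
SGT_CONTRACTORS = 5
SGT_GUESTS = 6


def validate_sgt(tag: int) -> int:
    """Reject anything that does not fit the 16-bit SGT field."""
    if not 0 <= tag <= 0xFFFF:
        raise ValueError(f"SGT {tag} is outside the 16-bit range")
    return tag


@dataclass(frozen=True)
class Flow:
    src_ip: str       # source address seen at the cloud edge
    sgt: int          # tag carried with the traffic through the tunnel
    destination: str  # destination category label (constructed)


# Tag-keyed rules: (sgt, destination category, action), first match wins.
# SGT_ANY matches every tag and "*" matches every destination.
SGT_RULES = [
    (SGT_GUESTS, "internal-saas", "block"),
    (SGT_CONTRACTORS, "file-sharing", "block"),
    (SGT_ANY, "malware", "block"),
    (SGT_ANY, "*", "allow"),
]


def evaluate_sgt_policy(flow: Flow) -> str:
    """First-match evaluation keyed on the SGT, independent of source IP."""
    tag = validate_sgt(flow.sgt)
    if tag == SGT_UNKNOWN:
        return "block"  # untagged traffic earns no group-based privilege
    for rule_sgt, dest, action in SGT_RULES:
        if rule_sgt in (SGT_ANY, tag) and dest in ("*", flow.destination):
            return action
    return "block"  # implicit deny if nothing matched


# Address-keyed ACL for comparison: the guest rule only covers the one
# subnet the admin knew guests would be on when it was written.
ACL_RULES = [
    (ip_network("10.10.50.0/24"), "internal-saas", "block"),
    (ip_network("0.0.0.0/0"), "*", "allow"),
]


def evaluate_acl(flow: Flow) -> str:
    """First-match evaluation keyed on the source subnet."""
    src = ip_address(flow.src_ip)
    for net, dest, action in ACL_RULES:
        if src in net and dest in ("*", flow.destination):
            return action
    return "block"


def compare(flow: Flow) -> tuple:
    """Return (SGT decision, ACL decision) for one flow."""
    return evaluate_sgt_policy(flow), evaluate_acl(flow)


if __name__ == "__main__":
    # Same guest, two branches: the tag-based decision is identical, the
    # ACL decision changes because the source subnet changed.
    guest_home_branch = Flow("10.10.50.23", SGT_GUESTS, "internal-saas")
    guest_other_branch = Flow("10.20.50.23", SGT_GUESTS, "internal-saas")
    for f in (guest_home_branch, guest_other_branch):
        print(f.src_ip, "sgt/acl ->", compare(f))
```

The untagged (SGT 0) branch in `evaluate_sgt_policy` is the edge case worth keeping in mind when building real rules: traffic that arrives without a tag should not silently inherit the most permissive group, so the model falls through to block rather than matching the `SGT_ANY` allow rule.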
Prerequisites for ISE SGT Integration with Secure Access:
To enable this integration, the organization must have the following deployed in the environment:
What is pxGrid Cloud?
Cisco pxGrid Cloud is a cloud-based solution that enables you to share contextual information between on-premises applications, such as Cisco ISE, and cloud-based solutions, such as Cisco Secure Access, without compromising the security of your network.
The pxGrid framework allows organizations to exchange contextual information with pxGrid-supported Cisco solutions as well as ecosystem partners.
pxGrid is an open framework that supports standards-based APIs and protocols, which allows it to easily integrate with both Cisco and third-party security solutions.
pxGrid is now offered as a cloud service so that security SaaS solutions can integrate with ISE for context exchange and threat mitigation. pxGrid Cloud gives organizations seamless data integration between cloud applications and on-premises ISE deployments.
pxGrid Cloud is customizable, enabling you to share and consume only the data relevant to your organization.
How does the integration work?
At a high level, for ISE to share SGTs with Cisco Secure Access, ISE must first be connected to Cisco pxGrid Cloud.
From there, admins would enable the Security Cloud Exchange in Cisco Secure Access.
The next step would be to integrate Cisco ISE with Cisco Secure Access and verify security group tags in Cisco Secure Access.
Once integrated, you would then incorporate SGTs into your access policy rules in Secure Access.
In summary, integrating ISE with Secure Access allows rich contextual data and consistent, secure policy to be extended into your Access Policies in Secure Access.
To learn more about using ModernCyber's Professional Services to deploy ISE and Cisco Secure Access integrations, please reach out to the ModernCyber team about our Consulting, Deployment, and Enablement Services!