Cisco ASA Series Cli Configuration Manual page 547

Software version 9.0 for the services module
Chapter 1
Configuring Objects
Configuring Security Group Object Groups
You can create security group object groups for use in features that support Cisco TrustSec, for example by including the group in an extended ACL, which in turn can be used in an access rule.

When integrated with Cisco TrustSec, the ASA downloads security group information from the ISE. The ISE acts as an identity repository by providing the Cisco TrustSec tag to user identity mapping and the Cisco TrustSec tag to server resource mapping. You provision and manage security group access lists centrally on the ISE.

However, the ASA might have localized network resources that are not defined globally and that require local security groups with localized security policies. Local security groups can contain nested security groups that are downloaded from the ISE. The ASA consolidates local and central security groups.

To create local security groups on the ASA, you create a local security object group. A local security object group can contain one or more nested security object groups, Security IDs, or security group names. You can also create a new Security ID or security group name that does not yet exist on the ASA.

You can use the security object groups you create on the ASA to control access to network resources. You can use the security object group as part of an access group or service policy.
Prerequisites

See Chapter 1, "Configuring the ASA to Integrate with Cisco TrustSec," to enable TrustSec.

Detailed Steps

Step 1

Command:
object-group security objgrp_name

Example:
hostname(config)# object-group security mktg-sg

Purpose:
Creates a security group object, where objgrp_name is the name for the group entered as a 32-byte case-sensitive string. The objgrp_name can contain any character including [a-z], [A-Z], [0-9], [!@#$%^&()-_{}. ].

Step 2

Command:
Add one or more of the following group members:
security-group {tag sgt# | name sg_name}

Example:
hostname(config)# security-group name mktg

Purpose:
Specifies the type of security group object as either an inline tag or a named object.

tag sgt#: Enter a number from 1 to 65533 for a Tag security type.

name sg_name: Enter a 32-byte case-sensitive string for a Name security type. The sg_name can contain any character including [a-z], [A-Z], [0-9], [!@#$%^&()-_{}. ].

An SGT is assigned to a device through IEEE 802.1X authentication, web authentication, or MAC authentication bypass (MAB) by the ISE. Security group names are created on the ISE and provide user-friendly names for security groups. The security group table maps SGTs to security group names.

Cisco ASA Series CLI Configuration Guide, Configuring Objects, page 1-13
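As an added example (not taken from the guide), the two steps above carried through to a usable policy: a local security group object holding one ISE-defined name and one inline tag, a second local group that nests the first, and the nested group referenced as the source security-group argument of an extended ACL that is then applied to an interface. The group names, the tag value 10, the ACL name and the interface name are constructed; the group-object nesting line and the object-group-security and access-group usage lines are the ASA's standard nesting and ACL syntax as I know it, not commands quoted from this page.

```text
! Constructed example: a local security group object with a named member
! (created on the ISE) and an inline tag (1-65533). Both member forms may
! appear in the same group.
object-group security mktg-sg
 security-group name mktg
 security-group tag 10
!
! A second local group that nests the first (group-object is the ASA's
! nested-group command) and adds another name. A name that does not yet
! exist on the ASA is accepted, as Step 2 states.
object-group security staff-sg
 group-object mktg-sg
 security-group name eng
!
! Reference the consolidated group in an extended ACE: the security-group
! argument (object-group-security) comes before the address argument it
! qualifies, so "object-group-security staff-sg any" is the source and
! "any eq https" is the destination. Finish with an explicit logged deny
! so unmatched traffic is visible, then bind the ACL as an access rule.
access-list INSIDE_IN extended permit tcp object-group-security staff-sg any any eq https
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
```

Because the ASA consolidates local and ISE-provided groups, the ACE above matches traffic whose source SGT resolves to mktg, eng, or tag 10, whichever way the SGT was assigned (802.1X, web authentication, or MAB). When auditing such a policy, check the security group table on the ASA so that a name used in a local group actually resolves to the tag you expect.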