An engineer is deploying Cisco ISE in a network that contains an existing Cisco Secure Firewall ASA. The customer requested that Cisco TrustSec be configured so that Cisco ISE and the firewall can share SGT information.
Which protocol must be configured on Cisco ISE to meet the requirement?
Answer(s): D
Explanation:
Cisco TrustSec uses Security Group Tags (SGTs) to implement security policies based on user roles and access permissions. To share SGT information between Cisco ISE and Cisco Secure Firewall ASA, the SGT Exchange Protocol (SXP) must be configured.
SXP: This protocol is specifically designed to exchange SGT information between devices that cannot propagate SGTs natively in their data plane (like ASA firewalls).
pxGrid: While it facilitates integration and sharing of policy information, it is not used for SGT propagation.
RADIUS: Used for authentication, authorization, and accounting, but not for SGT information sharing.
PAC (Protected Access Credential): Relevant for EAP-FAST authentication, not for SGT exchange.
By configuring SXP on both Cisco ISE and the ASA firewall, SGT mappings can be securely shared, allowing the firewall to enforce TrustSec policies.