topic ISE Inline Posture and SGT in Network Access Control

ISE Inline Posture and SGT

valrerod — Mon, 11 Mar 2019 03:56:22 GMT

ISE Experts,

I'm doing research preparing for an SGT deployment.

We have Cisco ASA for VPN and iPEP for Posture enforecement.

The questions are:

1) Does iPEP support SGT?

2) Can I utilize SGT for VPN users?

Thanks,

Val

ISE Inline Posture and SGT

aqjaved — Mon, 30 Sep 2013 16:52:53 GMT

The Cisco TrustSec (CTS) architecture secures networks by establishing domains of trusted network devices. Once a network device authenticates with the network, the communication on the links between devices in the cloud is secured with a combination of encryption, message integrity checks, and replay protection mechanisms.

CTS use the user and device identification information acquired during the authentication phase to classify packets as they enter the network. CTS maintains classification of each packet or frame by tagging it with a security group tag (SGT) on ingress to the network so that it can be identified for applying security and other policy criteria along the data path. The tags allow network intermediaries such as switches and firewalls to enforce access control policy based on the classification.

Please check the below links which may be helpful for you in configurations:

Link-1

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_sga_pol.pdf

Using Ipep for SGT probably

Gurudatt Pai — Wed, 04 Jun 2014 09:21:55 GMT

Using Ipep for SGT probably is not a use case that we've seen so far and i cant be sure if it was tested.

However with ASA 9.2 you can enforce SGT based policies on the VPN users without needing an Ipep.

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117694-config-asa-00.html

Regards,

Gurudatt

ISE Escalation engineer | CCIE#28227

Cisco systems.

Here , in this scenario , I

Saurav Lodh — Thu, 05 Jun 2014 09:26:38 GMT

Here , in this scenario , I think the PSN would support SGT over ASA, not ipep

Hi,As we know that SGT is

abwahid — Thu, 05 Jun 2014 11:46:38 GMT

Hi,

As we know that SGT is Cisco-proprietary tagging system.
we just need to confirm before deployment, does NAD devices support SGT ?
so with ASA 9.2 you can use SGT for VPN users.

As per my understanding iPEP is another part it would not have any issue
with SGT enforcement policies.

Ipep would not be needed if

Gurudatt Pai — Tue, 10 Jun 2014 04:46:56 GMT

Ipep would not be needed if you use the tech note i pointed too. More over ,Ipep was a solution that was needed for VPN scenarios when ASA was not capable of supporting COA. Now with 9.2 since we do and this architecture is a more elegant solution than adding another hop (provided you're in Routed mode).