https://community.cisco.com/t5/network-access-control/trustsec-and-areohive-wireless/m-p/3474683#M493328 <HTML><HEAD></HEAD><BODY><P style="font-size: 13.3333px;">I have a customer who is implementing Cisco Trustsec with ISE as the authenticator. The Areohive wireless is authenticating against ISE.</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">The Areohive APs are plugged in to a Cisco 3650 switch, is it possible to assign a SGT to en endpoint on the wireless network and add the tag as they enter the trustsec domain? </P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">Thank You,</P><P style="font-size: 13.3333px;">-Cor</P></BODY></HTML> Mon, 11 Mar 2019 07:09:19 GMT Cory Peterson 2019-03-11T07:09:19Z https://community.cisco.com/t5/network-access-control/trustsec-and-areohive-wireless/m-p/3474683#M493328 <HTML><HEAD></HEAD><BODY><P style="font-size: 13.3333px;">I have a customer who is implementing Cisco Trustsec with ISE as the authenticator. The Areohive wireless is authenticating against ISE.</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">The Areohive APs are plugged in to a Cisco 3650 switch, is it possible to assign a SGT to en endpoint on the wireless network and add the tag as they enter the trustsec domain? </P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">Thank You,</P><P style="font-size: 13.3333px;">-Cor</P></BODY></HTML> Mon, 11 Mar 2019 07:09:19 GMT https://community.cisco.com/t5/network-access-control/trustsec-and-areohive-wireless/m-p/3474683#M493328 Cory Peterson 2019-03-11T07:09:19Z https://community.cisco.com/t5/network-access-control/trustsec-and-areohive-wireless/m-p/3474684#M493331 <HTML><HEAD></HEAD><BODY><P>Hi Cory,</P><P>interesting that the Aerohive is not listed in the ISE compatibility guide and you say you are authenticating against ISE:</P><P><A href="http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html" title="http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html">http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html</A></P><P></P><P>If you were indeed authenticating wireless users against ISE, (and accounting is operational in order to build a complete session in ISE), then SXP could be used on ISE to forward the IP-SGT mapping towards an enforcement point.</P><P></P><P>However, I am concerned that the AP is not compatible as I do not see it in the matrix. Therefore, what you could do is add VLAN-SGT mapping on the 3650. Each wireless SSID, mapped to a VLAN, can have SGT's assigned on the 3650 via static VLAN-SGT mapping.</P><P></P><P>Will that work for you?</P><P></P><P>Regards, Jonothan.</P></BODY></HTML> Fri, 14 Oct 2016 14:17:18 GMT https://community.cisco.com/t5/network-access-control/trustsec-and-areohive-wireless/m-p/3474684#M493331 jeaves@cisco.com 2016-10-14T14:17:18Z https://community.cisco.com/t5/network-access-control/trustsec-and-areohive-wireless/m-p/3474685#M493338 <HTML><HEAD></HEAD><BODY><P>The Areohive is working for basic Radius Authentication and we are able to dynamically change VLANs on the Areohive using Radius attributes in ISE. </P><P></P><P>My suggestion to the client was to use multiple VLANs and VLAN-SGT mappings also, but they did not want to go that route.</P><P></P><P>So I should be able to use the AP Uplink as the enforcement point?</P><P></P><P>Will let you know how it goes. </P><P></P><P>-Cory</P></BODY></HTML> Fri, 14 Oct 2016 14:39:55 GMT https://community.cisco.com/t5/network-access-control/trustsec-and-areohive-wireless/m-p/3474685#M493338 Cory Peterson 2016-10-14T14:39:55Z