https://community.cisco.com/t5/network-access-control/sgt-binding-priority-interface-vs-ise-assigned/m-p/4444972#M568880 <P>Greg,</P><P>&nbsp;</P><P>It works if you use IBNS 2.0 configs:</P><P>&nbsp;</P><P><BR />service-templat APPLY-SGT-100<BR />sgt 100<BR />service-templat APPLY-SGT-200<BR />sgt 200<BR />!<BR />policy-map type control subscriber ISE_AUTH_SGT_100<BR />event authentication-success match-all<BR />10 class always do-until-failure<BR />10 activate service-template APPLY-SGT-100<BR />policy-map type control subscriber ISE_AUTH_SGT_200<BR />event authentication-success match-all<BR />10 class always do-until-failure<BR />10 activate service-template APPLY-SGT-200<BR />!<BR />interface gig 1/0/1<BR />service-policy type control subscriber ISE_AUTH_100<BR />interface gig 1/0/2<BR />service-policy type control subscriber ISE_AUTH_200</P><P>&nbsp;</P><P>ISE will override those settings if you apply SGT tag in ISE.</P> Thu, 05 Aug 2021 15:31:43 GMT paul 2021-08-05T15:31:43Z https://community.cisco.com/t5/network-access-control/sgt-binding-priority-interface-vs-ise-assigned/m-p/4443470#M568830 <P>Question on SGT Binding Source Priority. If I statically assign an SGT to a port, but then assign a SGT via ISE how is that resolved. The example would be I want to statically assign to a port but override the static assignment for the phone that may or may not be plugged into that port. I believe static port SGT and ISE assigned SGT fall into the LOCAL category of the SGT Binding Source Priority.</P> Tue, 03 Aug 2021 13:42:45 GMT https://community.cisco.com/t5/network-access-control/sgt-binding-priority-interface-vs-ise-assigned/m-p/4443470#M568830 paul 2021-08-03T13:42:45Z https://community.cisco.com/t5/network-access-control/sgt-binding-priority-interface-vs-ise-assigned/m-p/4443774#M568835 <P>I don't believe this scenario is possible. L2 interface SGT static assignment is done using the 'cts manual' configuration on the switchport. The switch will not allow configuration of 'cts manual' on an 802.1x enabled switchport.</P> <P>Example:</P> <PRE>sw5(config-if)#cts manual Command rejected (Gi1/0/26): conflict with Dot1x Auth</PRE> Tue, 03 Aug 2021 23:48:44 GMT https://community.cisco.com/t5/network-access-control/sgt-binding-priority-interface-vs-ise-assigned/m-p/4443774#M568835 Greg Gibbs 2021-08-03T23:48:44Z https://community.cisco.com/t5/network-access-control/sgt-binding-priority-interface-vs-ise-assigned/m-p/4444972#M568880 <P>Greg,</P><P>&nbsp;</P><P>It works if you use IBNS 2.0 configs:</P><P>&nbsp;</P><P><BR />service-templat APPLY-SGT-100<BR />sgt 100<BR />service-templat APPLY-SGT-200<BR />sgt 200<BR />!<BR />policy-map type control subscriber ISE_AUTH_SGT_100<BR />event authentication-success match-all<BR />10 class always do-until-failure<BR />10 activate service-template APPLY-SGT-100<BR />policy-map type control subscriber ISE_AUTH_SGT_200<BR />event authentication-success match-all<BR />10 class always do-until-failure<BR />10 activate service-template APPLY-SGT-200<BR />!<BR />interface gig 1/0/1<BR />service-policy type control subscriber ISE_AUTH_100<BR />interface gig 1/0/2<BR />service-policy type control subscriber ISE_AUTH_200</P><P>&nbsp;</P><P>ISE will override those settings if you apply SGT tag in ISE.</P> Thu, 05 Aug 2021 15:31:43 GMT https://community.cisco.com/t5/network-access-control/sgt-binding-priority-interface-vs-ise-assigned/m-p/4444972#M568880 paul 2021-08-05T15:31:43Z https://community.cisco.com/t5/network-access-control/sgt-binding-priority-interface-vs-ise-assigned/m-p/4818528#M581318 <P>Hi<BR />i dont get how do you pass RADIUS assigned SGT to the above policy. from how i can see this whatever SGT will be sent by RADIUS during successful session on the example ports policy will always set the same SGT (either 100 or 200 depending on port)</P> Thu, 20 Apr 2023 11:45:35 GMT https://community.cisco.com/t5/network-access-control/sgt-binding-priority-interface-vs-ise-assigned/m-p/4818528#M581318 Andrii Oliinyk 2023-04-20T11:45:35Z