topic Re: SGT mapping to pxGrid learned users (Citrix TS agent example) in Network Access Control

SGT mapping to pxGrid learned users (Citrix TS agent example)

Istvan Segyik — Wed, 27 Feb 2019 09:04:43 GMT

Dear Colleagues,

I learned yesterday that our Terminal Services agent actually CAN put 'IP:port«»user' mapping data into pxGrid and WSA 11.8 is going to be able to read and use that data along AD group info taken through pxGrid 2.0. At least as far as I understood from the CX NPI training.

However as far as I understood SGT is not mapped to the user. I know that in TrustSec SGT can only be mapped to IP. But if the customer is using SGT aware Firewall or WSA Access rules where SGT is queried along with the user anyway, could we make ISE possible to add SGTs to these TS Agent published mappings somehow? Or could we make TS agent able to handle multiple SGTs and IP addresses and PAT the Virtual Desktop to the IP:SGT pair based on user attributes.

It might be a roadmap item to consider.

Istvan

Re: SGT mapping to pxGrid learned users (Citrix TS agent example)

kthumula — Tue, 05 Mar 2019 18:42:16 GMT

Istvan, very good question. As you said we are working towards a solution or rather I call an agent which would work with MS term sever or Citrix Environment where multiple users coming with a single IP would be allocated an IP per user from the proposed agent. ISE can then assign the SGTs for the users and in turn share those IP-SGT mappings via SXP and pxGrid to the rest of the network.

As far as timelines are concerned I cannot provide an estimate but it is in development.

Re: SGT mapping to pxGrid learned users (Citrix TS agent example)

netadmin111112 — Sun, 30 Jan 2022 11:30:39 GMT

Hi kthumula,

is there any news on this topic?

Is this already possible?

Best regards

Ralph

Re: SGT mapping to pxGrid learned users (Citrix TS agent example)

Mark Elsen — Sun, 30 Jan 2022 15:10:51 GMT

>.... I cannot provide an estimate but it is in development.

Re: SGT mapping to pxGrid learned users (Citrix TS agent example)

wagner — Wed, 02 Mar 2022 18:01:11 GMT

Do you need someone for testing?

Re: SGT mapping to pxGrid learned users (Citrix TS agent example)

thomas — Mon, 07 Mar 2022 00:10:54 GMT

Yes, there is a REST API to map an IP:port to a Username for virtual desktop environments or terminal services for Passive IDentity. See Cisco Identity Services Engine Passive Identity Connector Administrator Guide, Release 3.1 > Providers > API Calls

SGT represent a security group. The security group can represent any group of user or endpoints - it is up to you own how you define it. Typically ISE assigns an SGT based on an 802.1X Authentication but can be from any ISE Authorization Rule.

The terminal service or VDI system needs to send this information to ISE in order for it to propogate the information to a Firewall or WSA or other pxGrid Client.