https://community.cisco.com/t5/software-defined-access-sd-access/sda-closed-authentication-ip-sgt-mapping-delivery/m-p/4655950#M1953 <P>Hi Michal,</P> <P>The Edge switch should be properly provisioned to the Fabric Site, it should have obtained the AAA configuration from DNAC, should be able to reach Cisco ISE, and it should show as a network device on ISE as well.</P> <P>Try running the following commands for validation:</P> <LI-CODE lang="python">show run | sec aaa|radius test aaa group dnac-client-radius-group &lt;user&gt; &lt;password&gt; legacy show authentication sessions interface GiX/Y/Z detail &lt;&lt;&lt; For interfaces connecting to endpoints show cts pacs show cts environment-data show cts role-based sgt-map vrf &lt;vrf or VN name&gt; all det &lt;&lt;&lt;&lt; This should show the IP-SGT mapping for endpoints connected locally at least if any</LI-CODE> <P>If you are having Group-Based Policies configured in DNAC, and clients connected to the Edge belonging to the destination SGT, then you can also run:</P> <LI-CODE lang="python">show cts role-based permissions show cts role-based counters</LI-CODE> <P>&nbsp;I hope this verification helps.</P> <P>Regards,</P> Sat, 23 Jul 2022 14:59:42 GMT andresfr 2022-07-23T14:59:42Z https://community.cisco.com/t5/software-defined-access-sd-access/sda-closed-authentication-ip-sgt-mapping-delivery/m-p/4651072#M1944 <P>I want to use closed authentication on some ports in SDA environment so I've configured appropriate ISE authorization rules with SGT included. Authorization works fine but it seems EDGE switches are not aware of IP-SGT mappings. How EDGE switch could know about IP-SGT mapping when SGT is applied by ISE authorization rule?</P> Fri, 15 Jul 2022 08:55:01 GMT https://community.cisco.com/t5/software-defined-access-sd-access/sda-closed-authentication-ip-sgt-mapping-delivery/m-p/4651072#M1944 Michal Rzepecki 2022-07-15T08:55:01Z https://community.cisco.com/t5/software-defined-access-sd-access/sda-closed-authentication-ip-sgt-mapping-delivery/m-p/4654228#M1949 <P>Hello,</P> <P>The IP-SGT mapping should be provided from the authorization policy from ISE. IP is provided in the form of IP pool and also ISE provides the SGT membership according the succesfull authorization.</P> <P>Marek</P> Wed, 20 Jul 2022 21:59:37 GMT https://community.cisco.com/t5/software-defined-access-sd-access/sda-closed-authentication-ip-sgt-mapping-delivery/m-p/4654228#M1949 marek.golha 2022-07-20T21:59:37Z https://community.cisco.com/t5/software-defined-access-sd-access/sda-closed-authentication-ip-sgt-mapping-delivery/m-p/4655950#M1953 <P>Hi Michal,</P> <P>The Edge switch should be properly provisioned to the Fabric Site, it should have obtained the AAA configuration from DNAC, should be able to reach Cisco ISE, and it should show as a network device on ISE as well.</P> <P>Try running the following commands for validation:</P> <LI-CODE lang="python">show run | sec aaa|radius test aaa group dnac-client-radius-group &lt;user&gt; &lt;password&gt; legacy show authentication sessions interface GiX/Y/Z detail &lt;&lt;&lt; For interfaces connecting to endpoints show cts pacs show cts environment-data show cts role-based sgt-map vrf &lt;vrf or VN name&gt; all det &lt;&lt;&lt;&lt; This should show the IP-SGT mapping for endpoints connected locally at least if any</LI-CODE> <P>If you are having Group-Based Policies configured in DNAC, and clients connected to the Edge belonging to the destination SGT, then you can also run:</P> <LI-CODE lang="python">show cts role-based permissions show cts role-based counters</LI-CODE> <P>&nbsp;I hope this verification helps.</P> <P>Regards,</P> Sat, 23 Jul 2022 14:59:42 GMT https://community.cisco.com/t5/software-defined-access-sd-access/sda-closed-authentication-ip-sgt-mapping-delivery/m-p/4655950#M1953 andresfr 2022-07-23T14:59:42Z