Solved: Cisco ISE Security Group and Virtual network.

percybrathwaite · ‎11-05-2019

Where do you define the "Virtual Network" that is associated with the Security Group shown in the policy results configuration?

Mike.Cifelli · ‎11-05-2019

If your ISE cluster is integrated with DNAC for SDA you have to ensure that the host onboarding auth policy unique string matches in your ISE authz profiles otherwise your anycast GW will not come up. When you assign IP pools to your VNs under host onboarding you will see something like this: 192_168_0_0-Network1. You can then copy this string and paste it in your authz profile under the vlan check box. Then in your authz policy assign that profile and select the SGT you wish to assign under authz results. Good luck & HTH!

View solution in original post

JohnNewman7082 · ‎11-05-2019

This is part of SDA:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/sda-sdg-2019oct.pdf

Mike.Cifelli · ‎11-05-2019

If your ISE cluster is integrated with DNAC for SDA you have to ensure that the host onboarding auth policy unique string matches in your ISE authz profiles otherwise your anycast GW will not come up. When you assign IP pools to your VNs under host onboarding you will see something like this: 192_168_0_0-Network1. You can then copy this string and paste it in your authz profile under the vlan check box. Then in your authz policy assign that profile and select the SGT you wish to assign under authz results. Good luck & HTH!