Cisco ISE with Microsoft Always on

Is there any way we can have ISE integrate with an always-on VPN? Here is what I have in mind:


User John is part of HR; when he connects to the VPN he will get an IP from 10.10.x.x.

User Bob is part of IT; he will get an IP from 10.10.y.y.


The main reason I need this is so we can use SGT-to-IP mapping to enforce policies for users connected to the VPN.

If ISE is your AAA/RADIUS server for your VPN users, you assign an SGT for group-based policy enforcement by your VPN. This happens as part of the Authorization Policy with the RADIUS Access-Accept and authorization attributes.

If you have pxGrid configured, ISE will share the IP-to-SGT mapping (IP learned from VPN by RADIUS accounting and SGT from authorization profile) to the pxGrid-registered SXP peers.

See User to DC Access Control Design Guide for the general design and process.
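
The binding described in the reply above (SGT from the authorization result, IP learned from RADIUS accounting), as an added example that is not part of the original thread and is not ISE code. It is a simplified Python model; the `session` correlation key, the event dictionaries, the assumed `cts:security-group-tag=<hex>-<generation>` AV-pair encoding and all sample values are constructed assumptions.

```python
import re

# Assumed encoding: SGT as hex in a Cisco AV pair, followed by a generation id.
SGT_AVPAIR = re.compile(r"cts:security-group-tag=([0-9a-fA-F]{1,4})-")

def build_bindings(events):
    """Replay RADIUS events in order and return {ip: (user, sgt)}."""
    authorized = {}   # session -> (user, sgt) taken from the Access-Accept
    session_ip = {}   # session -> IP currently bound for that session
    bindings = {}     # ip -> (user, sgt): what would be shared with peers
    for ev in events:
        sid = ev["session"]
        if ev["type"] == "Access-Accept":
            m = SGT_AVPAIR.search(ev.get("cisco-av-pair", ""))
            if m:  # no SGT in the authorization result means no binding later
                authorized[sid] = (ev["User-Name"], int(m.group(1), 16))
        elif ev["type"] == "Accounting-Request":
            status = ev["Acct-Status-Type"]
            if status in ("Start", "Interim-Update"):
                ip = ev.get("Framed-IP-Address")
                if sid in authorized and ip:
                    old = session_ip.get(sid)
                    if old and old != ip:
                        bindings.pop(old, None)  # address changed mid-session
                    session_ip[sid] = ip
                    bindings[ip] = authorized[sid]
            elif status == "Stop":
                ip = session_ip.pop(sid, None)
                if ip:
                    bindings.pop(ip, None)  # mapping must not outlive the session
                authorized.pop(sid, None)
    return bindings

# Constructed sample events (users, SGT values, addresses, session ids are made up).
SAMPLE = [
    {"type": "Access-Accept", "session": "s1", "User-Name": "john",
     "cisco-av-pair": "cts:security-group-tag=0004-00"},
    {"type": "Accounting-Request", "session": "s1", "Acct-Status-Type": "Start",
     "Framed-IP-Address": "10.10.1.20"},
    {"type": "Access-Accept", "session": "s2", "User-Name": "bob",
     "cisco-av-pair": "cts:security-group-tag=0005-00"},
    {"type": "Accounting-Request", "session": "s2", "Acct-Status-Type": "Start",
     "Framed-IP-Address": "10.10.2.30"},
    {"type": "Accounting-Request", "session": "s1", "Acct-Status-Type": "Stop"},
]

if __name__ == "__main__":
    for ip, (user, sgt) in build_bindings(SAMPLE).items():
        print(ip, user, sgt)
```

In this model the SGT follows the user's authorization result and the address is whatever accounting reports, and the Stop record removes the mapping so a reassigned address does not inherit the previous user's tag.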

