07-02-2025 10:23 AM
Hi everyone,
According to the Advanced Security Group Tags presentation (BRKSEC-3707) from Cisco Live San Diego 2025, RADIUS accounting data must be formatted in a way that Cisco ISE can interpret in order to successfully bind a user's IP address to their associated SGT.
Could someone point me to an official Cisco document or guide that explains this requirement in detail?
Best regards,
07-03-2025 09:57 AM - edited 07-03-2025 09:59 AM
Thanks. Your provided link helped me to understand the problem.
To help ISE assign an IP-SGT to a client/user session, it must have at least two pieces of information: 1) MAC address, 2) IP address. The IP address is reported to ISE by the participating NAD through a RADIUS Accounting Request message, and to enable the NAD to do so, it must have some technology that helps it find the IP address of the endpoint (Cisco switches do this through the (IP) Device Tracking feature). The second part of the equation involves forcing the NAD to report the required information. On Cisco switches you must execute two commands to accomplish this: 1) radius-server attribute 8 include-in-access-request, 2) (optional command in newer platforms) radius-server vsa send accounting.
Without these configurations, ISE cannot correlate IPs to endpoints, breaking dynamic SGT assignment and TrustSec enforcement.
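A way to check a captured Accounting-Request for the two fields described above, as an added example that is not part of the original posts or any Cisco tooling. It assumes the endpoint MAC is carried in Calling-Station-Id (attribute 31) and the IP in Framed-IP-Address (attribute 8); the function names and sample packets are constructed for illustration, and the Request Authenticator is not verified.

```python
import socket
import struct

ACCOUNTING_REQUEST = 4    # RADIUS packet code for Accounting-Request
FRAMED_IP_ADDRESS = 8     # "attribute 8" from the post above
CALLING_STATION_ID = 31   # assumed carrier of the endpoint MAC

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: [raw values]} after validating all lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match captured data")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def binding_fields(packet: bytes):
    """Return (mac, ip, missing) where missing names the absent fields."""
    attrs = parse_attributes(packet)
    mac = ip = None
    if CALLING_STATION_ID in attrs:
        mac = attrs[CALLING_STATION_ID][0].decode("ascii", "replace")
    values = attrs.get(FRAMED_IP_ADDRESS)
    if values and len(values[0]) == 4:
        ip = socket.inet_ntoa(values[0])
    fields = (("Calling-Station-Id", mac), ("Framed-IP-Address", ip))
    return mac, ip, [name for name, value in fields if value is None]

def build_sample(attrs) -> bytes:
    """Build a constructed Accounting-Request with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body))
    return header + bytes(16) + body

# Constructed samples: one usable for an IP-to-endpoint binding, one not.
SAMPLE_MAC = b"AA-BB-CC-00-11-22"
WITH_IP = build_sample([(31, SAMPLE_MAC), (8, socket.inet_aton("192.0.2.10"))])
WITHOUT_IP = build_sample([(31, SAMPLE_MAC)])
```

Running binding_fields over Accounting-Request payloads exported from a capture on the NAD-to-ISE path shows which sessions arrive without an IP address.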
07-03-2025 08:41 AM