SD Access dynamic SGT, VN and IP pool assignment

KevinR99
Level 1

I have an SDA lab and am testing dynamic assignment of SGT, VN and address pool.  I have one SSID and I want different AD users to be assigned to different VNs, pools and SGTs.

DNAC is my point of administration of my TrustSec policy.  When I create an SGT in DNAC I assign it to two VNs, call them Corp and Guests.  I was then expecting to go to ISE and see this SGT and its associated VNs propagated from DNAC via pxGrid.  However, I see the SGT but not the associated VNs.  So when I then try to create an authorization profile, for example Corp-user, I then want to assign them to the Corp VN and choose one of the pools allocated to that VN.  However, when I create the authz profile and go to Common tasks and tick Security Group, I can select my SGT but the Virtual Network drop-down box is empty.

I tried to resync the policy data in DNAC - Overview - Configurations - Policy settings but nothing changes. 

Is there some additional config I need to do to propagate the SGT-to-VN information to ISE so that I can use it in authz rules?

I can actually see that someone seems to have tested this before and there are authz profiles already doing this function, and the VNs an SGT is assigned to in DNAC are available in the Virtual Networks drop-down box.  I suspect this was a previous employee's work.

As usual, thanks for any input.

3 Replies

KevinR99
Level 1

I found this in the DNAC 2.3.4 user guide.

"When Cisco DNA Center 2.3.3 or later is integrated with Cisco ISE 3.2 or later, security groups are not associated with virtual networks. Hence, the Virtual Networks field is not displayed for these releases. However, if you are using Cisco ISE 3.1 or earlier releases, the security group and virtual network association details are displayed."

This would seem to explain the lack of VN info in ISE.  In which case, how do I create an authz profile that assigns a VN and/or address pool?  When I tick Security Group in the Common tasks area I have the drop-down box to select the SGT, then VN, but there is nothing to select in VN and no option to select an address pool.

Kev.

Greg Gibbs
Cisco Employee

ISE technically never understood or was aware of the VXLAN VN and IP Pool concepts. I believe this was removed in recent versions of ISE as it was actually found to be more restrictive and inflexible.

On the SDA side, the IP Pool would have a 1:1 relationship with the VLAN, so you would use the dynamic VLAN assignment in combination with the SGT in the ISE AuthZ Profile.

KevinR99
Level 1

Thanks Greg.

I've managed to test this and it works fine, with the only thing being that using a VLAN ID doesn't seem to work.  Instead I had to use the VLAN name.  However, I was able to assign a VLAN and SGT successfully and test my TrustSec policies.

Thanks for your input.  Kev.
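As an added illustration of the two points above (Greg's advice to combine dynamic VLAN assignment with the SGT in the AuthZ profile, and Kev's finding that the VLAN had to be passed by name), the following is what that authorization result looks like on the wire. This is example code written for this page, not Cisco's or ISE's own; the attribute numbers and the tagged tunnel-attribute layout are from RFC 2865/2868/3580, and the `cts:security-group-tag=<hex SGT>-<generation>` cisco-av-pair is the form ISE sends. The VLAN name `Corp_Users`, the SGT value 5 and the numeric VLAN `1021` are constructed sample data. The encoder shows that Tunnel-Private-Group-ID is an opaque string either way, so whether the edge node resolves a number, a name, or both is a NAS-side decision; the checker validates the triplet the switch needs before it will move the port, which is the first thing to look at when an assignment "doesn't seem to work".

```python
"""Encode and sanity-check the RADIUS Access-Accept attributes that an ISE
authorization profile with 'VLAN = <name>' plus 'Security Group = <SGT>'
returns.  Added example; attribute layout per RFC 2865/2868/3580, the
cisco-av-pair form per ISE's TrustSec integration.  Sample VLAN names and
SGT values below are invented."""
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9              # IANA enterprise number for Cisco
CISCO_AVPAIR = 1              # Cisco VSA sub-type carrying "cisco-av-pair"

TUNNEL_TYPE_VLAN = 13         # RFC 3580: VLAN
TUNNEL_MEDIUM_802 = 6         # RFC 3580: IEEE-802
DEFAULT_TAG = 1               # tag byte that groups the three tunnel attributes


def avp(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: type (1 byte), length incl. header (1 byte), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(atype: int, tag: int, value: int) -> bytes:
    # RFC 2868 tagged integer: 1-byte tag followed by a 24-bit value
    return avp(atype, bytes([tag]) + value.to_bytes(3, "big"))


def cisco_avpair(text: str) -> bytes:
    # Vendor-Specific: 4-byte vendor id, then a vendor sub-attribute TLV
    inner = avp(CISCO_AVPAIR, text.encode())
    return avp(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)


def build_authz(vlan: str, sgt: int, gen: int = 0, tag: int = DEFAULT_TAG) -> bytes:
    """Attributes for 'assign VLAN <vlan> and SGT <sgt>'.  `vlan` is sent as
    text, so a name like 'Corp_Users' and a number like '1021' are encoded
    identically; interpretation is up to the NAS."""
    if not 0 < sgt < 0xFFFF:
        raise ValueError("SGT must be a 16-bit value")
    return b"".join([
        tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN),
        tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802),
        avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode()),
        cisco_avpair(f"cts:security-group-tag={sgt:04x}-{gen:02x}"),
    ])


def parse_attrs(data: bytes) -> list:
    """Split a RADIUS attribute list into (type, value) pairs."""
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def check_authz(data: bytes) -> dict:
    """Return the VLAN string and SGT the NAS would apply; raise if the
    VLAN triplet is missing, not 802.1Q, or its tags disagree."""
    found, sgt = {}, None
    for atype, val in parse_attrs(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = (val[0], int.from_bytes(val[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # leading byte 0x01..0x1F is a tag; anything else is data (RFC 2868)
            tag, text = (val[0], val[1:]) if val and val[0] <= 0x1F else (0, val)
            found[atype] = (tag, text.decode())
        elif atype == VENDOR_SPECIFIC and val[:4] == struct.pack("!I", VENDOR_CISCO):
            for sub, text in parse_attrs(val[4:]):
                if sub == CISCO_AVPAIR and text.startswith(b"cts:security-group-tag="):
                    sgt_hex, _, _gen = text.split(b"=", 1)[1].partition(b"-")
                    sgt = int(sgt_hex, 16)
    missing = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID} - found.keys()
    if missing:
        raise ValueError(f"incomplete VLAN assignment, missing attrs {sorted(missing)}")
    if found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN or found[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_802:
        raise ValueError("tunnel attributes do not describe an 802.1Q VLAN")
    if len({t for t, _ in found.values()}) != 1:
        raise ValueError("tunnel attribute tags disagree")
    return {"vlan": found[TUNNEL_PRIVATE_GROUP_ID][1], "sgt": sgt}


def is_valid_authz(data: bytes) -> bool:
    try:
        check_authz(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    accept = build_authz("Corp_Users", 5)          # sample VLAN name and SGT
    print(accept.hex())
    print(check_authz(accept))                      # {'vlan': 'Corp_Users', 'sgt': 5}
```

If the fabric edge logs an authorization failure despite ISE returning Access-Accept, run the captured attribute bytes through `check_authz` first: an Access-Accept with Tunnel-Private-Group-ID but no Tunnel-Type/Tunnel-Medium-Type, or with mismatched tags, is silently ignored by most NAS implementations, and only then does the name-versus-ID question come into play.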