08-03-2021 06:42 AM
Question on SGT Binding Source Priority. If I statically assign an SGT to a port, but then assign a SGT via ISE how is that resolved. The example would be I want to statically assign to a port but override the static assignment for the phone that may or may not be plugged into that port. I believe static port SGT and ISE assigned SGT fall into the LOCAL category of the SGT Binding Source Priority.
Solved! Go to Solution.
08-05-2021 08:31 AM
Greg,
It works if you use IBNS 2.0 configs:
service-templat APPLY-SGT-100
sgt 100
service-templat APPLY-SGT-200
sgt 200
!
policy-map type control subscriber ISE_AUTH_SGT_100
event authentication-success match-all
10 class always do-until-failure
10 activate service-template APPLY-SGT-100
policy-map type control subscriber ISE_AUTH_SGT_200
event authentication-success match-all
10 class always do-until-failure
10 activate service-template APPLY-SGT-200
!
interface gig 1/0/1
service-policy type control subscriber ISE_AUTH_100
interface gig 1/0/2
service-policy type control subscriber ISE_AUTH_200
ISE will override those settings if you apply SGT tag in ISE.
08-03-2021 04:48 PM
I don't believe this scenario is possible. L2 interface SGT static assignment is done using the 'cts manual' configuration on the switchport. The switch will not allow configuration of 'cts manual' on an 802.1x enabled switchport.
Example:
sw5(config-if)#cts manual Command rejected (Gi1/0/26): conflict with Dot1x Auth
08-05-2021 08:31 AM
Greg,
It works if you use IBNS 2.0 configs:
service-templat APPLY-SGT-100
sgt 100
service-templat APPLY-SGT-200
sgt 200
!
policy-map type control subscriber ISE_AUTH_SGT_100
event authentication-success match-all
10 class always do-until-failure
10 activate service-template APPLY-SGT-100
policy-map type control subscriber ISE_AUTH_SGT_200
event authentication-success match-all
10 class always do-until-failure
10 activate service-template APPLY-SGT-200
!
interface gig 1/0/1
service-policy type control subscriber ISE_AUTH_100
interface gig 1/0/2
service-policy type control subscriber ISE_AUTH_200
ISE will override those settings if you apply SGT tag in ISE.
04-20-2023 04:45 AM
Hi
i dont get how do you pass RADIUS assigned SGT to the above policy. from how i can see this whatever SGT will be sent by RADIUS during successful session on the example ports policy will always set the same SGT (either 100 or 200 depending on port)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide