2451 Views, 12 Helpful, 3 Replies

SGT Binding Priority (Interface vs. ISE assigned)

paul
Level 10

Question on SGT Binding Source Priority. If I statically assign an SGT to a port, but then assign a SGT via ISE how is that resolved. The example would be I want to statically assign to a port but override the static assignment for the phone that may or may not be plugged into that port. I believe static port SGT and ISE assigned SGT fall into the LOCAL category of the SGT Binding Source Priority.

Accepted Solution

Greg,

It works if you use IBNS 2.0 configs:

! Service templates that carry the switch-side SGT for each port
service-template APPLY-SGT-100
 sgt 100
service-template APPLY-SGT-200
 sgt 200
!
! On authentication success, activate the port's template
policy-map type control subscriber ISE_AUTH_SGT_100
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template APPLY-SGT-100
policy-map type control subscriber ISE_AUTH_SGT_200
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template APPLY-SGT-200
!
! The service-policy name on each port must match a policy-map defined above
interface GigabitEthernet1/0/1
 service-policy type control subscriber ISE_AUTH_SGT_100
interface GigabitEthernet1/0/2
 service-policy type control subscriber ISE_AUTH_SGT_200

ISE will override those settings if you apply an SGT tag in ISE.
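The configuration in the accepted solution as posted had two defects that are easy to miss by eye: the abbreviated keyword "service-templat" and interface service-policy names (ISE_AUTH_100 / ISE_AUTH_200) that do not match any defined policy-map (ISE_AUTH_SGT_100 / ISE_AUTH_SGT_200), so neither port would ever activate its template. The following added example, which is not from the thread or from Cisco, is a small consistency checker for this kind of IBNS 2.0 excerpt: it parses the service-template, policy-map and interface blocks, reports dangling references, and resolves which SGT each port's switch-side policy would apply on authentication success. The sample configuration inside it is the posted one, reproduced with its defects and then corrected, so the check has something to find. It is an ordinary config-review check, not a model of the switch's SGT binding source priority, and it says nothing about which binding wins once ISE also returns an SGT.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the IBNS 2.0 config from the accepted solution, with the
# two defects it was posted with (abbreviated "service-templat" keyword and
# interface service-policy names that match no defined policy-map).
SAMPLE_CONFIG = """\
service-templat APPLY-SGT-100
 sgt 100
service-templat APPLY-SGT-200
 sgt 200
!
policy-map type control subscriber ISE_AUTH_SGT_100
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template APPLY-SGT-100
policy-map type control subscriber ISE_AUTH_SGT_200
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template APPLY-SGT-200
!
interface GigabitEthernet1/0/1
 service-policy type control subscriber ISE_AUTH_100
interface GigabitEthernet1/0/2
 service-policy type control subscriber ISE_AUTH_200
"""

# The same excerpt with both defects corrected (constructed here).
CORRECTED_CONFIG = (
    SAMPLE_CONFIG.replace("service-templat ", "service-template ")
    .replace("ISE_AUTH_100", "ISE_AUTH_SGT_100")
    .replace("ISE_AUTH_200", "ISE_AUTH_SGT_200")
)


@dataclass
class IbnsConfig:
    templates: dict = field(default_factory=dict)    # template name -> SGT (int) or None
    policy_maps: dict = field(default_factory=dict)  # policy-map name -> activated template names
    interfaces: dict = field(default_factory=dict)   # interface name -> policy-map name or None
    warnings: list = field(default_factory=list)


def parse_ibns_config(text):
    """Extract template / policy-map / interface relationships from a config excerpt."""
    cfg = IbnsConfig()
    kind, name = None, None  # block the current indented line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and IOS comment lines
        m = re.match(r"^(service-templat\w*)\s+(\S+)$", line)
        if m:
            keyword, name = m.groups()
            if keyword != "service-template":
                cfg.warnings.append(f"template {name}: abbreviated keyword '{keyword}', use 'service-template'")
            cfg.templates.setdefault(name, None)
            kind = "template"
            continue
        m = re.match(r"^policy-map type control subscriber (\S+)$", line)
        if m:
            name = m.group(1)
            cfg.policy_maps.setdefault(name, [])
            kind = "policy"
            continue
        m = re.match(r"^interface\s+(.+)$", line)
        if m:
            name = re.sub(r"\s+", "", m.group(1))  # "gig 1/0/1" -> "gig1/0/1"
            cfg.interfaces.setdefault(name, None)
            kind = "interface"
            continue
        if kind == "template" and (m := re.match(r"^sgt (\d+)$", line)):
            cfg.templates[name] = int(m.group(1))
        elif kind == "policy" and (m := re.search(r"activate service-template (\S+)$", line)):
            cfg.policy_maps[name].append(m.group(1))
        elif kind == "interface" and (m := re.match(r"^service-policy type control subscriber (\S+)$", line)):
            cfg.interfaces[name] = m.group(1)
    return cfg


def lint_ibns_sgt_config(text):
    """Return dangling references and other defects; an empty list means the excerpt is consistent."""
    cfg = parse_ibns_config(text)
    findings = list(cfg.warnings)
    for tname, sgt in cfg.templates.items():
        if sgt is None:
            findings.append(f"template {tname} assigns no SGT")
    for pm, templates in cfg.policy_maps.items():
        if not templates:
            findings.append(f"policy-map {pm} activates no service-template")
        for t in templates:
            if t not in cfg.templates:
                findings.append(f"policy-map {pm} activates undefined template {t}")
    for ifname, pm in cfg.interfaces.items():
        if pm is None:
            findings.append(f"interface {ifname} has no control-subscriber service-policy")
        elif pm not in cfg.policy_maps:
            findings.append(f"interface {ifname} references undefined policy-map {pm}")
    return findings


def interface_sgt_map(text):
    """Interface -> SGT the switch-side policy applies on auth success; None where the chain is broken."""
    cfg = parse_ibns_config(text)
    result = {}
    for ifname, pm in cfg.interfaces.items():
        sgts = [cfg.templates[t] for t in cfg.policy_maps.get(pm, []) if cfg.templates.get(t) is not None]
        result[ifname] = sgts[0] if sgts else None
    return result
```

Running lint_ibns_sgt_config over SAMPLE_CONFIG reports the two abbreviated keywords and the two ports that reference undefined policy-maps, while CORRECTED_CONFIG reports nothing and interface_sgt_map resolves it to SGT 100 on Gi1/0/1 and 200 on Gi1/0/2. Parsing "show running-config" output with a check like this is the quick way to confirm the static side of the policy is actually wired up before testing what ISE returns.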

3 Replies

Greg Gibbs
Cisco Employee

I don't believe this scenario is possible. L2 interface SGT static assignment is done using the 'cts manual' configuration on the switchport. The switch will not allow configuration of 'cts manual' on an 802.1x enabled switchport.

Example:

sw5(config-if)#cts manual 
Command rejected (Gi1/0/26): conflict with Dot1x Auth


Hi,
I don't get how you pass the RADIUS-assigned SGT to the above policy. From how I see it, whatever SGT is sent by RADIUS during a successful session on the example ports, the policy will always set the same SGT (either 100 or 200, depending on the port).
