SGT mapping to pxGrid learned users (Citrix TS agent example)

Istvan Segyik
Cisco Employee

Dear Colleagues,

I learned yesterday that our Terminal Services agent actually CAN put 'IP:port -> user' mapping data into pxGrid, and WSA 11.8 is going to be able to read and use that data along with AD group info taken through pxGrid 2.0. At least as far as I understood from the CX NPI training.

However, as far as I understood, the SGT is not mapped to the user. I know that in TrustSec an SGT can only be mapped to an IP. But if the customer is using an SGT-aware Firewall or WSA Access rules where the SGT is queried along with the user anyway, could we make it possible for ISE to add SGTs to these TS Agent published mappings somehow? Or could we make the TS agent able to handle multiple SGTs and IP addresses and PAT the Virtual Desktop to the IP:SGT pair based on user attributes?

It might be a roadmap item to consider. 

Istvan

Accepted Solution

thomas
Cisco Employee

Yes, there is a REST API to map an IP:port to a Username for virtual desktop environments or terminal services for Passive Identity. See Cisco Identity Services Engine Passive Identity Connector Administrator Guide, Release 3.1 > Providers > API Calls

SGTs represent a security group. The security group can represent any group of users or endpoints - it is up to you how you define it. Typically ISE assigns an SGT based on an 802.1X Authentication, but it can be from any ISE Authorization Rule.

The terminal service or VDI system needs to send this information to ISE in order for it to propagate the information to a Firewall or WSA or other pxGrid Client.



kthumula
Cisco Employee

Istvan, very good question. As you said, we are working towards a solution, or rather what I call an agent, which would work with an MS terminal server or Citrix environment where multiple users coming from a single IP would be allocated an IP per user by the proposed agent. ISE can then assign the SGTs for the users and in turn share those IP-SGT mappings via SXP and pxGrid to the rest of the network.

As far as timelines are concerned I cannot provide an estimate but it is in development.
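The two mapping kinds discussed in this thread (the IP:port-range to user mappings a terminal-services agent publishes, and the one-SGT-per-IP mappings TrustSec carries) can be modelled together to show concretely why a shared-IP terminal server cannot carry a per-user SGT, and how the per-user-IP agent kthumula describes changes that. The following is an added, constructed example and is not ISE, TS Agent, pxGrid or Cisco code; the class names, the sample addresses, port ranges, user names and SGT numbers are all made up for illustration.

```python
"""Resolve an observed flow (IP, source port) to (user, SGT).

Constructed example, not ISE/TS Agent/pxGrid code. It models:
  * IP:port-range -> user mappings, as a terminal-services agent publishes
    them (many users behind one shared IP, each owning a source-port range)
  * IP -> SGT mappings, as TrustSec carries them (exactly one SGT per IP)
and shows that the SGT alone cannot distinguish users sharing an IP.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PortRangeMapping:
    """One user's slice of a shared IP: ports port_start..port_end inclusive."""
    ip: str
    port_start: int
    port_end: int
    user: str

    def __post_init__(self) -> None:
        ip_address(self.ip)  # raises ValueError on a malformed address
        if not (1 <= self.port_start <= self.port_end <= 65535):
            raise ValueError("port range must satisfy 1 <= start <= end <= 65535")


class IdentityTable:
    """Joins user mappings (IP:port range) with SGT mappings (IP only)."""

    def __init__(self) -> None:
        self._user_maps: List[PortRangeMapping] = []
        self._sgt_maps: Dict[str, int] = {}

    def add_user_mapping(self, m: PortRangeMapping) -> None:
        # Two users can never own the same source port on one IP, so an
        # overlapping range is a publishing error and is rejected outright.
        for e in self._user_maps:
            if e.ip == m.ip and not (m.port_end < e.port_start or m.port_start > e.port_end):
                raise ValueError(f"range {m.port_start}-{m.port_end} overlaps mapping for {e.user}")
        self._user_maps.append(m)

    def add_sgt_mapping(self, ip: str, sgt: int) -> None:
        ip_address(ip)
        self._sgt_maps[ip] = sgt  # one SGT per IP, as in TrustSec

    def user_for(self, ip: str, port: int) -> Optional[str]:
        for e in self._user_maps:
            if e.ip == ip and e.port_start <= port <= e.port_end:
                return e.user
        return None

    def sgt_for(self, ip: str) -> Optional[int]:
        return self._sgt_maps.get(ip)

    def resolve(self, ip: str, port: int) -> Dict[str, object]:
        """What an SGT-aware firewall or WSA would learn about this flow."""
        return {"user": self.user_for(ip, port), "sgt": self.sgt_for(ip)}

    def users_sharing_sgt(self, ip: str) -> List[str]:
        """All users that necessarily receive the same SGT because they share this IP."""
        return sorted({m.user for m in self._user_maps if m.ip == ip})


def build_shared_ip_table() -> IdentityTable:
    """Constructed sample: two users behind one terminal-server IP."""
    t = IdentityTable()
    t.add_user_mapping(PortRangeMapping("10.1.1.50", 10000, 19999, "alice"))
    t.add_user_mapping(PortRangeMapping("10.1.1.50", 20000, 29999, "bob"))
    t.add_sgt_mapping("10.1.1.50", 10)  # whole server gets one SGT
    return t


def build_per_user_ip_table() -> IdentityTable:
    """Constructed sample of the alternative described in the thread: the agent
    allocates one IP per user, so each user can carry a distinct SGT."""
    t = IdentityTable()
    t.add_user_mapping(PortRangeMapping("10.1.1.51", 1, 65535, "alice"))
    t.add_user_mapping(PortRangeMapping("10.1.1.52", 1, 65535, "bob"))
    t.add_sgt_mapping("10.1.1.51", 10)
    t.add_sgt_mapping("10.1.1.52", 20)
    return t


if __name__ == "__main__":
    shared = build_shared_ip_table()
    print(shared.resolve("10.1.1.50", 15000), shared.resolve("10.1.1.50", 25000))
    print("same SGT forced on:", shared.users_sharing_sgt("10.1.1.50"))
    per_user = build_per_user_ip_table()
    print(per_user.resolve("10.1.1.51", 5000), per_user.resolve("10.1.1.52", 5000))
```

With the shared-IP table both alice and bob resolve to a distinct user but the same SGT 10, which is exactly the gap Istvan raises: an SGT-aware rule keyed on SGT alone treats them identically. With the per-user-IP table each user's flows carry their own SGT, so ordinary IP-SGT distribution via SXP and pxGrid is sufficient. A port that no published range covers resolves to no user, and an overlapping range is rejected at publish time rather than silently shadowing an earlier user.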

Hi kthumula,

is there any news on this topic?

Is this already possible?

Best regards

Ralph


> ... I cannot provide an estimate but it is in development.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Do you need someone for testing?
