cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
514
Views
10
Helpful
6
Replies

TrsutSec SGT Question

SecurityJumbo
Beginner
Beginner

Hello guys,

I have been using ISE radius policy to assign the Security Group and it was working fine. Now, I'm using a third part tool to assign the SGT on the cisco switch interface (access port) using the SSH connection and keep the TrustSec policy on ISE.

The SGT is assigned successfully based on the switch logs and I can see the TrustSec policy action result from "show cts role-base permission" command, but I don't see the SGT in "show authentication session int <> details" and nothing shows in the TrustSec dashboard.

I need help about how to check and verify the SGT is assigned on the interface. How to track this activity on the logs or TrustSec dashboard.

2 Accepted Solutions

Accepted Solutions

@SecurityJumbo if the 3rd party tool is assigning the SGT to the endpoint/user, ISE would not know about this.

You'd need ISE to assign the SGT if you wish ISE to have visibilty into the IP/SGT/User bindings.

View solution in original post

That is correct, ISE will not know about the SGT assigned directly to an endpoint/switch via SSH. The SGT of an endpoint is not sent to ISE in the accounting packets. 

One method of instructing ISE which IP-SGT bindings are being created on the CLI is to create an SXP speaker connection from the switch to ISE. This would result in ISE learning the IP-SGT bindings the third party tool is creating in a dynamic way via the SXP connection. 

But this doesn't help a whole lot to create reporting or logs. It just gets all the ip-sgt bindings in one place, ISE won't really have an association of session "X" has sgt "X". For that reason you still want ISE assigning SGTs during authorization. 

View solution in original post

6 Replies 6

balaji.bandi
VIP Community Legend VIP Community Legend
VIP Community Legend
Now, I'm using a third part tool to assign the SGT on the cisco switch interface (access port) using the SSH connection

what tool is this, and how is your config on the switch ?

can you post the output full of what you mentioned :

show cts role-base permission

and 

show authentication session int <> details

 

what logs you on the ISE and also if you enable debug in switch do you see anything ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@SecurityJumbo Is the SGT assigned per authenticated session (user/endpoint)? Or are you pushing an interface-to-SGT/subnet-to-SGT mapping?

Why are you not using ISE to assign the SGT?

When you run show cts role-based sgt-map all do you see the IP/SGT bindings?

SecurityJumbo
Beginner
Beginner

Hey,

It is assigning the SGT for the endpoint based on the ip address. I was able to find a way to verify that on the cisco switch, but I don't see anything on ISE radius logs discovering that SGT. Any idea ??

@SecurityJumbo if the 3rd party tool is assigning the SGT to the endpoint/user, ISE would not know about this.

You'd need ISE to assign the SGT if you wish ISE to have visibilty into the IP/SGT/User bindings.

Hey @Rob Ingram I was thinking the same as well. The third part tool is assigning the SGT in the cisco switch via SSH based on the endpoint ip address. The ISE will not be able to determine the SGT in the Radius Live logs even though the aaa accounting is enabled, right ??

That is correct, ISE will not know about the SGT assigned directly to an endpoint/switch via SSH. The SGT of an endpoint is not sent to ISE in the accounting packets. 

One method of instructing ISE which IP-SGT bindings are being created on the CLI is to create an SXP speaker connection from the switch to ISE. This would result in ISE learning the IP-SGT bindings the third party tool is creating in a dynamic way via the SXP connection. 

But this doesn't help a whole lot to create reporting or logs. It just gets all the ip-sgt bindings in one place, ISE won't really have an association of session "X" has sgt "X". For that reason you still want ISE assigning SGTs during authorization. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers