Solved: TrsutSec SGT Question

SecurityJumbo · ‎12-03-2022

Hello guys,

I have been using ISE radius policy to assign the Security Group and it was working fine. Now, I'm using a third part tool to assign the SGT on the cisco switch interface (access port) using the SSH connection and keep the TrustSec policy on ISE.

The SGT is assigned successfully based on the switch logs and I can see the TrustSec policy action result from "show cts role-base permission" command, but I don't see the SGT in "show authentication session int <> details" and nothing shows in the TrustSec dashboard.

I need help about how to check and verify the SGT is assigned on the interface. How to track this activity on the logs or TrustSec dashboard.

Rob Ingram · ‎12-06-2022

@SecurityJumbo if the 3rd party tool is assigning the SGT to the endpoint/user, ISE would not know about this.

You'd need ISE to assign the SGT if you wish ISE to have visibilty into the IP/SGT/User bindings.

View solution in original post

Damien Miller · ‎12-06-2022

That is correct, ISE will not know about the SGT assigned directly to an endpoint/switch via SSH. The SGT of an endpoint is not sent to ISE in the accounting packets.

One method of instructing ISE which IP-SGT bindings are being created on the CLI is to create an SXP speaker connection from the switch to ISE. This would result in ISE learning the IP-SGT bindings the third party tool is creating in a dynamic way via the SXP connection.

But this doesn't help a whole lot to create reporting or logs. It just gets all the ip-sgt bindings in one place, ISE won't really have an association of session "X" has sgt "X". For that reason you still want ISE assigning SGTs during authorization.

View solution in original post

balaji.bandi · ‎12-03-2022

Now, I'm using a third part tool to assign the SGT on the cisco switch interface (access port) using the SSH connection

what tool is this, and how is your config on the switch ?

can you post the output full of what you mentioned :

show cts role-base permission

and

show authentication session int <> details

what logs you on the ISE and also if you enable debug in switch do you see anything ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rob Ingram · ‎12-03-2022

@SecurityJumbo Is the SGT assigned per authenticated session (user/endpoint)? Or are you pushing an interface-to-SGT/subnet-to-SGT mapping?

Why are you not using ISE to assign the SGT?

When you run show cts role-based sgt-map all do you see the IP/SGT bindings?

SecurityJumbo · ‎12-06-2022

Hey,

It is assigning the SGT for the endpoint based on the ip address. I was able to find a way to verify that on the cisco switch, but I don't see anything on ISE radius logs discovering that SGT. Any idea ??

Rob Ingram · ‎12-06-2022

@SecurityJumbo if the 3rd party tool is assigning the SGT to the endpoint/user, ISE would not know about this.

You'd need ISE to assign the SGT if you wish ISE to have visibilty into the IP/SGT/User bindings.

SecurityJumbo · ‎12-06-2022

Hey @Rob Ingram I was thinking the same as well. The third part tool is assigning the SGT in the cisco switch via SSH based on the endpoint ip address. The ISE will not be able to determine the SGT in the Radius Live logs even though the aaa accounting is enabled, right ??

Damien Miller · ‎12-06-2022

That is correct, ISE will not know about the SGT assigned directly to an endpoint/switch via SSH. The SGT of an endpoint is not sent to ISE in the accounting packets.

One method of instructing ISE which IP-SGT bindings are being created on the CLI is to create an SXP speaker connection from the switch to ISE. This would result in ISE learning the IP-SGT bindings the third party tool is creating in a dynamic way via the SXP connection.

But this doesn't help a whole lot to create reporting or logs. It just gets all the ip-sgt bindings in one place, ISE won't really have an association of session "X" has sgt "X". For that reason you still want ISE assigning SGTs during authorization.