12-03-2022 01:37 AM
Hello guys,
I have been using ISE RADIUS policy to assign the Security Group and it was working fine. Now, I'm using a third-party tool to assign the SGT on the Cisco switch interface (access port) using the SSH connection and keep the TrustSec policy on ISE.
The SGT is assigned successfully based on the switch logs and I can see the TrustSec policy action result from "show cts role-base permission" command, but I don't see the SGT in "show authentication session int <> details" and nothing shows in the TrustSec dashboard.
I need help with how to check and verify that the SGT is assigned on the interface, and how to track this activity in the logs or the TrustSec dashboard.
12-03-2022 02:11 AM
Now, I'm using a third-party tool to assign the SGT on the Cisco switch interface (access port) using the SSH connection
What tool is this, and how is your config on the switch?
Can you post the full output of what you mentioned:
show cts role-base permission
and
show authentication session int <> details
What logs do you see on the ISE? And if you enable debug on the switch, do you see anything?
12-03-2022 12:55 PM
@SecurityJumbo Is the SGT assigned per authenticated session (user/endpoint)? Or are you pushing an interface-to-SGT/subnet-to-SGT mapping?
Why are you not using ISE to assign the SGT?
When you run show cts role-based sgt-map all, do you see the IP/SGT bindings?
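As an added example (not part of this thread), the following Python script turns the "show cts role-based sgt-map all" check suggested above into something repeatable: it parses the switch output, resolves which binding applies to a given endpoint IP, and confirms that the expected SGT (and optionally the expected binding source) is present. The sample output embedded below is constructed to match the usual IOS-XE column layout (IP Address, SGT, Source) and is not captured from the original poster's switch; the IPs and SGT values are placeholders.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample of "show cts role-based sgt-map all" output (not from the thread).
# "CLI" is the source shown for bindings created with a static
# "cts role-based sgt-map ..." command, which is what a tool driving the CLI over SSH produces.
SAMPLE_OUTPUT = """\
Active IPv4-SGT Bindings Information

IP Address              SGT                 Source
============================================
10.1.10.21              10                  CLI
10.1.10.22              20                  LOCAL
192.168.1.0/24          30                  CLI

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 2
Total number of LOCAL    bindings = 1
Total number of active   bindings = 3
"""


class Binding(NamedTuple):
    prefix: ipaddress.IPv4Network
    sgt: int
    source: str


# Matches one binding row: host or prefix, numeric SGT, upper-case source keyword.
BINDING_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s+(\d+)\s+([A-Z]+)\s*$"
)


def parse_sgt_map(output: str) -> List[Binding]:
    """Extract IP/prefix -> SGT bindings; header, separator and summary lines are skipped."""
    bindings = []
    for line in output.splitlines():
        m = BINDING_RE.match(line)
        if not m:
            continue
        prefix = ipaddress.ip_network(m.group(1), strict=False)
        bindings.append(Binding(prefix, int(m.group(2)), m.group(3)))
    return bindings


def lookup_sgt(bindings: List[Binding], ip: str) -> Optional[Binding]:
    """Return the most specific (longest-prefix) binding covering the endpoint IP, if any."""
    addr = ipaddress.ip_address(ip)
    matches = [b for b in bindings if addr in b.prefix]
    if not matches:
        return None
    return max(matches, key=lambda b: b.prefix.prefixlen)


def verify_binding(output: str, ip: str, expected_sgt: int,
                   expected_source: Optional[str] = None) -> Tuple[bool, str]:
    """Check that the switch reports the expected SGT (and source) for an endpoint IP."""
    found = lookup_sgt(parse_sgt_map(output), ip)
    if found is None:
        return False, f"{ip}: no active IP-SGT binding on the switch"
    if found.sgt != expected_sgt:
        return False, f"{ip}: bound to SGT {found.sgt} ({found.source}), expected {expected_sgt}"
    if expected_source and found.source != expected_source:
        return False, f"{ip}: SGT {found.sgt} learned from {found.source}, expected {expected_source}"
    return True, f"{ip}: SGT {found.sgt} via {found.prefix} ({found.source})"


if __name__ == "__main__":
    # Usage: feed the real command output (e.g. collected over SSH) instead of SAMPLE_OUTPUT.
    for endpoint, sgt in (("10.1.10.21", 10), ("192.168.1.77", 30), ("10.9.9.9", 40)):
        ok, reason = verify_binding(SAMPLE_OUTPUT, endpoint, sgt)
        print("OK  " if ok else "FAIL", reason)
```

The source column is the useful signal for this thread's question: a binding the SSH tool created shows up as "CLI", whereas a binding ISE assigned during authorization is tied to the authenticated session, which is why it also appears in "show authentication session" output and in ISE. Because the switch is the only system that knows about CLI-created bindings, this kind of scripted check against the switch output is the practical way to audit them.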
12-06-2022 09:59 AM
Hey,
It is assigning the SGT for the endpoint based on the IP address. I was able to find a way to verify that on the Cisco switch, but I don't see anything in the ISE RADIUS logs showing that SGT. Any idea?
12-06-2022 10:06 AM
@SecurityJumbo if the 3rd party tool is assigning the SGT to the endpoint/user, ISE would not know about this.
You'd need ISE to assign the SGT if you wish ISE to have visibility into the IP/SGT/User bindings.
12-06-2022 10:19 AM
Hey @Rob Ingram, I was thinking the same as well. The third-party tool is assigning the SGT in the Cisco switch via SSH based on the endpoint IP address. ISE will not be able to determine the SGT in the RADIUS Live Logs even though AAA accounting is enabled, right?
12-06-2022 02:36 PM
That is correct, ISE will not know about the SGT assigned directly to an endpoint/switch via SSH. The SGT of an endpoint is not sent to ISE in the accounting packets.
One method of instructing ISE which IP-SGT bindings are being created on the CLI is to create an SXP speaker connection from the switch to ISE. This would result in ISE learning the IP-SGT bindings the third party tool is creating in a dynamic way via the SXP connection.
But this doesn't help a whole lot to create reporting or logs. It just gets all the IP-SGT bindings in one place; ISE won't really have an association of session "X" has SGT "X". For that reason you still want ISE assigning SGTs during authorization.