10-14-2016 06:56 AM - edited 03-11-2019 12:09 AM
I have a customer who is implementing Cisco TrustSec with ISE as the authenticator. The Aerohive wireless is authenticating against ISE.
The Aerohive APs are plugged in to a Cisco 3650 switch. Is it possible to assign an SGT to an endpoint on the wireless network and add the tag as they enter the TrustSec domain?
Thank You,
-Cor
10-14-2016 07:17 AM
Hi Cory,
Interesting that the Aerohive is not listed in the ISE compatibility guide and you say you are authenticating against ISE:
If you were indeed authenticating wireless users against ISE, (and accounting is operational in order to build a complete session in ISE), then SXP could be used on ISE to forward the IP-SGT mapping towards an enforcement point.
However, I am concerned that the AP is not compatible as I do not see it in the matrix. Therefore, what you could do is add VLAN-SGT mapping on the 3650. Each wireless SSID, mapped to a VLAN, can have SGTs assigned on the 3650 via static VLAN-SGT mapping.
Will that work for you?
Regards, Jonothan.
10-14-2016 07:39 AM
The Aerohive is working for basic RADIUS authentication and we are able to dynamically change VLANs on the Aerohive using RADIUS attributes in ISE.
My suggestion to the client was to use multiple VLANs and VLAN-SGT mappings also, but they did not want to go that route.
So I should be able to use the AP Uplink as the enforcement point?
Will let you know how it goes.
-Cory