Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
558
Views
5
Helpful
2
Replies

Trustsec and PSN failure

Go to solution
AntonioMacia
Level 1
Level 1

‎02-13-2023 10:57 PM

Hi,

We are considering the use of a SGT to port map on every access switchport to enforce the traffic of the non-authenticated devices.  Once the device is authenticated it will get a dynamic SGT that will override the static mapping. The question is, how can we allow the traffic in the worst scenario when the PSNs are down. Before Trustsec we have the the concept of critical VLAN. Is there a similar "critical SGT" in TrustSec?

Regards.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎02-14-2023 02:12 AM

@AntonioMacia yes there is a "Critical SGT", you can use IBNS 2.0 to assign a critical SGT when the AAA server is down.

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

You can create a local SGACL to reference that critical SGT. An SGACL learned from ISE would have priority over a local SGACL, so the local SGACL would only apply when ISE is down. - https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/dna-center/215516-trustsec-whitelist-model-with-sda.html#anc18

The guide above is for a DNAC SDA deployment, but no reason why you cannot manually create everything locally if not in an SDA environment.

 

 

View solution in original post

2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎02-14-2023 02:12 AM

@AntonioMacia yes there is a "Critical SGT", you can use IBNS 2.0 to assign a critical SGT when the AAA server is down.

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

You can create a local SGACL to reference that critical SGT. An SGACL learned from ISE would have priority over a local SGACL, so the local SGACL would only apply when ISE is down. - https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/dna-center/215516-trustsec-whitelist-model-with-sda.html#anc18

The guide above is for a DNAC SDA deployment, but no reason why you cannot manually create everything locally if not in an SDA environment.

 

 

Go to solution
AntonioMacia
Level 1
Level 1
In response to Rob Ingram

‎02-20-2023 03:29 AM

Thank you Rob. 

That was the information I was looking for.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents