TrustSec and SXP

basilecns
Level 1

Hi everybody,

I'm trying to fully understand the TrustSec technology and things are getting confusing... so I'm asking for a bit of help :)

Don't hesitate to correct me if I'm wrong (that's the goal indeed).

I have the following architecture to implement:

  • ISE / AD (classification)
  • ASA (enforcement)
  • SGT capable switches
  • WLC (non-SGT capable)

From what I understood, ISE does the authentication first (classification) and returns the SGT to the switches. That lets the switches tag ingress traffic properly (propagation) before it reaches enforcement (which will be done by the ASA firewall).

But what I don't understand is how the WLC gets tags from ISE. It's not SGT capable, so it will work with SXP peering as a speaker. So it can only send mapping tables, right (IP to SGT)? How can it map anything if it cannot receive tags from ISE authentication (saying user A is in SGT "employee", for example)? Does it have to be static mapping only on the WLC (then yes, OK, but TrustSec starts getting useless...)?

I'm really confused, so I guess I misunderstood the principle of TrustSec...

Thanks a lot for reading and if you can help,

Best regards,

Basile

Accepted Solution

michaellperrin
Level 1

When a wireless client connects to the network, as part of the auth policy it is also provided with the SGT. The WLC, as the SXP speaker, will forward the IP-SGT mapping to the SXP listener. The listener inserts the SGT into the packet on behalf of the WLC.

I hope that makes sense. It is confusing :)
basilecns

Yes, it makes more sense to me now! :)

Thank you!