trustsec SXP listener for ISE

xili5
Cisco Employee

Hi,

If "Add radius mappings into SXP IP SGT mapping table" is checked in the SXP settings, does it mean ISE will automatically learn all dynamic IP-SGT mappings through the RADIUS process? If yes, are there any scenarios in which ISE is configured as an SXP listener to learn mappings from other devices, like a switch/WLC/firewall?

br,

Xin

Accepted Solutions

hslai
Cisco Employee

Yes, ISE can learn mappings from SXP peers. ISE can also have static mappings and propagate them via SXP.

ISE can classify RADIUS sessions with SGT, as Nidhi mentioned, but the network devices need to be able to support SGT as a session field and can either enforce it on the network devices themselves, or propagate via SXP or in-line.

Moving this discussion to TrustSec.

5 Replies

Nidhi
Cisco Employee

Researching!

xili5
Cisco Employee

I also find that when there is no SXP peer available for ISE, the SXP mapping is blank. When I add an SXP device in listener mode, some SXP mapping entries which are shown as "learned by Session" appear. It seems that we must have an SXP device before SXP mappings can appear, even when the entries are learned by RADIUS session, not learned by SXP peer.

So is it normal behaviour for ISE?

Nidhi
Cisco Employee

Basically, after an endpoint authenticates with ISE, ISE sends the SGT to the device. The switch learns the IP address of the endpoint and sends IP-SGT information to ISE via SXP.

xili5
Cisco Employee

Hi Nidhi,

I'd like to confirm whether ISE could have IP-SGT mapping information through a RADIUS session without SXP.
