08-19-2017 09:37 PM - edited 03-11-2019 12:57 AM
Hi,
If "Add radius mappings into SXP IP SGT mapping table" is checked in the SXP settings, does it mean ISE will automatically learn all dynamic IP-SGT mappings through the RADIUS process? If yes, are there any scenarios where ISE is configured as an SXP listener to learn mappings from other devices, like a switch/WLC/firewall?
br,
Xin
08-21-2017 08:45 AM
Yes, ISE can learn mappings from SXP peers. ISE can also have static mappings and propagate them via SXP.
ISE can classify RADIUS sessions with SGT, as Nidhi mentioned, but the network devices need to be able to support SGT as a session field and can either enforce it on the network devices themselves, or propagate via SXP or in-line.
Moving this discussion to TrustSec.
08-20-2017 10:43 PM
Researching!
08-20-2017 11:40 PM
I also find that when there is no SXP peer available for ISE, the SXP mapping is blank. When I add an SXP device in listener mode, some SXP mapping entries which are shown as "learned by Session" appeared. It seems that we must have an SXP device before SXP mappings can appear, even though the entries are learned by RADIUS session, not learned from an SXP peer.
So is it normal behaviour for ISE?
08-21-2017 12:00 AM
Basically, after an endpoint authenticates with ISE, ISE sends the SGT to the device. The switch learns the IP address of the endpoint and sends IP-SGT information to ISE via SXP.
08-21-2017 12:17 AM
Hi Nidhi,
I'd like to confirm whether ISE could have IP-SGT mapping information through a RADIUS session without SXP.