Using Trustsec with Third party NAC solution

carl.townshend
Level 1

Hi Guys

Would it be possible to do segmentation using TrustSec SGTs with a third-party NAC solution such as Forescout?

Would we need anything else?

Accepted Solution

thomas
Cisco Employee

Anyone may assign an SGT in a RADIUS session - it's just a RADIUS Vendor-Specific Attribute (VSA) from Cisco that any vendor may implement in a RADIUS authorization response. That's the beauty of standard protocols like RADIUS.

But how do your network devices know about your SGTs and SGACLs in the first place?

The hard part is going to be the initial and ongoing updates of the TrustSec matrix, with all of the SGTs and SGACLs, to your network devices. That would be a very tedious process to update manually across all of your network devices without ISE. This is the special sauce of ISE.

See our recent ISE Webinar: 

Group-Based Segmentation Basics
Speaker: Jonathan Eaves, Technical Marketing Engineer
22:58 Dynamic Group Policy Download from ISE for Enforcement at Egress
26:03 Enforcement Demo

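The accepted answer's first point is that the SGT assignment itself is nothing more than a Cisco RADIUS VSA, which any NAC can emit. The following is an added example (not code from this thread, from Cisco, or from Forescout) that encodes and decodes that attribute so you can see exactly what a third-party RADIUS server has to put in its Access-Accept. It assumes the documented cisco-av-pair form `cts:security-group-tag=<tag hex4>-<generation hex2>` carried as vendor ID 9, vendor type 1; the sample attribute list is constructed for the example and is not a real capture.

```python
"""Encode and decode the Cisco RADIUS VSA that carries a TrustSec SGT.

Added example, not code from the thread or from Cisco/Forescout.
Assumes the cisco-av-pair form  cts:security-group-tag=<sgt hex4>-<gen hex2>.
"""
import re
import struct

RADIUS_ATTR_VSA = 26             # RFC 2865 Vendor-Specific attribute
RADIUS_ATTR_SESSION_TIMEOUT = 27
CISCO_VENDOR_ID = 9              # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                 # vendor attribute "cisco-avpair"

SGT_AVPAIR_RE = re.compile(
    r"^cts:security-group-tag=([0-9a-fA-F]{4})-([0-9a-fA-F]{2})$")


def sgt_avpair(sgt: int, generation: int = 0) -> str:
    """Render the av-pair string a RADIUS server puts in an Access-Accept."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT must fit in 16 bits")
    if not 0 <= generation <= 0xFF:
        raise ValueError("generation id must fit in 8 bits")
    return f"cts:security-group-tag={sgt:04x}-{generation:02x}"


def build_cisco_avpair(avpair: str) -> bytes:
    """Wrap one cisco-avpair string in a RADIUS attribute of type 26."""
    data = avpair.encode("ascii")
    # vendor-type, vendor-length (covers these two bytes too), then the data
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    value = struct.pack("!I", CISCO_VENDOR_ID) + vendor_part
    if 2 + len(value) > 255:
        raise ValueError("attribute too long for a single RADIUS attribute")
    return struct.pack("!BB", RADIUS_ATTR_VSA, 2 + len(value)) + value


def iter_attributes(blob: bytes):
    """Walk a RADIUS attribute list, refusing truncated or zero-length TLVs."""
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, blob[i + 2:i + alen]
        i += alen


def iter_cisco_avpairs(blob: bytes):
    """Yield every cisco-avpair string found in a RADIUS attribute list."""
    for atype, value in iter_attributes(blob):
        if atype != RADIUS_ATTR_VSA or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4
        while j < len(value):           # several vendor TLVs may be packed
            if len(value) - j < 2:
                raise ValueError("truncated vendor attribute header")
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("bad vendor attribute length")
            if vtype == CISCO_AVPAIR:
                yield value[j + 2:j + vlen].decode("ascii", errors="replace")
            j += vlen


def extract_sgt(blob: bytes):
    """Return (sgt, generation) from an Access-Accept attribute list, or None."""
    for av in iter_cisco_avpairs(blob):
        m = SGT_AVPAIR_RE.match(av)
        if m:
            return int(m.group(1), 16), int(m.group(2), 16)
    return None


# Constructed sample (not a capture): the attribute list of an Access-Accept
# that assigns SGT 3, generation 0, next to a Session-Timeout of 3600 s.
SAMPLE_ACCEPT_ATTRS = (
    struct.pack("!BBI", RADIUS_ATTR_SESSION_TIMEOUT, 6, 3600)
    + build_cisco_avpair(sgt_avpair(3))
)

if __name__ == "__main__":
    print(sgt_avpair(3))
    print(SAMPLE_ACCEPT_ATTRS.hex())
    print(extract_sgt(SAMPLE_ACCEPT_ATTRS))
```

Two caveats follow from the answer above. First, the tag only travels in the Access-Accept; the switch still has to have the SGACLs (the role-based permissions for source SGT to destination SGT) before the tag means anything, and that matrix is what ISE distributes. Second, the network device must be TrustSec-capable and configured to honour the VSA, so check the platform against the capability matrix linked later in this thread before relying on a third-party server to assign tags.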

6 Replies

@carl.townshend yes SGTs can be applied using Forescout - https://docs.forescout.com/bundle/CounterACT_Administration_Guide_8.0.1/resource/CounterACT_Administration_Guide_8.0.1.pdf

Forescout configuration would be better discussed in the Forescout forums.

Thanks Rob, I wasn't aware of this. Would you recommend deploying TrustSec with Forescout, though?

-hope this helps-

@ammahend no, I wouldn't personally recommend deploying TrustSec without ISE. A third-party vendor is likely not to fully support all the features, and support might be an issue.

Also, briefly going through the Forescout document, they talk about assigning an SGT as part of authorization, but there is no mention of enforcement based on SGT or of some sort of policy matrix.

-hope this helps-

ammahend
VIP

Don't think so, at least I haven't deployed it. You will need ISE with an Advantage license, and the network infrastructure should be compatible with the TrustSec compatibility matrix below.

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/policy-platform-capability-matrix.pdf

Additionally, getting a DNA Center appliance would be a good idea as a central point of management, automation, enforcement and policy creation for TrustSec.

-hope this helps-
