
SGT Tagging Policy for Single User

Hi Guys,

I need a solution. We are running Cisco ISE in our infra along with Cisco FMC as well.

Now we are planning to have pxGrid integration with Cisco FMC.

Now a request has come that SGT tags in Cisco ISE will be based on the AD groups, and we are onboarding that way.

Is there any way we can have a policy for a single user in the SGT tag if he needs to have different access compared to the other users?

Need any feedback on the same.

4 Replies

@saxenanitesh8522 Yes, authenticate and authorise the user based on the AD group membership of that user (or just the username) and then assign the SGT.

This SGT will be sent to the FMC via pxGrid; you can then create rules in the ACP based on that source SGT.

I have a group and an ISE policy --> IT_USERS --> ITUSERS (SGT)

UserA, UserB, & UserC --> IT_USERS --> they are all assigned ITUSERS (SGT tag)

Now I just need to give UserC a different access rule than the other users.

In that case we need to have one ISE policy to do the necessary work, right?

 

@saxenanitesh8522 Fine, create a new ISE authorisation rule matching on the username "UserC", and place this rule above the rule that matches on the AD group.
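The ordering point in the reply above matters because ISE authorization policy is evaluated top-down, first match wins. The following is an added illustration, not code from the thread or from Cisco ISE: a constructed model of first-match evaluation with a check that flags a rule that can never fire because an earlier rule always matches first. The rule names, the override SGT name "ITUSERS_RESTRICTED" and the sample sessions are assumptions made up for the example.

```python
"""Constructed model of ISE authorization-rule ordering (illustration only, not ISE code)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Session:
    """Minimal view of an authenticated session: who it is and which AD groups matched."""
    username: str
    ad_groups: set = field(default_factory=set)


@dataclass
class AuthzRule:
    """One authorization rule: a condition and the SGT it assigns when it matches."""
    name: str
    condition: Callable[[Session], bool]
    sgt: str


def user_is(name: str) -> Callable[[Session], bool]:
    """Condition on the username (case-insensitive, as AD sAMAccountName matching is)."""
    return lambda s: s.username.lower() == name.lower()


def member_of(group: str) -> Callable[[Session], bool]:
    """Condition on AD group membership."""
    return lambda s: group in s.ad_groups


def evaluate(policy: List[AuthzRule], session: Session) -> Optional[str]:
    """First-match evaluation: stop at the first rule whose condition holds."""
    for rule in policy:
        if rule.condition(session):
            return rule.sgt
    return None  # no rule matched; a real deployment would have a default/deny rule


def shadowed_rules(policy: List[AuthzRule], sessions: List[Session]) -> List[str]:
    """Names of rules that never fire for any of the given sessions, because an earlier
    rule matches every session this rule would have matched. A shadowed override rule is
    exactly the mistake of placing the per-user rule below the AD-group rule."""
    shadowed = []
    for i, rule in enumerate(policy):
        candidates = [s for s in sessions if rule.condition(s)]
        if candidates and all(any(r.condition(s) for r in policy[:i]) for s in candidates):
            shadowed.append(rule.name)
    return shadowed


# Constructed sample data: three users, all members of IT_USERS (assumed names).
SESSIONS = [
    Session("UserA", {"IT_USERS"}),
    Session("UserB", {"IT_USERS"}),
    Session("UserC", {"IT_USERS"}),
]

GROUP_RULE = AuthzRule("IT_USERS_rule", member_of("IT_USERS"), "ITUSERS")
OVERRIDE_RULE = AuthzRule("UserC_override", user_is("UserC"), "ITUSERS_RESTRICTED")  # assumed SGT name

# Per-user rule above the group rule: UserC gets the override, everyone else the group SGT.
GOOD_POLICY = [OVERRIDE_RULE, GROUP_RULE]
# Per-user rule below the group rule: the group rule always wins, the override never fires.
BAD_POLICY = [GROUP_RULE, OVERRIDE_RULE]


def summarize(policy: List[AuthzRule]) -> dict:
    """Map each sample user to the SGT the policy assigns, plus any shadowed rule names."""
    return {
        "sgts": {s.username: evaluate(policy, s) for s in SESSIONS},
        "shadowed": shadowed_rules(policy, SESSIONS),
    }


if __name__ == "__main__":
    print("good:", summarize(GOOD_POLICY))
    print("bad: ", summarize(BAD_POLICY))
```

The shadowed-rule check is the kind of sanity test worth running against an exported policy whenever a per-user exception is added to a group-based SGT scheme: if the exception rule lands below the broader group rule it is silently dead, and the user keeps the group SGT that pxGrid then hands to FMC.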

@Rob Ingram --> This I know, and I agree, but I get challenged in a way: by doing a direct FMC integration with AD or LDAP I can achieve this, whereas here we have to make the configuration in Cisco ISE and then go to FMC and do a new rule for this kind of configuration.

Is there no other way possible?
