To check for issues with the IP-to-SGT mapping, first check whether the environment data is downloaded to the Edge switch.
Run the following command to ensure that the RADIUS servers are in the UP state.
show aaa servers
Run the following command to confirm that the PAC-type is "Cisco Trustsec".
show cts pacs
show cts environment-data
Under the Security Group Name Table, confirm that all the SGTs created in ISE are downloaded.
Possible causes and solutions
- ISE may not be reachable from the Edge node. Ping ISE from the Edge node to make sure that the connection has not been lost.
- The ISE details may not have been added at the global level on the Cisco DNA Center Design page.
Recommended Actions
Assurance should execute the commands listed above, and look for the relevant fields. If the output is not as expected, then a flag should be raised for Edge.
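The three checks above can be scripted against captured command output. The following is an added example, not Cisco or Cisco DNA Center code: the sample outputs are constructed and abridged, the field layout is assumed and can differ between software releases, and the function names and expected SGT names are hypothetical.

```python
import re
# Constructed, abridged sample outputs (assumed layout), not from a real device.
AAA = """\
RADIUS: id 1, priority 1, host 192.0.2.10, auth-port 1812, acct-port 1813
     State: current UP, duration 4294s, previous duration 0s
RADIUS: id 2, priority 2, host 192.0.2.11, auth-port 1812, acct-port 1813
     State: current DEAD, duration 120s, previous duration 600s
"""
PACS = """\
PAC-Info:
  PAC-type = Cisco Trustsec
"""
ENV = """\
CTS Environment Data
Current state = COMPLETE
Security Group Name Table:
    0-00:Unknown
    4-00:Employees
    5-00:Contractors
Environment Data Lifetime = 86400 secs
"""

def radius_not_up(aaa):
    """Hosts from 'show aaa servers' whose current state is not UP."""
    pairs = re.findall(r"host (\S+?),.*?State: current (\w+)", aaa, re.S)
    return [host for host, state in pairs if state != "UP"]

def pac_type_ok(pacs):
    """True if 'show cts pacs' reports PAC-type 'Cisco Trustsec'."""
    m = re.search(r"PAC-type\s*=\s*(.+)", pacs)
    return bool(m) and m.group(1).strip().lower() == "cisco trustsec"

def missing_sgts(env, expected):
    """Expected SGT names absent from the Security Group Name Table."""
    table = re.search(r"Security Group Name Table:\n((?:[ \t]+\S.*\n?)+)", env)
    rows = table.group(1) if table else ""
    present = {m.group(1).strip() for m in re.finditer(r"\d+-\S+?:(.+)", rows)}
    return [name for name in expected if name not in present]

def edge_flags(aaa, pacs, env, expected):
    """Reasons to raise a flag for the Edge node; an empty list means healthy."""
    flags = [f"RADIUS server {h} is not UP" for h in radius_not_up(aaa)]
    if not pac_type_ok(pacs):
        flags.append("PAC-type is not Cisco Trustsec")
    flags += [f"SGT {n} not downloaded" for n in missing_sgts(env, expected)]
    return flags

if __name__ == "__main__":
    print(edge_flags(AAA, PACS, ENV, ["Employees", "Contractors", "Guests"]))
```

Pass the list of SGT names defined in ISE as `expected`; any returned string is a reason to raise the flag for that Edge node.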