07-15-2021 06:19 AM
Hi Folks,
When an SGT is pushed down from ISE to a NAD via Radius as part of a device/user authorisation, will that same NAD send back some information on the IP to MAC binding based on its device tracking information? Just looking to clarify how ISE procures this information once an endpoint authorises itself.
Solved! Go to Solution.
07-15-2021 06:33 AM
Hi @GRANT3779
ISE will have learnt the IP/MAC binding information, which was collected via dhcp snooping/device tracking and sent to ISE via a radius accounting packet. This is received before ISE authorises the user/endpoint, before ISE assigns the SGT to the session and therefore before the NAD receives the SGT via CoA.
07-15-2021 06:33 AM
Hi @GRANT3779
ISE will have learnt the IP/MAC binding information, which was collected via dhcp snooping/device tracking and sent to ISE via a radius accounting packet. This is received before ISE authorises the user/endpoint, before ISE assigns the SGT to the session and therefore before the NAD receives the SGT via CoA.
07-16-2021 01:44 AM
Thanks Rob, that makes sense. Slightly veering off topic, quick one
Does ISE then automatically add those IP to SGT mappings to its "All SXP Mappings Database" after it authorises an endpoint/user or does that Database only get entries put in if the switch local to those bindings actually sends them to ISE via SXP?
Hopefully makes sense
Cheers
07-16-2021 02:03 AM
Hi @GRANT3779
Yes, ISE will create the binding and then adds to it's mapping database.
The switch (access layer switch) would not send those bindings to ISE via SXP.
Optionally, ISE would use SXP to send the bindings to another switch, such as a distribution layer switch that acts as an enforcement point, assuming inline tagging could or was not used.
The access layer switch will usually only know about the SGTs for the endpoints connected to itself.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: