Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

Community Manager

Ask the Experts: Introduction to Cisco Trustsec Solution and Configuration (from Webcast)

This is an opportunity to learn and ask more questions about Cisco Trustsec solution. The Trustsec solution is designed to flatten the network regardless of the access method but still provide fully distributed and differentiated access control no matter whether you are coming from wired or WiFi or remote access, the Trustsec solution provides a consistent access control policy.

Ankur Bajaj is a customer support engineer from the AAA team at the Cisco Technical Assistance Center in Richardson, Texas, USA. He has 14 years of total experience. He has worked on a wide range of Cisco Security Technologies such as Cisco ASA, VPN deployments, NAC solution, ACS and ISE deployment. Ankur has CCIE # 22135 in Security.


Mrinal Jaiswal has been with Cisco since 2007 with previous experience as a software developer.  He works with AAA and Wireless Technical Assistance. Mrinal holds a CCIE in security #31389, MCSA in 2003 track, MCAD in .net, GNIIT from NIIT.



Beau Wallace is an engineer for the RTP AAA TAC team, supporting multiple solutions including ISE, TrustSec, 802.1x, ACS, NAC, etc. He attended East Carolina University and lives in Raleigh, NC. He holds CCNP, RHCSA, and Security+ Certifications



This Discussion starts Dec 16th through Dec 19th, 2014

Remember to use the rating system to let the exerts know if you have received an adequate response. 

The experts might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in Security community,  sub-community, AAA, Identity and NAC discussion forum shortly after the event. This event lasts through December 19, 2014. Visit this forum often to view responses to your questions and the questions of other community members.


hi i have upgraded ise from


i have upgraded ise from version 1.2 to 1.3 , and i was have solution for guest not depend on ISE in 1.2 , ise authenticate guest user only  , now i need to make all guest solution to be controlled by ise but the change that i need when guest self registered , gust username store in Active directory DB as i have WSA which authenticate against AD is it  applicable 


Where cisco ise 1.3 store

Where cisco ise 1.3 store guest ( self registered) 

Which database

And can we mak ise write in AD db ( create guest uses in AD DB in specific group 

 if guest self serivese with SMS needs Sponsor approval 

Cisco Employee

Hey Mohamed, 1.3, like 1.2,

Hey Mohamed, 1.3, like 1.2, stores guest users in it's internal database. We don't have a mechanism to write to AD via ISE, unfortunately. However, you could create a solution for this on your own via REST API queries to ISE. See our REST API guide to see if this would satisfy your requirement:




all authentication accounting

all authentication accounting send to CDA which send it to WSA , but WSA need to compare it with AD , in this case Guest user will not store in AD , so WSA will pop-up for authentication which refused by customer 

he already develop page , guest self registered and script write in AD , and ISE authenticate from AD , but he need to make ISE how control Guest life cycle 


another question   in guest self registered is it mandatory to have sponsor confirmation to send SMS to guest ? 

Cisco Employee

For Self-Registered Guest,

For Self-Registered Guest, you can configure it to automatically approve these users in the Portal Behavior tab. You can choose between SMS, Email, or both.


i understand from document

i understand from document that API can use to create guest user in ISE , and my case i need ISE to greate guest user in AD DB  

Cisco Employee

Okay, gotcha. Unfortunately

Okay, gotcha. Unfortunately ISE writing to AD isn't possible. What I meant is that you could pull data from the API, and then write a script to push the retrieved guest accounts and write them to AD via LDAP. I've not seen someone do this before, so I don't have any examples, but all the tools should be there if you can find a good LDAP module for python or another language.



Hall of Fame Guru

I just wanted to confirm my

I just wanted to confirm my understanding of traffic into and out of a Trustsec domain that is protected using Security Group Tags and ACLs (SGTs and SGACLs).

Since SGACLs are stateless, they must explicitly define traffic in both directions. So, if traffic from within a Trustsec domain needs to access external non-Trustsec protected systems (or even, say, the Internet!) we need a stateful firewall that understands SGTs and has ACLs accordingly configured - like we can do with an ASA.

In the absence of an ASA could one instead use Reflexive ACLs on the SVI interfaces corresponding to the SGT-protected subnets/VLANs on an upstream multilayer switch or router?

Cisco Employee

Hi Marvon, first, you would

Hi Marvin, first, you would want to ensure the router or switch you use has support for SG-ACLs and enforcement via:


One you know that works, you can configure SG-ACLs with a source or destination on "unknown". This keyword indicates traffic where we cannot discover what SGT should be assigned to that traffic, or in other words, outside the trustsec domain. We use a relatively common command-set on enforcement supporting platforms, take a look at the following link for command syntax:

Let me know if the unknown tag was what you were looking for!


Edits: Spelling.

Hall of Fame Guru

Thanks, Beau,Sure - I know I

Thanks, Beau,

Sure - I know I can create an outbound ACL allowing devices within the Trustsec domain to talk to "unknown". The problem is the return traffic has to be allowed in as well since those ACLs are not inherently stateful.

So if my only toolset is SG ACLs and SGTs, I basically need to open up the entire Internet as a legitimate source of traffic - effectively breaking the Trustsec domain's security model unless I have some stateful firewall at the perimeter of the domain.