Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1532
Views
1
Helpful
2
Replies

Trustsec and Areohive Wireless.

Cory Peterson
Level 5
Level 5

‎10-14-2016 06:56 AM - edited ‎03-11-2019 12:09 AM

I have a customer who is implementing Cisco Trustsec with ISE as the authenticator. The Areohive wireless is authenticating against ISE.

The Areohive APs are plugged in to a Cisco 3650 switch, is it possible to assign a SGT to en endpoint on the wireless network and add the tag as they enter the trustsec domain?

Thank You,

-Cor

Labels:
0 Helpful
2 Replies 2

jeaves@cisco.com
Cisco Employee
Cisco Employee

‎10-14-2016 07:17 AM

Hi Cory,

interesting that the Aerohive is not listed in the ISE compatibility guide and you say you are authenticating against ISE:

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html

If you were indeed authenticating wireless users against ISE, (and accounting is operational in order to build a complete session in ISE), then SXP could be used on ISE to forward the IP-SGT mapping towards an enforcement point.

However, I am concerned that the AP is not compatible as I do not see it in the matrix. Therefore, what you could do is add VLAN-SGT mapping on the 3650. Each wireless SSID, mapped to a VLAN, can have SGT's assigned on the 3650 via static VLAN-SGT mapping.

Will that work for you?

Regards, Jonothan.

Cory Peterson
Level 5
Level 5
In response to jeaves@cisco.com

‎10-14-2016 07:39 AM

The Areohive is working for basic Radius Authentication and we are able to dynamically change VLANs on the Areohive using Radius attributes in ISE.

My suggestion to the client was to use multiple VLANs and VLAN-SGT mappings also, but they did not want to go that route.

So I should be able to use the AP Uplink as the enforcement point?

Will let you know how it goes.

-Cory

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents