Cisco Employee

trustsec SXP listener for ISE

Hi,

If "Add radius mappings into SXP IP SGT mapping table" is checked in the SXP settings, does it mean ISE will automatically learn all dynamic IP-SGT mappings through the RADIUS process? If yes, are there any scenarios where ISE is configured as an SXP listener to learn mappings from other devices, like a switch/WLC/firewall?

br,

Xin

ACCEPTED SOLUTION
Cisco Employee

Re: trustsec SXP listener for ISE

Yes, ISE can learn mappings from SXP peers. ISE can also have static mappings and propagate them via SXP.

ISE can classify RADIUS sessions with SGT, as Nidhi mentioned, but the network devices need to be able to support SGT as a session field and can either enforce it on the network devices themselves, or propagate via SXP or in-line.

Moving this discussion to TrustSec.
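As an added illustration (not Cisco's code and not from this thread), the following Python model of the ISE SXP IP-SGT mapping table shows the three sources discussed above (static entries, RADIUS-session entries gated by the "Add radius mappings" checkbox, and bindings learned from a configured SXP speaker) and how an IP resolves to an SGT by longest-prefix match. The class and method names, the rejection of updates from unconfigured peers, and the last-write-wins rule for overlapping prefixes are assumptions of this model.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Binding:
    prefix: IPv4Network
    sgt: int
    source: str  # "static", "session" (from a RADIUS session) or "sxp:<peer>"


class IseSxpTable:
    """Assumed model of the ISE SXP IP-SGT mapping table; not Cisco's implementation."""

    def __init__(self, add_radius_mappings: bool) -> None:
        # Mirrors the "Add radius mappings into SXP IP SGT mapping table" checkbox.
        self.add_radius_mappings = add_radius_mappings
        self.peers: set[str] = set()            # configured SXP devices
        self.bindings: dict[IPv4Network, Binding] = {}

    def add_peer(self, name: str) -> None:
        self.peers.add(name)

    def add_static(self, prefix: str, sgt: int) -> None:
        net = ip_network(prefix)
        self.bindings[net] = Binding(net, sgt, "static")

    def on_radius_session(self, ip: str, sgt: int) -> bool:
        """Endpoint authorized with an SGT; True if the binding entered the SXP table."""
        if not self.add_radius_mappings:
            return False
        host = ip_network(f"{ip}/32")
        self.bindings[host] = Binding(host, sgt, "session")  # "learned by Session"
        return True

    def on_sxp_update(self, peer: str, prefix: str, sgt: int) -> bool:
        """IP-SGT binding from an SXP speaker; bindings from unknown peers are dropped."""
        if peer not in self.peers:
            return False
        net = ip_network(prefix)
        self.bindings[net] = Binding(net, sgt, f"sxp:{peer}")  # assumption: last write wins
        return True

    def lookup(self, ip: str) -> Optional[Binding]:
        """Longest-prefix match, as an enforcement point resolves an IP to its SGT."""
        addr = ip_address(ip)
        matches = [b for net, b in self.bindings.items() if addr in net]
        return max(matches, key=lambda b: b.prefix.prefixlen, default=None)

    def export(self) -> list[tuple[str, int]]:
        """Bindings ISE would propagate to its SXP listeners, most specific first."""
        return sorted(((str(b.prefix), b.sgt) for b in self.bindings.values()),
                      key=lambda t: (-ip_network(t[0]).prefixlen, t[0]))
```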

5 REPLIES
Cisco Employee

Re: trustsec SXP listener for ISE

Researching!

Cisco Employee

Re: trustsec SXP listener for ISE

I also find that when there is no SXP peer available for ISE, the SXP mapping is blank. When I add an SXP device in listener mode, some SXP mapping entries which are shown as "learned by Session" appear. It seems that we must have an SXP device before SXP mappings can appear, even if the entries are learned by RADIUS session, not learned from an SXP peer.

So is it normal behaviour for ISE?

Cisco Employee

Re: trustsec SXP listener for ISE

Basically, after an endpoint authenticates with ISE, ISE sends the SGT to the device. The switch learns the IP address of the endpoint and sends the IP-SGT information to ISE via SXP.

Cisco Employee

Re: trustsec SXP listener for ISE

Hi Nidhi,

I'd like to confirm whether ISE can have IP-SGT mapping information through the RADIUS session without SXP.
