SDA closed authentication / IP-SGT mapping delivery

Michal Rzepecki
Level 1

I want to use closed authentication on some ports in an SDA environment, so I've configured the appropriate ISE authorization rules with an SGT included. Authorization works fine, but it seems the EDGE switches are not aware of the IP-SGT mappings. How could an EDGE switch know about the IP-SGT mapping when the SGT is applied by an ISE authorization rule?

2 Replies

marek.golha
Level 1

Hello,

The IP-SGT mapping should be provided by the authorization policy from ISE. The IP is provided in the form of an IP pool, and ISE also provides the SGT membership according to the successful authorization.

Marek

andresfr
Cisco Employee

Hi Michal,

The Edge switch should be properly provisioned to the Fabric Site, it should have obtained the AAA configuration from DNAC, should be able to reach Cisco ISE, and it should show as a network device on ISE as well.

Try running the following commands for validation:

show run | sec aaa|radius
test aaa group dnac-client-radius-group <user> <password> legacy
show authentication sessions interface GiX/Y/Z detail    <<< for interfaces connecting to endpoints
show cts pacs
show cts environment-data
show cts role-based sgt-map vrf <vrf or VN name> all det    <<< this should show the IP-SGT mapping for endpoints connected locally, at least if any

If you are having Group-Based Policies configured in DNAC, and clients connected to the Edge belonging to the destination SGT, then you can also run:

show cts role-based permissions
show cts role-based counters

I hope this verification helps.

Regards,
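Added example (not from the thread or from Cisco): a small Python check that correlates the two outputs above, flagging endpoints whose authorized SGT has no matching IP-SGT binding on the edge. The command output samples are constructed and their layout is assumed; adjust the regexes to the exact format your IOS-XE release prints.

```python
import re

# Constructed sample of "show authentication sessions interface GiX/Y/Z detail"
# output; the layout is assumed, not copied from a real switch.
AUTH_SESSIONS = """\
Interface:  GigabitEthernet1/0/10
  IPv4 Address:  10.10.20.15
  Status:  Authorized
  SGT Value:  17
Interface:  GigabitEthernet1/0/11
  IPv4 Address:  10.10.20.16
  Status:  Authorized
  SGT Value:  20
"""

# Constructed sample of "show cts role-based sgt-map vrf <VN> all details"
# output; only the IP / SGT / Source columns are assumed.
SGT_MAP = """\
IP Address     SGT   Source
10.10.20.15    17    LOCAL
10.10.20.1     2     INTERNAL
"""

def parse_sessions(text):
    """Return {ip: sgt} for authorized sessions that carry an SGT."""
    sessions = {}
    for block in re.split(r"(?m)^Interface:", text)[1:]:
        ip = re.search(r"IPv4 Address:\s+(\S+)", block)
        sgt = re.search(r"SGT Value:\s+(\d+)", block)
        if ip and sgt and "Authorized" in block:
            sessions[ip.group(1)] = int(sgt.group(1))
    return sessions

def parse_sgt_map(text):
    """Return {ip: (sgt, source)} from the binding table rows."""
    bindings = {}
    for m in re.finditer(r"(?m)^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)", text):
        bindings[m.group(1)] = (int(m.group(2)), m.group(3))
    return bindings

def missing_bindings(sessions, bindings):
    """List endpoints whose authorized SGT is absent or different in the map."""
    problems = []
    for ip, sgt in sessions.items():
        entry = bindings.get(ip)
        if entry is None:
            problems.append((ip, sgt, "no IP-SGT binding on edge"))
        elif entry[0] != sgt:
            problems.append((ip, sgt, f"binding has SGT {entry[0]} from {entry[1]}"))
    return problems
```

An empty list from `missing_bindings` means every authorized endpoint's SGT is reflected in the edge's binding table; any entry points at a session whose mapping never reached CTS and is the place to start troubleshooting.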