07-15-2022 01:55 AM
I want to use closed authentication on some ports in an SDA environment, so I've configured appropriate ISE authorization rules with SGT included. Authorization works fine, but it seems EDGE switches are not aware of IP-SGT mappings. How could the EDGE switch know about the IP-SGT mapping when the SGT is applied by an ISE authorization rule?
07-20-2022 02:59 PM
Hello,
The IP-SGT mapping should be provided from the authorization policy from ISE. The IP is provided in the form of an IP pool, and ISE also provides the SGT membership according to the successful authorization.
Marek
07-23-2022 07:59 AM
Hi Michal,
The Edge switch should be properly provisioned to the Fabric Site, it should have obtained the AAA configuration from DNAC, should be able to reach Cisco ISE, and it should show as a network device on ISE as well.
Try running the following commands for validation:
show run | sec aaa|radius
test aaa group dnac-client-radius-group <user> <password> legacy
show authentication sessions interface GiX/Y/Z detail <<< For interfaces connecting to endpoints
show cts pacs
show cts environment-data
show cts role-based sgt-map vrf <vrf or VN name> all det <<<< This should show the IP-SGT mapping for endpoints connected locally at least if any
If you are having Group-Based Policies configured in DNAC, and clients connected to the Edge belonging to the destination SGT, then you can also run:
show cts role-based permissions
show cts role-based counters
I hope this verification helps.
Regards,
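As an added illustration of the last verification step above (not part of this thread or of any Cisco tool), the following script cross-checks the SGTs ISE assigned to endpoints against the bindings an edge switch actually reports. The CLI output and the endpoint list are constructed samples; the binding line layout is assumed from the IOS-XE `show cts role-based sgt-map` format.

```python
import re
from ipaddress import ip_address

# Constructed sample of `show cts role-based sgt-map vrf <VN> all det` output.
# Layout assumed from the IOS-XE CLI; addresses and SGT values are made up.
SGT_MAP_OUTPUT = """\
Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
10.10.20.1              2       INTERNAL
10.10.20.50             16      LOCAL
============================================
IP-SGT Active Bindings Summary
============================================
Total number of INTERNAL bindings = 1
Total number of LOCAL    bindings = 1
Total number of active   bindings = 2
"""

# Constructed (endpoint IP, SGT from the ISE authorization result), as one
# would collect from `show authentication sessions interface ... detail`.
AUTHORIZED_ENDPOINTS = [
    ("10.10.20.50", 16),
    ("10.10.20.51", 16),   # authorized by ISE but no binding on this edge
    ("10.10.20.60", 20),
]

# One binding row: IPv4 address, numeric SGT, binding source (LOCAL, INTERNAL, ...)
BINDING_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s*$", re.M)


def parse_sgt_map(output):
    """Return {ip: (sgt, source)} for every binding row in the CLI output."""
    return {ip: (int(sgt), src) for ip, sgt, src in BINDING_RE.findall(output)}


def find_missing_bindings(endpoints, sgt_map):
    """List endpoints whose IP has no binding, or a different SGT, on the edge."""
    missing = []
    for ip, expected_sgt in endpoints:
        binding = sgt_map.get(str(ip_address(ip)))  # normalises the address string
        if binding is None or binding[0] != expected_sgt:
            missing.append((ip, expected_sgt, binding))
    return missing


if __name__ == "__main__":
    bindings = parse_sgt_map(SGT_MAP_OUTPUT)
    for ip, sgt, found in find_missing_bindings(AUTHORIZED_ENDPOINTS, bindings):
        print(f"{ip}: ISE assigned SGT {sgt}, edge binding is {found}")
```

Any endpoint reported here is one for which the edge cannot enforce group-based policy, so it points back to the AAA/PAC checks in the commands listed above.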