
SDA || VN and IP range not propagated to ISE

Lebowski1991
Level 1

Hey all!

I'm having a bit of a brain lock, to be honest, and I'm surprised there is no easy way to find documentation mentioning this (or I'm just clueless), but I'm having an issue where a VN I created and mapped an SGT to is not propagated to ISE.

DNA 2.3.3.7
ISE 3.2 p4

VN is created under Provision > SD-Access > Virtual Networks
SGT is created under Policy > Group-Based Access Control > Security Groups
SGT is mapped to IP Pool and VN under Provision > Fabric > Host Onboarding > Virtual Networks > IP pool added and SGT assigned.

Now, this process seems to have changed over time, as in the 1.3 releases you previously mapped the SGT directly to the VN under the Policy tab, so I'm assuming I could be missing something. I don't have anything as a reference to see how this process goes, but I'm assuming that when this mapping is done on DNA (and DNA is the management for TrustSec between DNAC and ISE), DNA should push this mapping to ISE.

So in Workspaces > TrustSec > Components > Security Groups, when I click on an SGT it should pop up a window which shows the SGT and the VN and IP pool this SGT is mapped to. Perhaps it should even show under the IP SGT Static Mapping page. But this is missing.

SGTs are provisioned on ISE when created, however, so the integration of ISE and DNA should be fine.

Am I missing something, or should this indeed be provisioned, and does the fact that it's not mean I should open a case with TAC?

Thanks in advance!

Accepted Solution

Hi!

I actually found the issue.

When Cisco DNA Center 2.3.3 or later is integrated with Cisco ISE 3.2 or later, security groups are not associated with virtual networks, and the Virtual Networks field is not displayed for these releases. However, if you are using Cisco ISE 3.1 or earlier, the security group and virtual network association details are displayed.

I knew it was there originally.

I actually went through this guide when I was looking for an answer but must have missed this note.

Source: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-3-7/user_guide/b_cisco_dna_center_ug_2_3_7/m_configure-group-based-access-control-policies-and-analytics.html

So basically now all you need to do is add the VN and SGT when configuring the Authorization Profile, and that's about it.


2 Replies

As far as I know, DNAC doesn't communicate the SGT-to-IP-subnet mapping to ISE. I've heard ISE can publish SGT-to-IP-subnet mappings to pxGrid "via SXP topic". Also, ISE has calls via its API enabling the caller to populate ISE's TrustSec component "IP SGT Static Mapping" with the target stuff. No idea why DNAC doesn't leverage it.
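The API route the reply above alludes to, as an added example (this is not the poster's code, nor Cisco's, nor anything DNAC does itself): a small Python script that resolves an SGT by name through the ISE ERS API and then creates an IP SGT static mapping for a subnet. Everything below that is not on this page is an assumption and should be checked against your own ISE's ERS SDK page (https://<ise>:9060/ers/sdk): the resource paths /ers/config/sgt and /ers/config/sgmapping, the JSON field names (hostIp, sgt, deployType), the illustrative hostname ise.example.com, the credentials, the SGT name "Employees" and the subnet 10.20.30.0/24. The HTTP transport is injectable so the logic runs offline against a constructed response; ERS must be enabled on the ISE admin node and the account needs the ERS Admin role.

```python
"""Create an IP-subnet-to-SGT static mapping on ISE through the ERS API.

Added example; not code from the thread or from Cisco. Assumed (verify against
your ISE's ERS SDK page at https://<ise>:9060/ers/sdk): the resource paths
/ers/config/sgt and /ers/config/sgmapping, the JSON field names used below,
and the illustrative hostname, credentials, SGT name and subnet.
"""
import base64
import ipaddress
import json
import ssl
import urllib.request
from typing import Callable, Optional, Tuple
from urllib.parse import quote

# transport(method, url, headers, body) -> (http_status, response_bytes).
# Injected so the logic can be exercised offline with a constructed response.
Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, bytes]]


def ers_headers(username: str, password: str) -> dict:
    """ERS uses HTTP Basic auth with an account holding the ERS Admin role."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}",
            "Accept": "application/json",
            "Content-Type": "application/json"}


def urllib_transport(verify_tls: bool = True) -> Transport:
    """Real transport over stdlib urllib; TLS verification stays on by default."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab only (self-signed ISE cert); never ship this disabled
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return resp.status, resp.read()
    return send


def lookup_sgt_id(search_result: dict, sgt_name: str) -> str:
    """Extract the SGT id from an ERS SearchResult, insisting on exactly one hit."""
    resources = search_result.get("SearchResult", {}).get("resources", [])
    ids = [r["id"] for r in resources if r.get("name") == sgt_name]
    if len(ids) != 1:
        raise LookupError(f"expected one SGT named {sgt_name!r}, found {len(ids)}")
    return ids[0]


def build_sgmapping(name: str, subnet: str, sgt_id: str, deploy_type: str = "ALL") -> dict:
    """Body for POST /ers/config/sgmapping; rejects malformed or host-bit subnets."""
    ipaddress.ip_network(subnet, strict=True)  # raises ValueError on e.g. 10.0.0.1/24
    if deploy_type not in ("ALL", "ND", "NDG"):
        raise ValueError("deployType must be ALL, ND or NDG")
    return {"SGMapping": {"name": name, "hostIp": subnet,
                          "sgt": sgt_id, "deployType": deploy_type}}


def push_subnet_mapping(base_url: str, headers: dict, transport: Transport,
                        sgt_name: str, subnet: str, mapping_name: str) -> Tuple[int, dict]:
    """Resolve the SGT by name, then create the static mapping. Returns (status, body sent)."""
    url = f"{base_url}/ers/config/sgt?filter=name.EQ.{quote(sgt_name)}"
    status, raw = transport("GET", url, headers, None)
    if status != 200:
        raise RuntimeError(f"SGT lookup failed: HTTP {status}")
    sgt_id = lookup_sgt_id(json.loads(raw), sgt_name)
    mapping = build_sgmapping(mapping_name, subnet, sgt_id)
    status, _ = transport("POST", f"{base_url}/ers/config/sgmapping",
                          headers, json.dumps(mapping).encode())
    if status != 201:  # ERS answers 201 Created; 400 usually means a bad field or value
        raise RuntimeError(f"mapping create failed: HTTP {status}")
    return status, mapping


# Constructed sample SearchResult (not captured from a real ISE) for offline runs.
SAMPLE_SGT_SEARCH = {"SearchResult": {"total": 1, "resources": [
    {"id": "93ad6890-8c01-11e6-996c-525400b48521", "name": "Employees"}]}}


def fake_transport(calls: list) -> Transport:
    """Offline stand-in: records each request and replies from the constructed data."""
    def send(method, url, headers, body):
        calls.append((method, url, body))
        if method == "GET":
            return 200, json.dumps(SAMPLE_SGT_SEARCH).encode()
        return 201, b""
    return send


if __name__ == "__main__":
    calls = []
    hdrs = ers_headers("ersadmin", "changeme")  # illustrative credentials
    status, sent = push_subnet_mapping("https://ise.example.com:9060", hdrs,
                                       fake_transport(calls), "Employees",
                                       "10.20.30.0/24", "Employees-UserVN-pool")
    print(status, json.dumps(sent))
```

To run it against a real deployment, swap `fake_transport(calls)` for `urllib_transport()` and keep TLS verification on (install the ISE admin certificate chain in the trust store rather than disabling checks). Note that a static IP-to-SGT mapping is only one way to classify traffic; in an SD-Access fabric the SGT an endpoint gets from the ISE authorization policy at session time is what the fabric edge enforces, so a static mapping like this is only worth pushing when the subnet really should carry a fixed tag regardless of who authenticates.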
