Solved: IP to SGT Mapping Question

edmcnich · ‎12-18-2018

I have a customer that has 802.1x to ISE configured on his Meraki MS switches. They also have SXP configured between ISE and an upstream ISR router. They would like to configure SGACLs on the ISRs using the dynamically configured SGTs assigned in ISE, and publish these SGTs to the ISR router (SXP Listerner).

I guess the question is, can ISE create dynamic IP to SGT mapping using 802.1x from Meraki (not SXP speaker, because Meraki doesn't support it), and publish to an ISR via SXP?

umahar · ‎12-18-2018

In general this is supported, havn't actually integrated with Meraki.

If ISE is the one tagging 802.1x endpoints on Meraki then this should be possible.

Be sure to enable the below setting. This should populate the IP-SGT bindings on ISE with dynamic tags for radius sessions.

View solution in original post

gbekmezi-DD · ‎12-19-2018

This should work. You assign the SGT in the authorization result and it should get added to the internal mapping in ISE, which should then get propagated to SXP clients.

View solution in original post

umahar · ‎12-18-2018

In general this is supported, havn't actually integrated with Meraki.

If ISE is the one tagging 802.1x endpoints on Meraki then this should be possible.

Be sure to enable the below setting. This should populate the IP-SGT bindings on ISE with dynamic tags for radius sessions.

gbekmezi-DD · ‎12-19-2018

This should work. You assign the SGT in the authorization result and it should get added to the internal mapping in ISE, which should then get propagated to SXP clients.