If I have a TrustSec domain set up, and want to utilise IP-SGT mappings by using the "cts role-based sgt-map {ip} sgt <sgt-id-number>" commands - on what device do these commands need to get executed?
I have been researching this a lot in Cisco documentation but cannot find a clear answer. I am either referred to configuring ISE (which I don't have), or using the command (eg. http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/ident-conn_config.html#wp1055308). However, no document I have found actually tells me on which device this should be executed? Can it be on any switch in the TrustSec domain? Must it be on a seed device? On the authentication server? (this is especially relevant when the access switch to which the host that I'm applying the SGT to, is not part of the TrustSec domain itself).
Any ideas what I am missing?