Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1299
Views
2
Helpful
5
Replies

ISE Inline Posture and SGT

valrerod
Level 1
Level 1

‎09-26-2013 12:53 PM - edited ‎03-10-2019 08:56 PM

ISE Experts,

I'm doing research preparing for an SGT deployment.

We have Cisco ASA for VPN and iPEP for Posture enforecement.

The questions are:

1) Does iPEP support SGT?

2) Can I utilize SGT for VPN users?

Thanks,

Val

1 person had this problem
Labels:
0 Helpful
5 Replies 5

aqjaved
Level 3
Level 3

‎09-30-2013 09:52 AM

The Cisco  TrustSec (CTS) architecture secures networks by establishing domains of  trusted network devices. Once a network device authenticates with the  network, the communication on the links between devices in the cloud is  secured with a combination of encryption, message integrity checks, and  replay protection mechanisms.

CTS  use the user and device identification information acquired during the  authentication phase to classify packets as they enter the network. CTS  maintains classification of each packet or frame by tagging it with a  security group tag (SGT) on ingress to the network so that it can be  identified for applying security and other policy criteria along the  data path. The tags allow network intermediaries such as switches and  firewalls to enforce access control policy based on the classification.

Please  check the below links which may be helpful for you in configurations:

Link-1

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_sga_pol.pdf

Gurudatt Pai
Cisco Employee
Cisco Employee

‎06-04-2014 02:21 AM

Using Ipep for SGT probably is not a use case that we've seen so far and i cant be sure if it was tested.

However with ASA 9.2 you can enforce SGT based policies on the VPN users without needing an Ipep.

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117694-config-asa-00.html

Regards,

Gurudatt

ISE Escalation engineer | CCIE#28227

Cisco systems.

0 Helpful

Saurav Lodh
Level 7
Level 7

‎06-05-2014 02:26 AM

Here , in this scenario , I think the PSN would support SGT over ASA, not ipep

0 Helpful

Gurudatt Pai
Cisco Employee
Cisco Employee
In response to Saurav Lodh

‎06-09-2014 09:46 PM

Ipep would not be needed if you use the tech note i pointed too. More over ,Ipep was a solution that was needed for VPN scenarios when ASA was not capable of supporting COA. Now with 9.2 since we do and this architecture is a more elegant solution than adding another hop (provided you're in Routed mode).

0 Helpful

abwahid
Level 4
Level 4

‎06-05-2014 04:46 AM

Hi,

As we know that SGT is Cisco-proprietary tagging system.
we just need to confirm before deployment, does NAD devices support SGT ?
so with ASA 9.2 you can use SGT for VPN users.

As per my understanding iPEP is another part it would not have any issue 
with SGT enforcement policies.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents