ISE SGT and Custom SGT Rule Conditions
You can use SGTs for access control by either configuring ISE as an identity source (ISE SGT) or creating custom SGT objects (custom SGT). The system handles ISE SGT and custom SGT rule conditions differently:
ISE SGT: ISE connection configured
You can use ISE SGTs as ISE attribute conditions in access control rules. When you choose Security Group Tag from the Available Attributes list in the SGT/ISE Attributes tab, the system populates the Available Metadata list by querying ISE for available tags. The presence or absence of an SGT attribute in a packet determines the system's response:
- If an SGT attribute is present in the packet, the system extracts that value and compares it to ISE SGT conditions in access control rules.
- If the SGT attribute is absent from the packet, the system determines whether the SGT associated with the packet’s source IP address is known in ISE and compares the SGT to the ISE SGT conditions in access control rules.
Custom SGT: No ISE connection configured
You can create custom SGT objects and use them as conditions in access control rules. When you choose Security Group Tag from the Available Attributes list in the SGT/ISE Attributes tab, the system populates the Available Metadata list with any SGT objects you have added. The presence or absence of an SGT attribute in a packet determines the system's response:
- If an SGT attribute is present in the packet, the system extracts that value and compares it to custom SGT conditions in access control rules.
- If the SGT attribute is absent from the packet, the system does not match the packet to custom SGT conditions in access control rules.
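The following is an added, constructed model of the two evaluation paths described above (ISE SGT with fallback to the source-IP-to-SGT mapping learned from ISE, and custom SGT with no fallback). It is not Cisco's code and does not reflect how the product is implemented internally; the rule names, SGT values and the IP-to-SGT table are all made-up sample data. Its purpose is to make the behavioural difference concrete: the same untagged packet can hit an SGT-based block rule under the ISE SGT path and fall through to the default action under the custom SGT path.

```python
"""Constructed model of SGT condition evaluation in access control rules.

Not product code: a simplified simulation of the two documented paths
(ISE SGT vs. custom SGT) so the matching difference can be exercised.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Sequence, Tuple

ISE_SGT = "ise_sgt"        # ISE connection configured; tags come from ISE
CUSTOM_SGT = "custom_sgt"  # no ISE connection; tags are custom SGT objects


@dataclass(frozen=True)
class Packet:
    src_ip: str
    sgt: Optional[int] = None  # inline SGT attribute; None means absent


@dataclass(frozen=True)
class Rule:
    name: str
    sgts: FrozenSet[int]  # SGT values the rule's SGT condition matches
    action: str           # "allow" or "block"


# Hypothetical IP-to-SGT mapping as it would be learned from ISE (constructed).
ISE_IP_SGT_MAP: Dict[str, int] = {
    "10.1.1.20": 10,  # guest
    "10.1.1.21": 20,  # employee
}


def resolve_sgt(packet: Packet, mode: str,
                ise_ip_sgt_map: Dict[str, int]) -> Optional[int]:
    """Return the SGT the rule engine would compare, or None if there is none.

    - Inline tag present: use it, in either mode.
    - Inline tag absent, ISE SGT mode: look up the source IP in the ISE mapping.
    - Inline tag absent, custom SGT mode: nothing to compare (no match possible).
    """
    if packet.sgt is not None:
        return packet.sgt
    if mode == ISE_SGT:
        return ise_ip_sgt_map.get(packet.src_ip)
    return None


def sgt_condition_matches(packet: Packet, rule: Rule, mode: str,
                          ise_ip_sgt_map: Dict[str, int]) -> bool:
    """True when the packet's resolved SGT is one of the rule's SGT values."""
    sgt = resolve_sgt(packet, mode, ise_ip_sgt_map)
    return sgt is not None and sgt in rule.sgts


def first_matching_rule(packet: Packet, rules: Sequence[Rule], mode: str,
                        ise_ip_sgt_map: Dict[str, int],
                        default_action: str = "allow") -> Tuple[str, str]:
    """Walk the ordered rule list; fall through to the default action."""
    for rule in rules:
        if sgt_condition_matches(packet, rule, mode, ise_ip_sgt_map):
            return rule.name, rule.action
    return "default", default_action


# Constructed policy: block guests, allow employees, default allow.
RULES = (
    Rule("block-guest", frozenset({10}), "block"),
    Rule("allow-employee", frozenset({20}), "allow"),
)


def evaluate_both_modes(packet: Packet) -> Dict[str, Tuple[str, str]]:
    """Evaluate one packet under each mode and return {mode: (rule, action)}."""
    return {
        mode: first_matching_rule(packet, RULES, mode, ISE_IP_SGT_MAP)
        for mode in (ISE_SGT, CUSTOM_SGT)
    }


if __name__ == "__main__":
    samples = [
        Packet("10.1.1.20"),          # untagged, source known to ISE as guest
        Packet("10.1.1.30", sgt=20),  # tagged inline as employee
        Packet("10.9.9.9"),           # untagged, unknown to ISE
    ]
    for pkt in samples:
        print(pkt, evaluate_both_modes(pkt))
```

The untagged guest packet is the case worth noticing when reviewing a policy: under the ISE SGT path it is blocked because ISE knows the source IP's tag, but under the custom SGT path no SGT condition can match it, so it reaches whatever the default action is. Policies that rely on custom SGT conditions to deny traffic therefore need a default action that is safe for untagged traffic.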