In Cisco IOS XE Amsterdam 17.1.1 and later releases, Cisco TrustSec uses the REST-based transport protocol for policy provisioning
and environment data download from Cisco Identity Services Engine (ISE). The REST-based protocol is more secure, and provides
reliable, and faster Security Group access control list (SGACL) policy and environment data provisioning, than the RADIUS
protocol that is used in previous releases.
Both the REST API-based and RADIUS-based download of Cisco TrustSec data is supported. However, only one protocol can be active
on a device. In Cisco IOS XE Amsterdam 17.1.1, REST-based protocol is the default. However, you can change the protocol to
RADIUS by configuring the cts authorization list command.
Cisco TrustSec Change of Authorization (CoA) will still use RADIUS as the protocol.
Cisco TrustSec Security Group Access Control List (SGACL) and environment data are synchronized from the active device to
the standby device, after the policy is installed. However, REST API connections or sessions are not synchronized during a
In Cisco IOS XE Amsterdam 17.1.1, only one IPv4 address per server is supported. In Cisco IOS XE Amsterdam 17.2.1 and later
releases, 8 IPv4 and 8 IPv6 addresses per server are supported.
In Cisco IOS XE Amsterdam 17.2.1, the Cisco TrustSec device will honor the 429 response code from Cisco ISE. This response
code is sent by Cisco ISE, when it is overloaded. Once a 429 response code is received for a particular server, the device
marks the server as dead, and switches to the next server in the list (private or public). The next retry attempt is done
after 60 seconds.