Secure Group Tag-based Access Control

User Access Control through SGACL

Table 1. Feature History
Feature Name

Release Information

Description

User Access Control through Secure Group Tag-based Access Control List (SGACL)

 2024.03.0

UPF supports Cisco ISE integration for SGACL enforcement on the downlink packets. SGACL is an Access Control List (ACL) that controls and manages the authorization of the security group members.

UPF fetches the SGACL matrix from ISE through an API query based on the Destination SGT (D-SGT). The D-SGT is received over the Sx or N4 interface from SMF. Then, UPF applies the SGACLs based on the D-SGT and Source SGT (S-SGT) mapping on the downlink packets. Hence, the policy enforcement from Cisco ISE is enabled.

Default Setting: Disabled – Configuration Required to Enable

Security Group Tag (SGT) for Cisco Identity Service Engine (ISE) Integration on UPF

 2023.03

UPF supports ISE integration for handling the SGT received from SMF. The SMF receives the SGT from the RADIUS server. Then, the SMF sends the SGT over the Sx or N4 interface to UPF during Session Establishment Request.

The creation of SGT is according to the static policy on Cisco ISE or SMF and the UPF requires inserting the SGT into the Cisco Meta Data (CMD) header on uplink packets.

Default Setting: Not Applicable

The Security Group Tag (SGT), also referred to as the Scalable Group Tag, specifies the privileges of a traffic source within a trusted network. Security Group Access automatically generates SGT when you add a security group in TrustSec or ISE. Cisco ISE, as a centralized policy engine, provides a unified policy management experience for the other Cisco packet core elements.

The S-SGT is a 16-bit value that is transmitted in the Cisco Meta Data (CMD) field of a Layer 2 Ethernet Frame. The CMD header is inserted after the ".1Q" tag, if available. If the ".1Q" tag is unavailable, the CMD immediately follows the MAC Source Address.

To support SGT for ISE integration:

  • SMF receives the D-SGT from the ISE server.

  • SMF updates the D-SGT towards the UPF using the N4 extensions.

  • UPF identifies the packets and applies the D-SGT and S-SGT combination to N6 DL packets.

Security Group Tag-based Access Control List (SGACL) is an Access Control List (ACL) that controls and manages the authorization of the security group members. SGACLs create SGACL policies, which are represented through a Security Group Tag matrix (SGT matrix).

The SGT matrix, also referred to as the permissions matrix, represents the SGACL policies in the TrustSec domain. This matrix comprises the security group numbers and destination security group numbers, and describes how the two endpoints communicate. The applicable policies are Permit and Deny. The contents of an SGT matrix and the SGACLs are downloaded from the ISE server using the REST API.

UPF inserts the D-SGT value for the outgoing uplink packets sent over the N6 interface. UPF receives the S-SGT value for the downlink packets over the N6 interface. This S-SGT value is used for the matrix lookup and is removed while sending the outgoing downlink packets over the N3 interface.

Based on the mapping between the Destination SGT (D-SGT) and Source SGT (S-SGT), the policies are enforced at UPF and an appropriate SGACL is enforced on the downlink packets.

UPF supports ISE integration for SGACL enforcement for the downlink packets through the following SGT values:

  • Destination SGT (D-SGT)—UPF receives this value per subscriber session over the N4 interface from SMF in the Session Establishment Request. SMF receives the D-SGT from ISE in the RADIUS Access Accept message. For this feature, the SMF must send the SGT to UPF in a proprietary IE on the N4 interface.

  • Source SGT (S-SGT)—Is received in the CMD header of a downlink packet. A wireless LAN controller (WLC) or an access switch inserts this value.


Note

  • SMF receives the D-SGT from ISE in the Access Accept message. For this feature, the SMF must send the SGT to UPF in a proprietary IE on the N4 interface.

  • When you enable the user access control through SGACL and a subscriber session receives a D-SGT, then the SGACL is applied to the downlink packets. In this case, the APN ACL isn’t applicable to these subscriber sessions.

  • When you don’t enable the user access control through SGACL or the UPF doesn't receive the D-SGT during the N4 Session Establishment Request, then the APN ACL is applicable as per the existing configuration.

You can define the ISE server profile through the ise-server-profile profile_name CLI command and associate the ISE server profile within a UPF service through the associate ise-server-profile name server_profile_name CLI command.

How SGACL for ISE Integration Works

This section describes how SGACL for ISE integration works.

  • SMF fetches the corresponding SGT value from ISE over RADIUS and sent on N4 interface to the UPF.

  • Each UPF is registered as a Network Access Device (NAD) in ISE server.

  • UPF downloads the SGT Matrix and corresponding SGACLs from ISE server using the REST API. UPF applies the SGACL for flow based on the D-SGT to S-SGT mapping.

  • A non-real time update is available through periodic or trigger-based pull from UPF.

  • The D-SGT value needs to be checkpointed for session recovery and ICSR-based recovery.

Call Flow

The following figure illustrates the SGT fetch and SGACL enforcement call flow.

Step

Description

1

SMF sends N4 Session Establishment Request to UPF. As part of this request, the UPF receives the D-SGT value from SMF.

2

UPF sends N4 Session Establishment Response to SMF.

3

For the first session of a specific D-SGT, UPF sends the REST API Request to the ISE server to fetch the D-SGT column values.

4

ISE sends the REST API Response to UPF. This response includes the mapped S-SGT values for the D-SGT and the SGACL matrix information containing the SGACL names along with the refresh timer.

The SGT matrix cell entries and SGACLs are stored on UPF. Each D-SGT column has a refresh timer that is configured in ISE.

5

UPF sends the REST API Request to the ISE server to fetch the required SGACLs.

ISE sends the REST API Response to UPF with the SGACL definitions.

6

N3 sends the uplink (UL) data to UPF.

7

UPF adds D-SGT in Ethernet header and sends the UL data to the N6 interface.

8

N6 sends the downlink (DL) data to the N3 interface.

9

The UPF checks the D-SGT and S-SGT mapping and applies the SGACLs.

10

UPF forwards the DL data, with no SGT, to the N3 interface.

Limitations

This feature has the following known limitations:

  • The PFCP Session Establishment Request must send the D-SGT value over the N4 interface. The D-SGT cannot be changed, but S-SGT can change.

  • As the ACLs can be stacked for a specific SGT-Pair combination, the SGACLs are applied as per the order of ACLs received for a specific SGT-Pair.

  • The maximum number of recommended matrix combinations is 150 D-SGT Columns * 150 S-SGT rows, with 255 distinct SGACLs, including the default SGACL.

  • The maximum number of SGACLs in a single cell is limited to 16.

  • UPF can store only one default SGACL at a time. Hence, when the Default SGACL changes, only the updated SGACLs information is stored on UPF.

Secondary ISE server integration on UPF

Table 2. Feature History

Feature name

Release information

Description

Secondary ISE server support on UPF

 2025.03.0

This feature allows the network operator to integrate a secondary ISE server on UPF.

The secondary ISE server integration provides a failure mechanism to ensure seamless enforcement of SGACLs when the primary ISE server goes down.

Commands enhanced:

  • [ secondary-server { ipv4_address ipv4_address | ipv6-address ipv6_address } ] : This CLI configures the secondary server IP address.

  • [ secondary username user_name password password ] : This CLI configures the secondary username and password.

  • [ secondary-certificate certificate_path ] : This CLI configures the secondary certificate path.

  • [ secondary-ca-certificate ca_certificate_path ] : This CLI configures the secondary CA certificate.

  • [ secondary-key key_path ] : This CLI configures the secondary key path.

Commands introduced:

  • max-retransmissions max_retrans_count : This CLI configures the maximum number of retries.

  • retransmission-timeout timeout_duration : This CLI configures the retransmission timeout.

  • backoff-period backoff_duration : This CLI configures the Backoff period.

Default Settings: Disabled—Configuration to Enable

The ISE server is responsible for enforcing policies on UPF. However, at times, the UPF fails to update or refresh the policy due to a service failure on the ISE server, a failure in reaching the ISE server, or ISE server being down.

Integrating a secondary ISE server allows the UPF to maintain the operational state of the policies and ensure seamless policy enforcement.

How secondary ISE server integration works

Workflow

These stages outline the process of secondary ISE server support on UPF:

  1. UPF marks the primary ISE server as "Active". The active primary ISE server receives all the REST API requests.

  2. When the UPF tries to connect with the primary ISE server, however, when the primary ISE server fails to respond, the UPF tries to reconnect as per the configured number of retransmissions and the retransmission timeout.

  3. UPF marks the current "Active" server as "Inactive", if the reconnect attempts fail. UPF then marks the secondary ISE server as "Active" as per the configuration. To configure the secondary ISE server, see the Configure ISE Server profile section.

    The network operator can select the active ISE server manually using a CLI.

    For more details on the manual configuration, see the Manual switching to active ISE server section.

  4. The currently marked "Active" starts receiving the same REST API requests.

  5. UPF applies the default policy or policy unavailable treatment, when it is yet to receive the policies from the ISE server.

  6. UPF ensures that the secondary ISE server is not marked "Inactive" recently, before marking a server as "Active". It prevents UPF from a looping issue when both servers are unreachable.

    After detecting failure at the Primary ISE server, if the UPF also detects failure at the Secondary ISE server, or vice versa, the UPF should not retry again to the alternative server. This prevents UPF from trying to reach the ISE servers in a loop.

    UPF controls this behavior using the configured Backoff period.

Backoff period

While switching from the primary to the secondary ISE server, or vice versa, the UPF gets into a loop, when both the servers are unreachable. To avoid this, the Backoff period is used as a waiting period before UPF tries to connect with the primary or the secondary ISE server.

The Backoff period prevents excessive network traffic and resource usage caused by continuous retry attempts.

The backoff-period is configurable under the ISE server profile.

Limitations of secondary ISE server integration

These are the known limitations of secondary ISE server integration on UPF:

  • ISE server failure is detected only on the next REST API call.

  • There is no active monitoring for the health of the primary or secondary ISE server.

  • For REST APIs during failover, added latency includes failure detection time (based on retransmission attempts) and connection or reply time from the active ISE server.

  • The authentication failures are not expected to trigger a switchover to the secondary ISE server.

  • The database synchronization for SGT or SGACLs between primary and secondary ISE servers is assumed, as a switchover can occur between related REST APIs.

  • UPF is not responsible for detecting any database version mismatch between the peer servers.

  • The periodic or CLI-triggered refresh happens with the current active server, assuming that it is in-sync with the earlier fetched policies.

  • UPF will not re-learn existing SGACLs or policies, once the switchover to the active ISE server happens.

    The re-learning adds latency and thus impacts the throughput, since all the flows need to be on-boarded.

SGACL Configuration for ISE Integration

This section describes the procedures to configure SGACL for ISE integration.

Enable API Manager

API manager is a facility that enables API request and response integration through REST APIs.

Note

Enabling the API manager is a prerequisite for SGACL integration.

Procedure

Step 1

Log in to the configuration mode.

Step 2

Enter the require apimgr command.

Example:

config
   require apimgr
end

This CLI command is part of the boot configuration to spawn the new procedure.

What to do next

  1. Configure ISE Server profile

  2. Associate ISE Server Profile

Configure ISE Server profile

These steps help you configure the ISE server profile.

Before you begin

Before configuring the ISE server profile, you must enable the API manager. To know more about configuring the API manager, see the Enable API manager section.

Procedure

SUMMARY STEPS

  1. Use the CLI [ no ] ise-server-profile profile_name to create an instance of the ISE server profile under the Context EPC mode.
  2. Use the CLI bind { ipv4-address ipv4_address | ipv6-address ipv6_address} to specify the bind IPv4 or IPv6 address.
  3. Use the CLI server { ipv4-address ipv4_address | ipv6-address ipv6_address } [ secondary-server { ipv4-address ipv4_address | ipv6-address ipv6_address } ] to configure primary ISE server and secondary ISE server.
  4. Use the CLI username user_name encrypted | password password [ secondary username user_name password password ] to configure the username and password for the primary ISE server and secondary ISE server.
  5. Configure the certificate, CA certificate, and key for the primary and secondary ISE servers.
  6. Use the CLI policy-unavailable-treatment [ drop | pass ] to specify the traffic treatment when the SGACL matrix is unavailable for a particular D-SGT.
  7. Configure maximum retransmissions, retransmission timeout, and backoff period.

DETAILED STEPS

Step 1

Use the CLI [ no ] ise-server-profile profile_name to create an instance of the ISE server profile under the Context EPC mode.

Example:

[local]UPF1(config)# context EPC
[local]UPF1(config-ctx)# ise-server-profile ise_1 
[local]UPF1(config-ctx)#

Step 2

Use the CLI bind { ipv4-address ipv4_address | ipv6-address ipv6_address} to specify the bind IPv4 or IPv6 address.

Example:

[local]UPF1(config-ctx)# bind ipv4-address 192.0.2.1 
[local]UPF1(config-ctx)#

Step 3

Use the CLI server { ipv4-address ipv4_address | ipv6-address ipv6_address } [ secondary-server { ipv4-address ipv4_address | ipv6-address ipv6_address } ] to configure primary ISE server and secondary ISE server.

Example:

[local]UPF1(config-ctx)# server ipv4-address 192.0.2.254  secondary-server ipv4-address 198.51.100.1

Step 4

Use the CLI username user_name encrypted | password password [ secondary username user_name password password ] to configure the username and password for the primary ISE server and secondary ISE server.

Example:

[local]UPF1(config-ctx)# username ise1 password cisco1
cisco2 secondary username ise2 password  cisco2  
[local]UPF1(config-ctx)#

Note

 

In the show configuration output, the password will be displayed in the encrypted format.

Step 5

Configure the certificate, CA certificate, and key for the primary and secondary ISE servers.

  1. Use the CLIs certificate certificate_path [ secondary-certificate certificate_path ] to configure the certificate.

    Example:

    [local]UPF1(config-ctx)# certificate /root/certificate/client/client.cert.pem 
secondary-certificate /root/certificate/client/client2.cert.pem 
[local]UPF1(config-ctx)#

  2. Use the CLIs ca-certificate ca_certificate_path and [ secondary-ca-certificate ca_certificate_path ] to configure the CA certificate.

    Example:

    [local]UPF1(config-ctx)# ca-certificate /root/certificate/ca.cert.pem 
secondary-ca-certificate /root/certificate/ca.cert2.pem 
[local]UPF1(config-ctx)#

  3. Use the CLIs key key_path [ secondary-key key_path ] to configure keys.

    Example:

    [local]UPF1(config-ctx)# key /root/certificate/client/client.key.pem 
secondary-key /root/certificate/client/client2.key.pem 
[local]UPF1(config-ctx)#

Step 6

Use the CLI policy-unavailable-treatment [ drop | pass ] to specify the traffic treatment when the SGACL matrix is unavailable for a particular D-SGT.

Example:

[local]UPF1(config-ctx)# policy-unavailable-treatment drop 
[local]UPF1(config-ctx)#

Step 7

Configure maximum retransmissions, retransmission timeout, and backoff period.

  1. Use the CLI max-retransmissions max_retrans_count to configure maximum retransmissions when a server is unresponsive.

    Example:

    [local]UPF1(config-ctx)# max-retransmissions 6  
[local]UPF1(config-ctx)#

    The CLI max-retransmissions max_retrans_count configures the maximum number of retries from 0 to 15. The default value is 3.

  2. Use the CLIs retransmission-timeout timeout_duration to configure retransmission timeout.

    Example:

    [local]UPF1(config-ctx)# retransmission-timeout 4000  
[local]UPF1(config-ctx)#

    The retransmission-timeout timeout_duration configures the timeout duration before retransmitting the request to ISE server from 1 to 300 seconds. The default value is 3 seconds.

  3. Use the CLI backoff-period backoff_duration to configure the Backoff-period. Save and exit from the current configuration mode.

    Example:

    [local]UPF1(config-ctx)# backoff-period 400  
[local]UPF1(config-ctx)# exit

    The CLI backoff-period backoff_duration configures the duration during which, the retries to the ISE server are held back. The default value is 200 seconds.

What to do next

After configuring the ISE server profile, you must associate it with an existing user plane service. For more details, see the Associate ISE server profile section.

Manually switch to active ISE server

These steps allow you to manually switch to the currently active ISE server:

Before you begin

Before manually switching to the currently active ISE server, configure the Secondary ISE server under the ISE server profile. See Configure ISE Server profile section.

Procedure

SUMMARY STEPS

  1. Execute the CLI select ise-server { primary | secondary} in the Execution mode to manually switch to the active ISE server.

DETAILED STEPS

Execute the CLI select ise-server { primary | secondary} in the Execution mode to manually switch to the active ISE server.

Example:

[local]laas-si-setup# select ise-server secondary

  • Post manual switching, if the UPF receives any outstanding REST API responses from the old active ISE server, UPF processes them.

  • All the pending retries go to the ISE server, which received the retry requests.

  • The command select is a hidden keyword.

Associate ISE Server Profile

Once defined, associate the ISE server profile with an existing UPF service configuration.

Before you begin

Configure ISE server profile

Procedure

Step 1

Enter the User Plane Service configuration mode.

Step 2

Associate the defined ISE server profile with an existing UPF service configuration.

Example:

user-plane-service UPlane1
      associate ise-server-profile name ise_1
  #exit

Refresh D-SGT Column

Each D-SGT column has a refresh timer that is configured in ISE. Based on the refresh timer configuration or through the UPF CLI trigger, the D-SGT column value is fetched from the ISE server again through the REST API query. Based on the API response from ISE, if the version of SGT matrix or SGACL is changed, UPF updates the respective matrix cell or SGACL information locally. The corresponding SGACLs are downloaded after the refresh, as required.

Before you begin

  1. Configure ISE Server profile

  2. Associate ISE Server profile

Procedure

Step 1

Enter the Exec Mode.

Step 2

Enter the refresh-sgt-column d_sgt command to trigger the refresh of a D-SGT column by fetching the column values from the ISE server.

Example:

refresh-sgt-column d-sgt

Note

 

Although the CLI returns immediately, the policy download in the background takes some time and hence the refresh completion may also take some time.

The following is an example output of the refresh-sgt-column d_sgt CLI command where the d_sgt value is configured as 65535 .
refresh-sgt-column 65535

Monitoring and Troubleshooting

Verify SGACL with SGT Integration

This section provides information about show commands and their outputs for the SGACL with SGT Integration feature.

show subscribers user-plane-only full callid callid_value

The output of this CLI command is enhanced with the SGT Value field for displaying information related to D-SGT for ISE integration on UPF and SGACL match stats field for displaying information related to User Access Control through SGACL. 

show subscribers user-plane-only full callid 00004e3a
   Local SEID      : [0x0004000000000003] 1125899906842627
  Remote SEID     : [0x00000436b7616206] 4633051357702
  State           : Connected

....

  input pkts: 20                                  output pkts: 16          
  input bytes: 9246                               output bytes: 11248       
  input bytes dropped: 0                          output bytes dropped: 5624      
  input pkts dropped: 0                           output pkts dropped: 8        

....
  
  SGT Value: 0x001a

....

QoS-Group Statistics:
QGR Name             Pkts-Down  Bytes-Down Pkts-Up    Bytes-Up   Hits       Match-Bypassed  FP-Down(Pkts/Bytes)  FP-Up(Pkts/Bytes)
-------------------- ---------- ---------- ---------- ---------- ---------- --------------  -------------------  -----------------

SGACL Match stats:
ACL Name             Pkts-Down  Bytes-Down Pkts-Up    Bytes-Up   Pkts dropped
-------------------- ---------- ---------- ---------- ---------- -------------
ACL2611                       4       1432          0          0             2
ACL2612                       4       4112          0          0             2
ACL2621                       8       5704          0          0             4
....

Total subscribers matching specified criteria: 1

show subscribers user-plane-only callid callid_value flows full

The output of this CLI command is enhanced with the Uplink SGT , Downlink SGT , and Matched SGACL fields for displaying information related to User Access Control through SGACL. 

show subscribers user-plane-only callid 00004e21 flows full
  Callid: 00004e21
  Interface Type: Sxab
  IP address: n/a

  Flow ID: 1:1
  Uplink pkts: 1                    Downlink pkts: 1
  Uplink bytes: 1040                Downlink bytes: 40
…
  Downlink Sfp Id: NA
  Uplink SGT: 0xA1
  Downlink SGT: 0xB5
  Matched SGACL: ACL_123

show user-plane-service sgt-column summary

The output of this CLI command shows the summary of all the available D-SGT values on UPF along with their refresh timers as received from the ISE server.

The following example output shows the D-SGT values of D-SGT Columns fetched and D-SGT Version fields. 

show user-plane-service sgt-column summary
 D-SGT Columns fetched:
 D-SGT      Version
 ---------------------------------------
 65535         0
   7           0
 Total D-SGT column(s) found: 2

show user-plane-service sgt-column dsgt

The output of this CLI command shows the summary of the SGACL matrix per D-SGT with the respective SGACL mapping per D-SGT and S-SGT, which are received from ISE during the D-SGT query.

The following example output shows the D-SGT , Refresh Time S-SGT , SGACL Name , Version , and Total SGT column(s) found fields. 

show user-plane-service sgt-column dsgt 26

    D-SGT: 26            Refresh Time: 86400
    S-SGT: 1
    SGACL Name           Version 
    --------------------------------------- 
    ACL2611                               0 
    ACL2612                               0 

    S-SGT: 2
    SGACL Name                      Version 
    --------------------------------------- 
    ACL2621                               0 

  Total SGT column(s) found: 1

show user-plane-service sgacl name

The output of this CLI command shows the specific SGACLs definition rule lines as received from ISE during the SGACL query.

show user-plane-service sgacl name AACL2
 SGACL Name: AACL2
 permit ip
 Total SGACL(s) found: 1

show user-plane-service statistics sgacl all

The output of this CLI command shows the packet match statistics as per SGACL.

show user-plane-service statistics sgacl all

ACL Name             Pkts-Down  Bytes-Down Pkts-Up    Bytes-Up   Pkts dropped
-------------------- ---------- ---------- ---------- ---------- -------------
SGACL1-REFRESH2         6           1156       0         0          2
SGACL1-REFRESH1        13           9344       0         0          6
Allow All               0              0       0         0          0

Total SGACL(s) : 3

show user-plane-service statistics drop-counter

The output of this CLI command is enhanced to shows the dropped packets due to the SGACL application.

show user-plane-service statistics drop-counter
Packet Drop Data Statistics:
        -----------------------------------------------
...
        FastPath Misc Drops:
            Overload Protection:                    0
            Invalid Client:                         0
            Stream ID 0:                            0
            Invalid Stream ID:                      0
        OHR Mismatch Packet Drops:                  0
       SGACL Packet Drops:                       8
        SGACL No Policy Packet Drops:               2
        No Default SGT cell Packet Drops:           0

Note

  • No Default SGT cell Packet Drops is an obsolete counter. The existing design allows packets to be passed only if no default ACL is available.

  • The statistics for ISE server REST API request and response are supported.

show apimgr statistics ise-server

The show apimgr statistics ise-server displays the status for ISE servers statistics. 

[local]qvpc-si# show apimgr statistics ise-server

Ise-Server Connection Statistics:

Server: 10.10.10.30       		  Current state: Active
Last Inactive Time:          0000:00:00:00:00:00
Request sent:                          5
Response Success:                      4
Response Fail:                         1

Server: 10.10.10.40       		  Current state: Inactive
Last Inactive Time:            2025:01:16:12:30:11
Request sent:                          0
Response Success:                      0
Response Fail:                         0

SNMP trap

The trap ISEServerSwitchoverOccured is generated every time the UPF switches to another ISE server.

OAM Support

Bulk Statistics

Following new bulk statistics are supported for the user access control through SGACL feature.

SCHEMA: UPF

Statistics

Description
downlink-total-pkts-sgacl-matched Total downlink packets matched against SGACL
downlink-total-bytes-sgacl-matched Total downlink bytes matched against SGACL
downlink-total-pkts-sgacl-dropped Total downlink packets dropped due to SGACL match
downlink-total-bytes-sgacl-dropped

Total downlink bytes dropped due to SGACL match