ISE Authorization for Segmentation
Objective
In this lesson you will configure Cisco Identity Services Engine (ISE) authorization policies that assign Security Group Tags (SGTs) for TrustSec segmentation based on user identity (AD group membership) and posture (posture assessment result). This matters in production because SGTs let you implement group-based policy that scales — you tag endpoints with a role instead of maintaining per-IP ACLs. Real-world scenario: an organization (NHPREP) wants contractors to receive a different SGT than employees, and devices failing posture checks must be placed into a quarantine SGT automatically.
Topology
ASCII topology (showing the ISE node and one fabric edge switch used for verification). Interfaces show IPs for each node.
ISE Primary (PAN)
[ISE-PAN] ise.lab.nhprep.com
Interface: GigabitEthernet0/0 IP: 10.1.1.10/24
Services: pxGrid (HTTPS), ERS (REST)
Fabric Edge Switch
[SW-EDGE] switch1.lab.nhprep.com
Interface: GigabitEthernet1/1 IP: 10.1.1.1/24
TrustSec/CTS SGT tagging: inline or downloadable ACLs (policy enforcement)
Note: This lesson focuses on the ISE-side authorization policy and verification from the switch. The reference material emphasizes enabling pxGrid and ERS services and the ports required (TCP 443, 9060, 5222, 8910) for control-plane integrations.
Device Table
| Device | Hostname | Management IP |
|---|---|---|
| ISE Primary (PAN) | ise.lab.nhprep.com | 10.1.1.10 |
| Fabric Edge Switch | switch1.lab.nhprep.com | 10.1.1.1 |
Quick Recap
Refer to the campus fabric introduced in Lesson 1. The fabric edge switches are configured to communicate with ISE for authentication and TrustSec SGT distribution. In previous lessons you configured network access (802.1X/MAB) and device profiling. This lesson adds the authorization policy rules in ISE to map identity and posture results to SGTs. No new devices are introduced.
Key Concepts
- Security Group Tag (SGT): a label assigned by ISE that represents an endpoint role. Think of an SGT like a jersey color in a sports match — the network uses the color (SGT) to decide who can talk to whom, instead of listing every player's name (IP).
- In production, SGTs reduce ACL count and complexity; policies are applied based on tag-to-tag relationships.
- Authorization Policy: ISE evaluates authentication and posture results, then enforces an authorization rule that can assign an SGT. The decision point happens after an endpoint authenticates and posture (if configured) completes.
- Packet/flow level: When a switch receives the authorization from ISE, it either tags traffic inline (if SGT in data plane) or enforces via downloadable ACLs mapped to SGT.
- Endpoint Posture: a posture assessment can produce results like Compliant/Noncompliant. ISE policy uses those results to place failing endpoints into a quarantine SGT.
- Typical production use: automatically isolate devices that fail AV/version checks.
- ERS & pxGrid: ISE exposes external REST and pxGrid services to share identity/context. pxGrid uses HTTPS and the ports TCP/443, TCP/9060 (pxGrid control plane), and other messaging ports (TCP/5222, TCP/8910). Ensure these ports are reachable between ISE and consumers (e.g., Catalyst Center) to enable SGT distribution and context sharing.
Step-by-step configuration
Each step below explains the WHY, shows the exact GUI/navigation commands (presented in a code block), explains the effect, and then provides a verification command with expected output.
Step 1: Enable pxGrid and ERS services on the ISE PAN
What we are doing: Enable the pxGrid and ERS services on the ISE Primary Admin Node (PAN). These services allow external systems to query and receive identity and SGT information and enable REST APIs for programmatic control. This step is required so fabric controllers and management platforms can obtain SGTs and endpoint context.
ISE GUI: Log in to https://ise.lab.nhprep.com
ISE GUI Navigation:
1. Administration > System > Deployment
2. Select ISE Host Name: ise.lab.nhprep.com (PAN)
3. Click 'Edit' > Services tab
4. Enable pxGrid Services checkbox
5. Administration > Settings > ERS Settings
6. Enable ERS for Read/Write on PAN
7. Save
What just happened: Enabling pxGrid opens the pxGrid control plane on the PAN and allows trusted services to register as clients for identity/context. Enabling ERS Read/Write on the PAN permits external systems with credentials to perform RESTful read/write calls against the ISE ERS API — necessary for integrations that need to push or pull endpoint-to-group mappings or manage objects.
Real-world note: In distributed ISE deployments enable ERS as Read on secondary nodes to reduce configuration drift, but keep Read/Write on the PAN only.
Verify:
Verification via HTTPS port and pxGrid control connectivity:
1. From a management host, test HTTPS connectivity to the ISE pxGrid port:
```bash
curl -k -s -o /dev/null -w "%{http_code}\n" https://ise.lab.nhprep.com:443
```
Expected output:
```
200
```
2. Confirm the pxGrid control port is reachable (use nc or a similar tool to test TCP 9060):
```bash
nc -vz ise.lab.nhprep.com 9060
```
Expected output:
```
Connection to ise.lab.nhprep.com 9060 port [tcp/*] succeeded!
```
Step 2: Create SGT (Security Group Tag) objects in ISE
What we are doing: Create SGT objects that will be assigned by authorization rules. Typical SGTs in this lesson: "Employees", "Contractors", and "Quarantine". These objects are referenced by authorization profiles later, and pushed to network devices.
ISE GUI Navigation:
1. Administration > Identity Management > Groups > Security Group Tags
2. Click 'Add' and create:
- Name: Employees
- Name: Contractors
- Name: Quarantine
3. Save changes
What just happened: You created logical labels (SGTs) in ISE's identity store. ISE now knows these tags and can include them in authorization profiles. Network devices that are properly integrated will accept these tags and use them for enforcement.
Real-world note: Use consistent naming and document tag numbers and meanings across teams; mismatched SGT names cause policy confusion in large fabrics.
Verify:
ISE GUI Verification:
1. Administration > Identity Management > Groups > Security Group Tags
Expected display:
- SGT Name Description
- Employees (created by admin)
- Contractors (created by admin)
- Quarantine (created by admin)
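The GUI check above can be automated through the ERS API enabled in Step 1. This is an added example, not part of the lesson or Cisco's tooling: it reads all SGTs with a read-only `GET /ers/config/sgt` call on TCP 9060 and reports which of the Step 2 tags are missing. The credentials, the CA file and the embedded sample response are constructed placeholders.

```python
import base64
import json
import ssl
import urllib.request

# Added example (not from the lesson): verify the Step 2 SGTs via the ISE ERS API.
# ISE_HOST comes from the lesson topology; user/password/cafile are placeholders and
# the ERS account only needs the read (ERS Operator) role for this call.
ISE_HOST = "ise.lab.nhprep.com"
EXPECTED_SGTS = {"Employees", "Contractors", "Quarantine"}

def fetch_sgts(host, user, password, cafile=None):
    """Return the parsed ERS SearchResult listing every SGT (read-only request)."""
    url = f"https://{host}:9060/ers/config/sgt"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"Basic {token}",
    })
    # Verify the ISE admin certificate against the lab CA instead of disabling TLS checks.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

def sgt_names(search_result):
    """Extract the SGT names from an ERS SearchResult document."""
    return {r["name"] for r in search_result["SearchResult"]["resources"]}

def missing_sgts(search_result, expected=EXPECTED_SGTS):
    """Return the expected SGTs that ISE does not report (empty set means all present)."""
    return set(expected) - sgt_names(search_result)

# Constructed sample in the ERS SearchResult shape so the checks run offline;
# "Quarantine" is deliberately absent to show a failed verification.
SAMPLE_RESULT = {"SearchResult": {"total": 3, "resources": [
    {"id": "placeholder-id-1", "name": "Employees"},
    {"id": "placeholder-id-2", "name": "Contractors"},
    {"id": "placeholder-id-3", "name": "Unknown"},
]}}

if __name__ == "__main__":
    # Against a live PAN: fetch_sgts(ISE_HOST, "ers-reader", "placeholder", cafile="lab-ca.pem")
    print("missing SGTs:", missing_sgts(SAMPLE_RESULT))
```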
Step 3: Create Authorization Profiles to Map SGTs
What we are doing: Create authorization profiles that assign the SGT to a session. Authorization profiles are applied when an authorization policy rule matches. We'll create profiles for Employee-SGT, Contractor-SGT, and Quarantine-SGT.
ISE GUI Navigation:
1. Policy > Policy Elements > Results > Authorization > Authorization Profiles
2. Click 'Add' and create profiles:
- Profile Name: Assign-Employees-SGT
- Results: Security Group Tag => Employees
- Profile Name: Assign-Contractors-SGT
- Results: Security Group Tag => Contractors
- Profile Name: Assign-Quarantine-SGT
- Results: Security Group Tag => Quarantine
3. Save profiles
What just happened: These authorization profiles encapsulate the SGT assignment action. When an authorization rule is evaluated and matches, the corresponding profile is returned to the network device (switch) and that device applies the SGT to the session (usually via TrustSec inline tagging or ACL mapping).
Real-world note: Profiles can also include downloadable ACLs for non-TrustSec capable devices; here we focus on SGT assignment for fabric-capable equipment.
Verify:
ISE GUI Verification:
1. Policy > Policy Elements > Results > Authorization > Authorization Profiles
Expected display:
- Assign-Employees-SGT Security Group Tag: Employees
- Assign-Contractors-SGT Security Group Tag: Contractors
- Assign-Quarantine-SGT Security Group Tag: Quarantine
Step 4: Create Authorization Policy Rules (Identity + Posture)
What we are doing: Implement specific policy rules that use identity (AD group) and posture result to return the SGT authorization profiles. This binds who the user is and the health of the device to the tag applied.
ISE GUI Navigation:
1. Policy > Authorization
2. Under the Authorization Policy set, create rules in order:
- Rule 1: If (ADGroup == "NHPREP_Contractors") then Assign-Contractors-SGT
- Rule 2: If (Posture == Noncompliant) then Assign-Quarantine-SGT
- Rule 3: If (ADGroup == "NHPREP_Employees" AND Posture == Compliant) then Assign-Employees-SGT
3. Save policy
What just happened: ISE will evaluate policy rules from top to bottom. When a session authenticates, the policy engine checks group membership and posture results. For example, a contractor will match Rule 1 and immediately be given Contractor SGT. A device failing posture will match Rule 2 and be quarantined even if in an Employees group.
Real-world note: Order matters. Place explicit quarantine rules above general identity rules to ensure noncompliant devices are isolated before identity-based tag assignment. With the order shown in Step 4, Rule 1 (Contractors) sits above the quarantine rule, so a contractor whose device fails posture still receives the Contractors SGT; move Rule 2 to the top if every noncompliant device must be quarantined regardless of group.
Verify:
ISE GUI Verification:
1. Policy > Authorization
Expected display (example):
- Rule 1: NHPREP_Contractors -> Assign-Contractors-SGT
- Rule 2: Posture == Noncompliant -> Assign-Quarantine-SGT
- Rule 3: NHPREP_Employees && Posture == Compliant -> Assign-Employees-SGT
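ISE evaluates authorization rules top-down and returns the first match. The following added model (teaching code, not ISE's policy engine) reproduces that evaluation for the three Step 4 rules and shows how moving the quarantine rule changes the profile a noncompliant contractor receives. The session attributes and the user names are constructed for the lesson.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# Added model of ISE first-match authorization evaluation (not ISE code).

@dataclass
class Session:
    username: str
    ad_groups: Set[str]   # AD group memberships returned by the identity source
    posture: str          # "Compliant", "Noncompliant" or "Unknown" (no posture run)

@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    profile: str          # authorization profile returned when the rule matches

def evaluate(rules: List[Rule], session: Session,
             default: str = "DenyAccess") -> Tuple[str, str]:
    """Return (rule name, profile) of the first matching rule, like ISE's ordered policy."""
    for rule in rules:
        if rule.condition(session):
            return rule.name, rule.profile
    return "Default", default

# Rules exactly in the order given in Step 4.
LESSON_ORDER = [
    Rule("Rule 1", lambda s: "NHPREP_Contractors" in s.ad_groups, "Assign-Contractors-SGT"),
    Rule("Rule 2", lambda s: s.posture == "Noncompliant", "Assign-Quarantine-SGT"),
    Rule("Rule 3", lambda s: "NHPREP_Employees" in s.ad_groups and s.posture == "Compliant",
         "Assign-Employees-SGT"),
]

# Same rules with the quarantine rule moved to the top, as the Real-world note advises.
QUARANTINE_FIRST = [LESSON_ORDER[1], LESSON_ORDER[0], LESSON_ORDER[2]]

if __name__ == "__main__":
    # Constructed sessions: a noncompliant contractor and a compliant employee.
    bob = Session("bob@lab.nhprep.com", {"NHPREP_Contractors"}, "Noncompliant")
    alice = Session("alice@lab.nhprep.com", {"NHPREP_Employees"}, "Compliant")
    for label, rules in (("lesson order", LESSON_ORDER), ("quarantine first", QUARANTINE_FIRST)):
        print(f"{label:16} bob -> {evaluate(rules, bob)}  alice -> {evaluate(rules, alice)}")
```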
Step 5: Verify SGT assignment from a fabric edge switch session
What we are doing: From the switch, verify that a session received the expected SGT after authentication. This demonstrates the end-to-end flow: authentication → authorization → SGT delivered to switch.
Switch CLI:
1. Show active sessions and TrustSec/CTS tags for a test endpoint:
```
show authentication sessions interface GigabitEthernet1/1 details
```
2. Show the CTS SGT mapping (the example command varies by platform; validate the session attributes):
```
show cts role-based enforcement sessions
```
Expected output:
```
Authentication session on interface GigabitEthernet1/1
Username: alice@lab.nhprep.com
Authorization Result: Assign-Employees-SGT
Security Group Tag: Employees
Enforcement: TrustSec inline tag applied
```
What just happened: The switch queried ISE during the session lifecycle, received the authorization profile containing the SGT, and applied the tag to the session. The displayed session shows the username, authorization result, and the tag applied.
Real-world note: On real switches, the exact "show" commands differ by platform. The important outputs show the session, username, authorization profile, and SGT applied.
Verify:
Switch CLI Verification:
```
show authentication sessions interface GigabitEthernet1/1 details
```
Expected output (full):
```
Interface: GigabitEthernet1/1
MAC Address: 0011.2233.4455
IP Address: 10.1.1.100
Authentication Method: 802.1X
Authenticated User: alice@lab.nhprep.com
Authentication Status: AUTHENTICATED
Authorization Profile: Assign-Employees-SGT
Security Group Tag: Employees
Session Started: 2026-04-02 10:15:23
```
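When this check is repeated across many edge ports, the session output is worth parsing rather than eyeballing. The following added script (not part of the lesson or any Cisco tool) parses the expected output above into fields and flags a session whose applied SGT does not match the profile-to-SGT mapping from Step 3. The embedded session text is the lesson's example output; the mapping table is built from Step 3.

```python
import re
from typing import Dict, List

# Added example (not from the lesson): parse switch session output and check the SGT.

# The lesson's expected output, embedded so the check runs offline.
SAMPLE_OUTPUT = """\
Interface: GigabitEthernet1/1
MAC Address: 0011.2233.4455
IP Address: 10.1.1.100
Authentication Method: 802.1X
Authenticated User: alice@lab.nhprep.com
Authentication Status: AUTHENTICATED
Authorization Profile: Assign-Employees-SGT
Security Group Tag: Employees
Session Started: 2026-04-02 10:15:23
"""

# Profile -> SGT mapping as defined in Step 3.
PROFILE_TO_SGT = {
    "Assign-Employees-SGT": "Employees",
    "Assign-Contractors-SGT": "Contractors",
    "Assign-Quarantine-SGT": "Quarantine",
}

def parse_session(text: str) -> Dict[str, str]:
    """Turn 'Key: Value' lines into a dict; the value may itself contain colons."""
    session = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if m:
            session[m.group(1).strip()] = m.group(2).strip()
    return session

def session_problems(session: Dict[str, str]) -> List[str]:
    """Return findings for one session; an empty list means it matches expectations."""
    problems = []
    if session.get("Authentication Status") != "AUTHENTICATED":
        problems.append("session is not authenticated")
    profile = session.get("Authorization Profile")
    sgt = session.get("Security Group Tag")
    if profile not in PROFILE_TO_SGT:
        problems.append(f"unknown authorization profile: {profile}")
    elif sgt != PROFILE_TO_SGT[profile]:
        problems.append(f"{profile} should carry SGT {PROFILE_TO_SGT[profile]}, switch shows {sgt}")
    return problems

if __name__ == "__main__":
    parsed = parse_session(SAMPLE_OUTPUT)
    print(parsed["Authenticated User"], session_problems(parsed) or "OK")
```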
Verification Checklist
- Check 1: pxGrid and ERS are enabled on the PAN. Verify with HTTPS 443 and TCP 9060 connectivity to ise.lab.nhprep.com.
- Check 2: SGT objects and Authorization Profiles exist in ISE. Verify in Administration > Identity Management and Policy Elements > Authorization Profiles.
- Check 3: Authorization policy rules match identity and posture to correct profiles and the fabric edge switch shows the session with the expected SGT applied. Verify with switch show commands.
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| pxGrid/ERS ports unreachable from Catalyst Center or other integrator | Firewall blocking TCP 9060/443/5222/8910 between systems | Open required ports (TCP 443, 9060 and messaging ports) between components; verify with nc/curl |
| Authorization policy returns Employee SGT despite noncompliant posture | Rule order places identity-based rule above posture quarantine rule | Re-order rules so posture (Noncompliant -> Quarantine) is evaluated before identity rules |
| Switch shows no SGT for session even though ISE has assigned profile | Network device lacks TrustSec configuration or pxGrid/ERS not configured for sharing | Ensure network device is integrated with ISE and supports TrustSec; verify ERS/pxGrid registration and credentials |
| Multiple SGTs applied or inconsistent behaviors | Duplicate profiles or overlapping rules with conflicting results | Audit policy elements for duplicates; make rules explicit and mutually exclusive where appropriate |
Key Takeaways
- Authorization policies in ISE tie identity and posture to SGTs; SGTs are central to scalable segmentation because they replace IP-based ACLs with role-based enforcement.
- pxGrid and ERS must be enabled on the ISE PAN (and accessible on required ports) so that fabric controllers and management systems can consume identity context and SGT information.
- Rule order matters: place quarantine/noncompliant rules above identity-based rules so failing posture triggers isolation immediately.
- Always verify end-to-end: ISE GUI shows the policy and profile definitions; the fabric edge switch must show the authenticated session and the applied SGT to confirm successful enforcement.
Tip: Treat SGT naming and policy docs as part of change control. In production, inconsistent tags or policy order changes lead to segmentation gaps — use strict documentation and test changes in a lab before production rollout.
This completes Lesson 6: "ISE Authorization for Segmentation". In the next lesson we will cover propagating SGTs and verifying TrustSec flows across the fabric using network assurance and monitoring tools.