Wireless network users authenticate to Cisco ISE using 802.1X through a Cisco Catalyst switch. An engineer must create an updated configuration to assign a security group tag to the user’s traffic using inline tagging to pr server. The configurations were performed:
- configured the switch as a RADIUS device in Cisco ISE
- configured the wireless LAN controller as a TrustSec device in Cisco ISE
- created a security group tag for the wireless users
- created a certificate authentication profile
- created an identity source sequence
- assigned an appropriate security group tag to the wireless users
- defined security group access control lists to specify an egress policy
- enforced the access control lists on the TrustSec policy matrix in Cisco ISE
- configured TrustSec on the switch
- configured TrustSec on the wireless LAN controller
Which two actions must be taken to complete the configuration? (Choose two.)
- A. Create static IP-to-SGT mapping for the restricted web server.
- B. Configure inline tag propagation on the switch and wireless LAN controller.
- C. Configure Security Group Tag Exchange Protocol to distribute IP to security group tags on Cisco ISE.
- D. Configure Security Group Tag Exchange Protocol on the switch.
- E. Configure Security Group Tag Exchange Protocol on the wireless LAN controller.
Answer(s): A,B
Explanation:
In this TrustSec deployment scenario, the objective is to ensure that wireless network users are tagged with a security group tag (SGT) and that their traffic is properly marked using inline tagging. This allows the policies defined in Cisco ISE, such as preventing unauthenticated users from accessing a restricted server, to be enforced.
The configurations already performed include setting up Cisco ISE as the TrustSec AAA server, configuring TrustSec on both the Catalyst switch and the wireless LAN controller (WLC), and creating the necessary SGT and policies for wireless users.
Two additional actions are required:
1. Static IP-to-SGT Mapping for the Restricted Web Server (Option A): The restricted server is likely a non-authenticating endpoint, so it never receives an SGT through 802.1X. To enforce security policies (for example, denying access to unauthenticated users), Cisco ISE must be aware of the server's SGT. This is achieved by creating a static mapping of the server's IP address to an SGT. With this static mapping in place, the network devices can tag traffic originating from or destined for the server with the appropriate SGT, ensuring that the policy enforced by the TrustSec policy matrix is correctly applied.
2. Inline Tag Propagation on the Switch and Wireless LAN Controller (Option B):
Inline tagging is required to propagate the SGT in the data traffic. Although TrustSec has been configured on the switch and WLC, explicit configuration of inline tag propagation ensures that the SGT assigned by ISE is inserted into the packets as they traverse the network. This tagging is crucial for the downstream enforcement of security policies based on SGTs.
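As an added illustration, not part of the original question or answer, this is what the two missing steps look like on the Catalyst switch in Cisco IOS CLI. The server address (10.10.10.20), the SGT values (100 for the server, 2 for the device-to-device link) and the uplink interface are constructed placeholders; the WLC line at the end assumes AireOS syntax.

```cisco
! --- Catalyst switch (Cisco IOS); all addresses and SGT numbers are placeholders ---

! Option A: static IP-to-SGT mapping for the restricted web server.
! The server does not authenticate, so nothing assigns it an SGT dynamically.
! The same mapping can instead be created centrally in Cisco ISE under the
! TrustSec components and pushed to the devices; defining it on the switch
! is the local equivalent.
cts role-based sgt-map 10.10.10.20 sgt 100

! Apply the SGACLs downloaded from the ISE TrustSec policy matrix on this switch.
cts role-based enforcement

! Option B: inline tag propagation on the link toward the WLC.
! "cts manual" declares the link a TrustSec link without NDAC negotiation;
! "propagate sgt" carries the SGT in the Cisco Meta Data (CMD) header of each
! frame, so the far end reads the tag from the packet itself instead of
! having to learn IP-to-SGT bindings over SXP (which is why Options C-E are
! not needed here). "trusted" accepts the SGT the WLC puts on incoming frames.
interface TenGigabitEthernet1/0/1
 description uplink to wireless LAN controller
 cts manual
  policy static sgt 2 trusted
  propagate sgt

! Verification after the change:
!   show cts role-based sgt-map all                -> lists the 10.10.10.20 -> 100 mapping
!   show cts interface TenGigabitEthernet1/0/1      -> "Propagate SGT: Enabled" on the link
!   show cts role-based permissions                 -> SGACLs pulled from the ISE matrix

! --- Wireless LAN controller (assumed AireOS syntax) ---
! Enables inline tagging on the controller's uplink so it inserts the users'
! SGT into the CMD header toward the switch.
! config cts inline-tag enable
```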