Manage Security Group Tags

A Security Group Tag (SGT) specifies the privileges of a traffic source within a trusted network. Cisco ISE and Cisco TrustSec use a feature called Security Group Access (SGA) to apply SGT attributes to packets as they enter the network. These SGTs correspond to a user's assigned security group within ISE or TrustSec. If you configure ISE as an identity source, Secure Access can use these SGTs to filter traffic.

Source Security Group Tag (SGT) Matching

If you use ISE to define and use security group tags (SGTs) for classifying traffic in a Cisco TrustSec network, you can write access control rules that use the SGT as a source matching criterion. This enables you to block or allow access based on security group membership rather than IP addresses or network objects.

Limitations:

  • Security Group Tags can only be used as source and not destination matching criteria in access control rules.
  • RA-VPNs do not receive SGT mappings directly through RADIUS.
