Solution Overview

You can use Cisco Identity Services Engine (ISE) to define and use security group tags (SGTs) for classifying traffic in a Cisco TrustSec network. SGTs specify the privileges of a traffic source within a trusted network. Cisco ISE and Cisco TrustSec use a feature called Security Group Access (SGA) to apply SGT attributes to packets as they enter the network. These SGTs correspond to a user's assigned security group within ISE or TrustSec. If you configure ISE as an identity source, Secure Access can use these SGTs to filter traffic.

With this integration, Cisco Secure Access administrators can use the rich enterprise context shared from Cisco ISE to configure simpler yet granular policy control over branch users' access to internet and SaaS applications. Cisco ISE, in conjunction with Catalyst SD-WAN, shares the network context (ISE SGTs and SD-WAN VPN IDs) with Cisco Secure Access.

Use cases for context-aware security enforcement can revolve around employees, guests, or IoT networks behind a Catalyst SD-WAN branch that need to securely access internet/SaaS applications, with Cisco Secure Access providing cloud-based security enforcement.
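The following is an added, constructed model of the context-aware enforcement described above; it is not Cisco Secure Access's policy engine and uses no Cisco API. It assumes that each flow arriving from a Catalyst SD-WAN branch carries the SGT applied at ingress and the SD-WAN VPN ID of its segment, and that rules are evaluated first-match-wins with an explicit default deny. The SGT numbers, VPN IDs, rule names and destination categories are illustrative values chosen for the example.

```python
"""Constructed example: evaluating access policy on ISE SGT + SD-WAN VPN ID context.

Illustrative only; not Cisco Secure Access code or a Cisco API. All tag values,
VPN IDs, rule names and destination categories below are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed SGT values. TrustSec reserves SGT 0 as "Unknown" (traffic that
# received no tag at ingress); the remaining numbers are assumptions.
SGT_UNKNOWN = 0
SGT_EMPLOYEE = 10
SGT_GUEST = 20
SGT_IOT = 30


@dataclass(frozen=True)
class Flow:
    src_ip: str
    sgt: int            # security group tag applied when the packet entered the branch
    vpn_id: int         # Catalyst SD-WAN VPN (segment) the flow belongs to
    dst_category: str   # destination classification, e.g. "saas", "internet", "malware"


@dataclass(frozen=True)
class Rule:
    name: str
    sgts: Optional[FrozenSet[int]]              # None = any SGT
    vpn_ids: Optional[FrozenSet[int]]           # None = any VPN
    dst_categories: Optional[FrozenSet[str]]    # None = any destination
    action: str                                 # "allow" or "block"

    def matches(self, flow: Flow) -> bool:
        """A rule matches only when every non-wildcard condition holds, so
        SGT and VPN ID are combined rather than either one alone granting access."""
        return ((self.sgts is None or flow.sgt in self.sgts)
                and (self.vpn_ids is None or flow.vpn_id in self.vpn_ids)
                and (self.dst_categories is None or flow.dst_category in self.dst_categories))


# Ordered rule set (assumed layout): first match wins, no match falls through to deny.
POLICY: List[Rule] = [
    Rule("block-malware-everyone", None, None, frozenset({"malware"}), "block"),
    Rule("employees-saas-and-internet", frozenset({SGT_EMPLOYEE}), frozenset({1}),
         frozenset({"saas", "internet"}), "allow"),
    Rule("guests-internet-only", frozenset({SGT_GUEST}), frozenset({2}),
         frozenset({"internet"}), "allow"),
    Rule("iot-vendor-saas-only", frozenset({SGT_IOT}), frozenset({3}),
         frozenset({"saas"}), "allow"),
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, rule_name) for a flow.

    Untagged traffic (SGT 0) is denied before rule evaluation, so a missing
    or stripped tag can never match a rule written for a specific group."""
    if flow.sgt == SGT_UNKNOWN:
        return ("block", "default-deny-untagged")
    for rule in policy:
        if rule.matches(flow):
            return (rule.action, rule.name)
    return ("block", "default-deny")


# Constructed sample flows exercising the main cases.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", SGT_EMPLOYEE, 1, "saas"),       # employee in the employee VPN
    Flow("10.1.1.5", SGT_EMPLOYEE, 1, "malware"),    # blocked regardless of group
    Flow("10.2.1.7", SGT_GUEST, 2, "internet"),      # guest, internet only
    Flow("10.2.1.7", SGT_GUEST, 2, "saas"),          # guest reaching SaaS: no rule
    Flow("10.2.1.7", SGT_GUEST, 1, "internet"),      # guest tag seen in the wrong VPN
    Flow("10.3.1.9", SGT_IOT, 3, "internet"),        # IoT device to general internet
    Flow("10.9.9.9", SGT_UNKNOWN, 1, "internet"),    # arrived without an SGT
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, rule = evaluate(f)
        print(f"{f.src_ip:<10} sgt={f.sgt:<3} vpn={f.vpn_id} dst={f.dst_category:<9} -> {action} ({rule})")
```

The two points worth noticing are that the guest SGT seen inside VPN 1 is denied even though the tag itself is valid, because the rule requires both pieces of context to agree, and that untagged traffic never reaches the rule list at all.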

Note:

For information about context sharing with Cisco Catalyst SD-WAN, see Integrate Catalyst SD-WAN with Secure Access.
