Introduction to Secure Group Tagging (SGT)

Today I am going to talk about Secure Group Tagging (SGT), which is generally used in the Cisco SD-Access design. An SGT is a 16-bit value that Cisco ISE assigns to the user's or endpoint's session upon login.

The network infrastructure views the SGT as just another attribute assigned to the session, and it inserts the tag at Layer 2 into all traffic from that session.

Consider a customer that is a retail organisation. It accepts credit cards from its customers, which places it under the scope of PCI compliance. Access to any server housing credit card data has to be protected as strictly as the available technology allows.

In this customer's case, you can define a rule in Cisco ISE that requires both machine and user authentication (EAP chaining, Extensible Authentication Protocol chaining). The rule also verifies that the user is a member of a PCI group in Active Directory and that the machine's posture is compliant.

Fig 1.1 - Secure Group Tagging

If the user and machine meet all three conditions, then an SGT named "PCI" is assigned. No access is granted to PCI servers without the PCI SGT.

Cisco ISE serves as the single source of truth for which SGTs exist, and it treats an SGT as a policy result. Therefore, you create one SGT result for each SGT you wish to define in the environment.

In order to use SGTs within your infrastructure, your devices must support them. All Cisco switches and wireless controllers that include Cisco TrustSec technology support the assignment of SGTs. An SGT can be assigned dynamically or statically.

Dynamic classification occurs through an authentication sequence: 802.1X, MAB, or web authentication. When authentication isn't available, static classification methods are necessary. In static classification the tag is mapped to something (an IP address, subnet, VLAN, or interface) rather than relying on an authorization result from Cisco ISE.

This process of assigning the SGT is called "classification." These classifications are then carried deeper into the network, where the policy is enforced.
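To make the two classification paths and the PCI rule concrete, here is an added model (not Cisco ISE code, and not from the original post) of dynamic classification from session attributes, static IP-to-SGT mapping with longest-prefix match, and the enforcement check that only the PCI SGT may reach PCI servers. The tag numbers, group names and addresses are constructed for the illustration.

```python
# Added illustration of SGT classification and enforcement; constructed values only.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed 16-bit tag values (ISE would hold the authoritative list).
SGT_PCI, SGT_EMPLOYEE, SGT_UNKNOWN = 10, 5, 0


@dataclass
class Session:
    user_ok: bool                      # EAP chaining: user authenticated
    machine_ok: bool                   # EAP chaining: machine authenticated
    ad_groups: set = field(default_factory=set)
    posture_compliant: bool = False


def classify_dynamic(s: Session) -> int:
    """Dynamic classification: all three PCI conditions must hold for SGT PCI."""
    if s.user_ok and s.machine_ok and "PCI" in s.ad_groups and s.posture_compliant:
        return SGT_PCI
    if s.user_ok and s.machine_ok:      # authenticated but not PCI-eligible
        return SGT_EMPLOYEE
    return SGT_UNKNOWN                  # no usable authentication result


# Static classification: IP/subnet-to-SGT map, most specific prefix wins.
STATIC_MAP = {
    ip_network("10.20.0.0/16"): SGT_EMPLOYEE,   # general corporate range
    ip_network("10.20.99.0/24"): SGT_PCI,       # card-data servers
}


def classify_static(ip: str) -> int:
    addr = ip_address(ip)
    matches = [(net.prefixlen, sgt) for net, sgt in STATIC_MAP.items() if addr in net]
    return max(matches)[1] if matches else SGT_UNKNOWN


def tag_valid(sgt: int) -> bool:
    """An SGT is a 16-bit value."""
    return 0 <= sgt <= 0xFFFF


def enforce(src_sgt: int, dst_sgt: int) -> bool:
    """Policy enforcement: PCI servers accept traffic only from the PCI SGT."""
    if dst_sgt == SGT_PCI:
        return src_sgt == SGT_PCI
    return True


if __name__ == "__main__":
    laptop = Session(True, True, {"PCI"}, posture_compliant=False)
    print(enforce(classify_dynamic(laptop), classify_static("10.20.99.7")))  # False
```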