An architect is designing an SD-Access fabric for a campus network that requires segmentation of guest, employee, and IoT traffic. The design must use Cisco TrustSec for policy enforcement. Which component is responsible for assigning the Security Group Tag (SGT) to endpoints upon authentication?
ISE authenticates endpoints and assigns SGTs, which are then used for policy enforcement in the fabric.
Why this answer
Cisco ISE is the policy decision point in a TrustSec-enabled SD-Access fabric. When an endpoint authenticates via 802.1X, MAB, or web authentication, ISE evaluates the authentication result and the applicable authorization policy, then dynamically assigns a Security Group Tag (SGT) to the endpoint. This SGT is passed to the network access device (e.g., fabric edge node) via RADIUS attributes in the Access-Accept message, enabling consistent policy enforcement throughout the fabric.
Exam trap
Cisco often tests the distinction between the policy decision point (ISE) and the policy enforcement point (fabric edge node). The trap here is that candidates assume the fabric edge node assigns the SGT because it is the device that applies the tag to packets; in fact the assignment happens during authentication, and it is done by ISE.
How to eliminate wrong answers
Option B is wrong because the fabric edge node is the enforcement point that applies the SGT to traffic based on the tag received from ISE, but it does not assign the SGT itself. Option C is wrong because the fabric control plane node (e.g., LISP map-server) manages endpoint-to-location mappings and handles EID-to-RLOC resolution, not SGT assignment. Option D is wrong because Cisco DNA Center is the management and orchestration platform for the SD-Access fabric; it provisions policies and configurations but does not dynamically assign SGTs during authentication.
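As an added illustration of the mechanism above (not code from the page or from Cisco): a small Python parser that pulls the SGT out of the cisco-av-pair `cts:security-group-tag=<sgt>-<generation>` carried in a RADIUS Access-Accept, the way a fabric edge node consumes the tag ISE assigned at authentication. The packet is constructed inline with a placeholder authenticator, and the endpoint name and SGT value are constructed sample data.

```python
import struct
# RADIUS codes and attribute types (RFC 2865); Vendor-Specific carries Cisco (vendor 9) AV-pairs
ACCESS_ACCEPT, ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC = 2, 1, 26
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1
SGT_PREFIX = "cts:security-group-tag="  # ISE AV-pair form: <sgt hex>-<generation hex>, e.g. 000A-00

def attr(t: int, value: bytes) -> bytes:
    # One RADIUS attribute: Type(1) Length(1) Value
    return struct.pack("!BB", t, 2 + len(value)) + value

def cisco_av_pair(text: str) -> bytes:
    # Vendor-Specific attribute: Vendor-Id(4) then a nested Type/Length/Value for cisco-av-pair
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AV_PAIR, text.encode()))

def build_packet(code: int, attrs: bytes, ident: int = 1) -> bytes:
    # Constructed packet; the 16-byte authenticator is a placeholder (a real NAD verifies it
    # with the shared secret before trusting any attribute in the reply)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

def iter_attrs(blob: bytes, start: int = 0):
    # Walk a TLV run, rejecting lengths that are too short or overrun the buffer
    pos = start
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed attribute length")
        yield t, blob[pos + 2:pos + length]
        pos += length

def extract_sgt(packet: bytes):
    # Return (sgt, generation_id) from an Access-Accept, or None when absent or not an Accept
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None  # only an Accept authorises the endpoint; a Reject carries no usable SGT
    for t, value in iter_attrs(packet, 20):
        if t != ATTR_VENDOR_SPECIFIC or len(value) < 4 or struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for sub_t, sub_v in iter_attrs(value, 4):
            text = sub_v.decode("ascii", errors="replace")
            if sub_t == CISCO_AV_PAIR and text.startswith(SGT_PREFIX):
                tag, _, gen = text[len(SGT_PREFIX):].partition("-")
                return int(tag, 16), int(gen, 16)
    return None

# Constructed sample: ISE accepting an IoT sensor and tagging it with SGT 10 (0x000A)
SAMPLE_ACCEPT = build_packet(ACCESS_ACCEPT, attr(ATTR_USER_NAME, b"iot-sensor-01")
                             + cisco_av_pair(SGT_PREFIX + "000A-00"))
```

The parser deliberately ignores the AV-pair unless the code is Access-Accept and the packet length is consistent, mirroring that the NAD only applies a tag it received as part of a successful authorisation.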