I have a question regarding the policy support for the MS390 and Adaptive Policy. Wondering if ISE is the only supported solution or if other competitive solutions are supported to build the policies. I have a customer asking this. Thanks
ISE provides the Authorization in this case by matching a session based on user credentials and context. ISE usually also has the SGT's. But the policies are defined in dashboard. Because it's there you will say which SGT can reach which SGT or not.
I could be wrong but I believe if your own radius solution can return the correct av-pair to the switch you could assign SGT's to usersessions.
ISE is not required but does make assigning SGTs to an Access_accept incredibly easy. You can assign tags in a few ways. 1. Statically to a switchport or an SSID, dynamically via RADIUS av-pair, and in the near future, you will be able to create Network Object Groups and map them to SGTs as a fallback tagging mechanism.