https://community.cisco.com/t5/network-access-control/ise-policy/m-p/3803626#M485054 <P>Trying to understand and apply policy set on ISE 2.4 on the lab environment. Your&nbsp;comments and advice on ISE policy that I just built are appropriated.&nbsp;</P> <OL> <LI><STRONG>Policy set name</STRONG> is self-explanatory</LI> <LI>Conditions: Device must be Wired_802.1x <EM>or</EM> Wired_MAB and be connected to Karim_lab-switch.</LI> <LI>Use the allowed protocols that are in Default Network Access<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Policy set name.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/30296iD9FCA71E6E613BFE/image-size/large?v=v2&amp;px=999" role="button" title="Policy set name.jpg" alt="Policy set name.jpg" /></span></LI> </OL> <P><STRONG>AUTH_C Policy</STRONG></P> <OL> <LI>AUTH_C Policy name is self-explanatory</LI> <LI>Conditions: Device must be Wired_802.1x <EM>or</EM> Wired_MAB and be connected to Karim_lab-switch.</LI> <LI>Use internal users and if it fails continue to default.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AUTH_C Policy.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/30297i73A8100E08BFE4FA/image-size/large?v=v2&amp;px=999" role="button" title="AUTH_C Policy.jpg" alt="AUTH_C Policy.jpg" /></span></LI> </OL> <P>&nbsp;</P> <P><STRONG>AUTH_Z Policy</STRONG></P> <OL> <LI>AUTH_Z Policy name is self-explanatory</LI> <LI>Conditions: Device must be Wired_802.1x <EM>or</EM> Wired_MAB and be connected to Karim_lab-switch.</LI> <LI>Result : Permit access to Karim_lab-switch.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AUTH_Z Policy.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/30298i8F878B17517211CC/image-size/large?v=v2&amp;px=999" role="button" title="AUTH_Z Policy.jpg" alt="AUTH_Z Policy.jpg" /></span></LI> </OL> Sun, 17 Feb 2019 17:36:16 GMT BigK 2019-02-17T17:36:16Z https://community.cisco.com/t5/network-access-control/ise-policy/m-p/3803626#M485054 <P>Trying to understand and apply policy set on ISE 2.4 on the lab environment. Your&nbsp;comments and advice on ISE policy that I just built are appropriated.&nbsp;</P> <OL> <LI><STRONG>Policy set name</STRONG> is self-explanatory</LI> <LI>Conditions: Device must be Wired_802.1x <EM>or</EM> Wired_MAB and be connected to Karim_lab-switch.</LI> <LI>Use the allowed protocols that are in Default Network Access<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Policy set name.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/30296iD9FCA71E6E613BFE/image-size/large?v=v2&amp;px=999" role="button" title="Policy set name.jpg" alt="Policy set name.jpg" /></span></LI> </OL> <P><STRONG>AUTH_C Policy</STRONG></P> <OL> <LI>AUTH_C Policy name is self-explanatory</LI> <LI>Conditions: Device must be Wired_802.1x <EM>or</EM> Wired_MAB and be connected to Karim_lab-switch.</LI> <LI>Use internal users and if it fails continue to default.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AUTH_C Policy.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/30297i73A8100E08BFE4FA/image-size/large?v=v2&amp;px=999" role="button" title="AUTH_C Policy.jpg" alt="AUTH_C Policy.jpg" /></span></LI> </OL> <P>&nbsp;</P> <P><STRONG>AUTH_Z Policy</STRONG></P> <OL> <LI>AUTH_Z Policy name is self-explanatory</LI> <LI>Conditions: Device must be Wired_802.1x <EM>or</EM> Wired_MAB and be connected to Karim_lab-switch.</LI> <LI>Result : Permit access to Karim_lab-switch.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AUTH_Z Policy.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/30298i8F878B17517211CC/image-size/large?v=v2&amp;px=999" role="button" title="AUTH_Z Policy.jpg" alt="AUTH_Z Policy.jpg" /></span></LI> </OL> Sun, 17 Feb 2019 17:36:16 GMT https://community.cisco.com/t5/network-access-control/ise-policy/m-p/3803626#M485054 BigK 2019-02-17T17:36:16Z https://community.cisco.com/t5/network-access-control/ise-policy/m-p/3803749#M485056 <P>You are using AND operation in your configuration which wrong and should be OR. Also, you can't have two authorization profiles as result in one rule</P> Mon, 18 Feb 2019 08:04:00 GMT https://community.cisco.com/t5/network-access-control/ise-policy/m-p/3803749#M485056 Mohammed al Baqari 2019-02-18T08:04:00Z https://community.cisco.com/t5/network-access-control/ise-policy/m-p/3803811#M485060 Based on your screenshot a device needs to be authenticated with bot dot1x AND mab. Your permit access authorization policies will conflict your karim_lab_switch authorization policy. What is you are trying to do? Device admin? or dot1x for a network device? Mon, 18 Feb 2019 06:08:30 GMT https://community.cisco.com/t5/network-access-control/ise-policy/m-p/3803811#M485060 socratesp1980 2019-02-18T06:08:30Z https://community.cisco.com/t5/network-access-control/ise-policy/m-p/3803853#M485064 <P>Hi,</P> <P>Change the AND condition with OR, it can not be 802.1X and MAB.</P> <P>Also the Authorz Profile is wrong, choose one of them.</P> <P>&nbsp;</P> Mon, 18 Feb 2019 07:38:44 GMT https://community.cisco.com/t5/network-access-control/ise-policy/m-p/3803853#M485064 bern81 2019-02-18T07:38:44Z https://community.cisco.com/t5/network-access-control/ise-policy/m-p/3804250#M485066 <P>&nbsp;</P> <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/292493">@Mohammed al Baqari</a></P> <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/266761">@socratesp1980</a></P> <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/529249">@bern81</a></P> <P>Thanks!</P> <P>&nbsp;</P> <P>what I am trying to do is to have devices&nbsp;connected to other switches won't match my policy set.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ISE_POLCY_SET.JPG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/30345iE5B10D614D3CC592/image-size/large?v=v2&amp;px=999" role="button" title="ISE_POLCY_SET.JPG" alt="ISE_POLCY_SET.JPG" /></span></P> <P>&nbsp;</P> Mon, 18 Feb 2019 17:17:33 GMT https://community.cisco.com/t5/network-access-control/ise-policy/m-p/3804250#M485066 BigK 2019-02-18T17:17:33Z https://community.cisco.com/t5/network-access-control/ise-policy/m-p/3804484#M485068 Thats fine. Change and to or and have single profile in authorization. It will do what you want Tue, 19 Feb 2019 00:24:43 GMT https://community.cisco.com/t5/network-access-control/ise-policy/m-p/3804484#M485068 Mohammed al Baqari 2019-02-19T00:24:43Z https://community.cisco.com/t5/network-access-control/ise-policy/m-p/3806120#M485071 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/292493">@Mohammed al Baqari</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks Mo!</P> <P>could you kindly show me how to achieve that with a&nbsp;<SPAN>single profile in authorization ? </SPAN></P> <P>&nbsp;</P> <P><SPAN>Much appreciate&nbsp;it!</SPAN></P> <P>&nbsp;</P> Wed, 20 Feb 2019 18:40:39 GMT https://community.cisco.com/t5/network-access-control/ise-policy/m-p/3806120#M485071 BigK 2019-02-20T18:40:39Z