topic Re: ISE 2.4 Authorization policy exceptions in Network Access Control

ISE 2.4 Authorization policy exceptions

ssokolic — Thu, 06 Sep 2018 15:17:58 GMT

I deployed a 2.4 ISE .ova in our customers test lab. It's used as our EPNM Radius server. I've created the LDAP external identity source successfully along with authorization profiles. Like I did in ISE 1.4. Now I'm trying to set up Authorization Policy exceptions. The Policy UI in 2.4 is much different from the 1.4 UI. In our 1.4 ISE I was able to define authorization policy exceptions like the attached ISE 1.4 screenshot shows with conditions based on the created LDAP groups. But in 2.4 I'm confused on where I would do this. In the attached ISE 2.4 screenshot I see local exceptions and global exceptions as shown on the default policy. Is this where I would define these exceptions? What would be the difference between local vs. global in this case? If I try to define exceptions like they were defined in the ISE 1.4 instance I don't have any selections containing our defined LDAP groups. My apologies as I'm not a security nor ISE expert by any means. Any help would be greatly appreciated.

Re: ISE 2.4 Authorization policy exceptions

paul — Thu, 06 Sep 2018 17:43:38 GMT

In your 1.4 ISE environment you haven't enabled policy sets which is why the GUI looks different. Policy Sets have been around since 1.2, but they were disabled by default. To mimic the screen shot you want to use the Global Exception. Once you add a line to the Global Exception it will appear in all your policy sets. The Local Exceptions are only applied to the policy set your are in.

Re: ISE 2.4 Authorization policy exceptions

ssokolic — Fri, 07 Sep 2018 21:47:48 GMT

Thanks Paul for the solution. Once I created the new conditions in the global exceptions on the default policy set users now have access to our EPNM servers.