topic Re: ISE Policy Set Question in Network Access Control

ISE Policy Set Question

benolyndav — Thu, 04 Aug 2022 15:25:54 GMT

We have an exisiting ISE deployment and I am in the middle of trying to set up anyconnect, would I be best creating a new policy set for anyconnect use and would this interfere with the esisting Policy Set.?

Also whats the best way to create a Radius rule for Anyconnect I have a AD group for the authorisation so was thinking of for AuthZ

policy =

Network Device Firewall and AD group = then AuthZ profile for a DACL for Anyconnect users.

is this ok .??

Thanks

Re: ISE Policy Set Question

Rob Ingram — Thu, 04 Aug 2022 15:38:38 GMT

@benolyndav if this is for AnyConnect users for Remote Access, then yes personally I'd setup a Policy Set which is separate to Wired/Wireless. You can match on a condition of the NAS IP address of the Firewall (ASA/FTD) for the Policy Set, which would therefore not apply to existing Wired/Wireless policy set - though that depends on the condition you already use.

For specific Authorisation rules you can match on the AD Group(s), if multiple tunnel-groups you can match on the ASA/FTD tunnel group - use the condition "Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type" EQUAL <tunnel-group name>

Re: ISE Policy Set Question

benolyndav — Thu, 04 Aug 2022 16:50:51 GMT

Hi Rob
so .

1.new policy set

2.Authentication = Radius Nas IP Address + x.x.x.x, is radius allowe when using default network access as allowed protocols.??

also the below looks like something i will use can it be used for FTD.?

also are policy sets/rules checked ina top down fashion untill a match is found ??

Thanks

Re: ISE Policy Set Question

Rob Ingram — Thu, 04 Aug 2022 16:58:22 GMT

Hi @benolyndav

Create a new Policy Set, the condition to match the Policy Set can be "Radius Nas IP Address + x.x.x.x". Yes, the Policy Sets are matched top down, if the connection request does not come from the FTD, then the next policy set would be attempted.

Yes, the authorisation rule example would work - the FTD uses the same RADIUS attributes as the ASA. Authorisation Rules are also matched from top down, until a match found.