topic Re: ISE Configuration Tidy up tips and tricks in Network Access Control

ISE Configuration Tidy up tips and tricks

SamSmith3 — Fri, 16 Dec 2022 10:44:07 GMT

Hi all,

I am in the process of auditing and tidying up the configuration of our Cisco ISE 3.0 deployment. I would like to do the following as was hoping that there was an easier way to see the relationships between policy sets, Authz Policies, DACLs etc and find what is in use/not in use so I can have a clear out.

- Define the relationships between Policy sets | AuthZ Policies | Authz Profiles | DACLs and so forth

- Define and remove any unused Authz Profiles | DACLs and so forth

- An export of all policy sets and components into CSV of something easier to read rather than going through each one

- An export of all Authz Profiles and components including DACLs into CSV of something easier to read rather than going through each one

- An Export of the portals we have and their components into CSV of something easier to read rather than going through each one

Any help is most appreciated.

Thanks

Sam

Re: ISE Configuration Tidy up tips and tricks

Marcelo Morais — Fri, 16 Dec 2022 12:21:51 GMT

Hi @SamSmith3 ,

1st at Administration > System > Backup & Restore > Policy Export > click the Export Now (Encryption: Export without encryption & Destination: Download file to local computer) ... to download a PolicyConfig.xml file (you can also do this via Support Bundle when you choose Include Policy Configuration).

2nd at PolicyConfig.xml:

a. all <radiusPolicySet> have a:

<name> Policy Set Name </name>
<rank> Position in the Policy Set </rank>
<allowedProtocols> Allowed Protocol Name </allowedProtocols>
<status> ENABLED/DISABLED </status>

b. all <authorRules> have a:

<name> Rule Name </name>
<profiles> Authorization Profile Name </profiles>
<rank> Position in the Rule </rank>
<status> ENABLED/DISABLE </status>

c. all <AznResults> have a:

<Profile description="Authz Profile Description" nadProfileName="NAD Name" name="Name of the Authz Profile">
<option name="Attributes Details">DACL = DACL Name</option>

3rd. for clean up ... check (CRTL-F the PolicyConfig.xml) for:

a. a name="Name of the Authz Profile" inside the <AznResults>, if there is ONLY one match, then you are able to remove this AuthZ Profile.

b. to remove an unused dACL, you must get the name of each dACL (at Policy > Policy Elements > Results > Authorization > Downloadable ACLs) and CTRL-F the PolicyConfig.xml, if there is NO match, then you are able to remove this dACL.

Hope this helps !!!

Re: ISE Configuration Tidy up tips and tricks

SamSmith3 — Fri, 16 Dec 2022 12:21:17 GMT

That's great this really is helpful thank you so much!