topic Re: How to configure to process policy set by policy set at ISE 3.0 in Network Access Control

How to configure to process policy set by policy set at ISE 3.0

journey jane — Sat, 07 Jan 2023 04:13:50 GMT

Hello all,

Let me ask some helps regarding ISE multiple policy set, i'm trying to configure my policy sets to get segregate for each.

For example, we have two policy set as (Building1st-Posture-PolicySet and Building2nd-Posture-PolicySet)

For each policy set, i have authorization and authentication policies for multiple departments. As i expected is 'If user not found at Building2nd-Posture-PolicySet and it should not meeting with any authorization profile and it should go on to check user at Building1st-Posture-PolicySet and apply authorization profile accordingly but it does not work as expected and if user not found at Building2nd-Posture-PolicySet, it get reject with Default-Deny of Authorization policy of Building2nd-Posture-PolicySet and did not continue to process top-to-down until Building1st-Posture-PolicySet. So, all of users who are at Building1st-Posture-PolicySet get Deny.

How can i configure to process top-to-down policy set by policy set? Is there anyone experienced about that? Thanks.

Re: How to configure to process policy set by policy set at ISE 3.0

Rob Ingram — Sat, 07 Jan 2023 08:36:02 GMT

@journey jane at present the conditions to match the Policy Sets are identical (Wired Dot1x and Wired MAB). You need to distinguish between them with an additional unique condition. You can group the NAD (switches) for each building in to a different Network Device Group (NDG) and use this in the policy set to distinguish between the different connection requests depending where they are coming from.

I personally would just combine those 2 Policy Sets into 1 and use the different conditions within the authorisation rules to achieve the same result.

Re: How to configure to process policy set by policy set at ISE 3.0

Rodrigo Diaz — Sat, 07 Jan 2023 16:43:44 GMT

Hello @journey jane , the approach that I would take is to add an extra condition within the couple of policy sets that you have created in order to differentiate if the request is coming from building 1 or 2, the easiest way it would be if you create a device group and involves all the NAD that you have in building 1 and then use a condition like the one below ( notice that instead of SWITCH it would have to be the NAD group of building 1) ,

for further reference :

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_secure_wired_access.html#ID1661

Re: How to configure to process policy set by policy set at ISE 3.0

journey jane — Tue, 10 Jan 2023 05:24:40 GMT

Thanks @Rob Ingram for the input. When i modify condition by adding devices group. it works well.

Re: How to configure to process policy set by policy set at ISE 3.0

journey jane — Tue, 10 Jan 2023 05:25:33 GMT

Thanks @Rodrigo Diaz for the input. When i modify condition by adding devices group as you mentioned. it works well.