09-24-2024 11:17 AM
Hey guys,
I am migrating an old ISE 2.1 configuration to a new ISE 3.3 by just copying the configs. As I reach the Authorization policies on ISE 2.1, I noticed that when you construct a policy you can choose an identity group and a condition, but in the identity group you can choose (Any) so that all user and endpoint identity groups are included in the policy. I cannot find that in the new ISE 3.3. How can I include all identity groups in an authorization policy on ISE 3.3?
09-24-2024 12:09 PM
09-24-2024 02:06 PM
Hi @nalhafnawi
Yes, that condition is a leftover from an old version of ISE. Effectively, that condition will always match, by nature of the fact that an Endpoint must be in one Endpoint Group, and "any" will make that True. And to be honest, that statement is redundant, and you could use the Default (the final line) because that has the same meaning. However, some people like creating this penultimate Rule for documentation purposes, so that you can give this Rule a meaningful name (not "Default") and then later find the Authorization Rule in your Live Logs. A substitute for your "If Any" would be the one shown in red below:
In the case of MAB, be careful though. If you have set the Authentication Policy Option "If User Not Found then CONTINUE", then the condition "AuthenticationPassed" will be FALSE. Think it through, and if you have this case, and you want to treat an unknown endpoint the same as a known endpoint in the final "Catchall", then you can do this (I use this Catchall logic for all my wired MAB Authorization Rules, and it always matches - the Default Rule gets no hits at all - which is what you want).
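To make the two points in the reply above concrete (an "Any" identity-group rule always matches, and a catchall keyed only on AuthenticationPassed misses MAB endpoints that were allowed to CONTINUE when the user was not found), here is an added toy first-match policy evaluator. It is example code written for this thread, not ISE code or a Cisco API; the session attribute names `IdentityGroup` and `AuthenticationStatus` and the status values `UnknownUser` / `AuthenticationPassed` are assumptions modelled on the ISE Network Access dictionary, and the three sessions are constructed samples.

```python
"""Toy first-match authorization policy evaluator (added example, not ISE code).

ISE walks an Authorization Policy top to bottom and uses the first rule whose
condition is true, falling through to the Default rule otherwise. This model
reproduces that to show which rule gets the hit for three policies.
Attribute and status names are assumptions, not taken from the original post.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Session = Dict[str, str]
Condition = Callable[[Session], bool]


@dataclass
class Rule:
    name: str
    condition: Condition
    profile: str


def identity_group_any(_: Session) -> bool:
    # Every endpoint/user belongs to some identity group, so "Any" is always True.
    return True


def identity_group_is(group: str) -> Condition:
    return lambda s: s.get("IdentityGroup") == group


def auth_status_is(status: str) -> Condition:
    # Assumed attribute, modelled on Network Access:AuthenticationStatus.
    return lambda s: s.get("AuthenticationStatus") == status


def any_of(*conds: Condition) -> Condition:
    return lambda s: any(c(s) for c in conds)


DEFAULT = Rule("Default", lambda s: True, "DenyAccess")


def evaluate(rules: List[Rule], default: Rule, session: Session) -> Tuple[str, str]:
    """Return (matched rule name, authorization profile); first match wins."""
    for rule in rules:
        if rule.condition(session):
            return rule.name, rule.profile
    return default.name, default.profile


# Policy 1: legacy "If Any" penultimate rule. Always matches, so Default is never hit.
POLICY_ANY = [
    Rule("Printers", identity_group_is("Printers"), "Printer_Profile"),
    Rule("Catchall_Any", identity_group_any, "Limited_Access"),
]

# Policy 2: catchall keyed on AuthenticationPassed only.
POLICY_AUTHPASSED = [
    Rule("Printers", identity_group_is("Printers"), "Printer_Profile"),
    Rule("Catchall_AuthPassed", auth_status_is("AuthenticationPassed"), "Limited_Access"),
]

# Policy 3: catchall that also accepts the unknown-endpoint case produced by
# "If User Not Found then CONTINUE" on a MAB authentication policy.
POLICY_MAB_CATCHALL = [
    Rule("Printers", identity_group_is("Printers"), "Printer_Profile"),
    Rule("Catchall_MAB",
         any_of(auth_status_is("AuthenticationPassed"), auth_status_is("UnknownUser")),
         "Limited_Access"),
]

# Constructed sample sessions (not real Live Log data).
KNOWN_PRINTER = {"IdentityGroup": "Printers", "AuthenticationStatus": "AuthenticationPassed"}
KNOWN_OTHER = {"IdentityGroup": "Workstation", "AuthenticationStatus": "AuthenticationPassed"}
UNKNOWN_MAB = {"IdentityGroup": "Unknown", "AuthenticationStatus": "UnknownUser"}
SESSIONS = [KNOWN_PRINTER, KNOWN_OTHER, UNKNOWN_MAB]


def hit_counts(rules: List[Rule], sessions: List[Session]) -> Dict[str, int]:
    """Count hits per rule name, the way you would eyeball Live Logs."""
    counts: Dict[str, int] = {}
    for s in sessions:
        name, _ = evaluate(rules, DEFAULT, s)
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for label, policy in [("Any", POLICY_ANY),
                          ("AuthPassed only", POLICY_AUTHPASSED),
                          ("MAB catchall", POLICY_MAB_CATCHALL)]:
        print(f"{label:16s} -> {hit_counts(policy, SESSIONS)}")
```

Running it shows that with the "Any" rule and with the MAB-aware catchall the Default rule gets zero hits, while with the AuthenticationPassed-only catchall the unknown MAB endpoint falls through to Default, which is the case the reply warns about.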