Default ISE 2.1 policies

powys
Level 1

As a migration from ACS to ISE seems to devour the ISE default policies (meaning - as far as I can tell - that you've got to either clone-and-default or spin up a fresh ISE VM in order to get a copy of them) I've put a copy of them here. The steps below will recreate your out-of-the-box Authorization Policies.

Hopefully someone will find this useful.

Wireless Black List Default
ENABLED
If Endpoint Identity Groups -> Blacklist
AND Select Existing Condition from Library -> Compound Conditions -> Wireless_Access
Then Standard -> Blackhole_Wireless_Access

Profiled Cisco IP Phones
ENABLED
If Endpoint Identity Groups -> Profiled -> Cisco-IP-Phone
Then Standard -> Cisco_IP_Phones

Profiled Non Cisco IP Phones
ENABLED
If Any AND Select Existing Condition from Library -> Compound Conditions -> Non_Cisco_Profiled_Phones
Then Standard -> Non_Cisco_IP_Phones

Compliant_Devices_Access
DISABLED
If Any AND Compound Conditions -> Network_Access_Authentication_Passed
AND Add Condition from Library -> Compound Conditions -> Compliant_Devices
Then Standard -> PermitAccess

Employee_EAP_TLS
DISABLED
If Any AND Select Existing Condition from Library -> Compound Conditions -> Wireless_802.1X
AND Add Condition from Library -> Compound Conditions -> BYOD_is_Registered
AND Add Condition from Library -> Compound Conditions -> EAP-TLS
AND Add Condition from Library -> Compound Conditions -> MAC_in_SAN
Then Standard -> PermitAccess
AND Security Group -> BYOD

Employee_Onboarding
DISABLED
If Any AND Select Existing Condition from Library -> Compound Conditions -> Wireless_802.1X
AND Add Condition from Library -> Compound Conditions -> EAP-MSCHAPv2
Then Standard -> NSP_Onboard
AND Security Group -> BYOD

Wi-Fi_Guest_Access
DISABLED
If Any AND Select Existing Condition from Library -> Compound Conditions -> Guest_Flow
AND Add Condition from Library -> Compound Conditions -> Wireless_MAB
Then Standard -> PermitAccess
AND Security Group -> Guests

Wi-Fi_Redirect_to_Guest_Login
DISABLED
If Any AND Select Existing Condition from Library -> Compound Conditions -> Wireless_MAB
Then Standard -> Cisco_WebAuth

Basic_Authenticated_Access
ENABLED
If Any AND Compound Conditions -> Network_Access_Authentication_Passed
Then Standard -> PermitAccess

Default
ENABLED
If no matches, then Standard -> DenyAccess

If Default has been renamed Basic_Authenticated_Access (it had been on ours), you'll need to set it as above, then call your Basic_Authenticated_Access rule something else.

------------

If you've followed Jason Kunst's excellent ISE 2.0 Wireless Guest Setup Guide, then you'll also want to do the following if your guest rules have been eaten:

Enable the above Wi-Fi_Redirect_to_Guest_Login rule

GuestPermit
ENABLED
If Endpoint Identity Groups -> GuestEndpoints
AND Add Condition from Library -> Compound Conditions -> Wireless_MAB
Then Standard -> PermitAccess
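The rules above are evaluated top to bottom and the first enabled rule whose conditions all hold decides the result, with Default catching everything else. The following is an added example, not part of the original post and not Cisco ISE code: it models a subset of the listed rules in Python to show why the order and the ENABLED/DISABLED flags matter (a blacklisted endpoint that authenticated successfully still hits the Blackhole rule because it sits above Basic_Authenticated_Access, and a wireless MAB session lands on DenyAccess until the guest rules are enabled). The condition functions are simplified stand-ins for the ISE library compound conditions named in the post (an assumption; the real ones check more RADIUS attributes), and the session dictionaries are constructed sample input.

```python
"""First-match evaluation of a subset of the ISE 2.1 default authorization rules.

Constructed model for illustration; not the ISE policy engine.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Session = Dict[str, object]
Condition = Callable[[Session], bool]


# Simplified stand-ins for the library compound conditions (assumption:
# the real conditions check additional RADIUS attributes).
def wireless_access(s: Session) -> bool:
    return s.get("nas_port_type") == "Wireless - IEEE 802.11"


def wireless_mab(s: Session) -> bool:
    # MAB requests arrive with Service-Type = Call Check
    return wireless_access(s) and s.get("service_type") == "Call Check"


def auth_passed(s: Session) -> bool:
    return s.get("authentication_passed") is True


def guest_flow(s: Session) -> bool:
    return s.get("guest_flow") is True


def compliant(s: Session) -> bool:
    return s.get("posture") == "Compliant"


def in_group(name: str) -> Condition:
    """Endpoint Identity Group membership check."""
    return lambda s: name in s.get("endpoint_groups", ())


@dataclass
class Rule:
    name: str
    enabled: bool
    conditions: List[Condition]
    profiles: List[str]
    security_group: Optional[str] = None

    def matches(self, s: Session) -> bool:
        # A disabled rule never matches; an enabled one needs every condition.
        return self.enabled and all(c(s) for c in self.conditions)


# Same order and same enabled flags as the post; first match wins.
RULES: List[Rule] = [
    Rule("Wireless Black List Default", True,
         [in_group("Blacklist"), wireless_access], ["Blackhole_Wireless_Access"]),
    Rule("Profiled Cisco IP Phones", True,
         [in_group("Cisco-IP-Phone")], ["Cisco_IP_Phones"]),
    Rule("Compliant_Devices_Access", False,
         [auth_passed, compliant], ["PermitAccess"]),
    Rule("Wi-Fi_Guest_Access", False,
         [guest_flow, wireless_mab], ["PermitAccess"], "Guests"),
    Rule("Wi-Fi_Redirect_to_Guest_Login", False,
         [wireless_mab], ["Cisco_WebAuth"]),
    Rule("Basic_Authenticated_Access", True,
         [auth_passed], ["PermitAccess"]),
]
DEFAULT = Rule("Default", True, [], ["DenyAccess"])


def authorize(s: Session, rules: List[Rule] = RULES) -> Tuple[str, List[str]]:
    """Return (rule name, authorization profiles) for the first matching rule."""
    for rule in rules:
        if rule.matches(s):
            return rule.name, rule.profiles
    return DEFAULT.name, DEFAULT.profiles


def with_enabled(rules: List[Rule], names: List[str]) -> List[Rule]:
    """Copy of the rule list with the named rules switched to ENABLED."""
    return [Rule(r.name, r.enabled or r.name in names, r.conditions,
                 r.profiles, r.security_group) for r in rules]


# Constructed sample sessions
BLACKLISTED = {"nas_port_type": "Wireless - IEEE 802.11", "service_type": "Framed",
               "authentication_passed": True, "endpoint_groups": ["Blacklist"]}
GUEST_MAB = {"nas_port_type": "Wireless - IEEE 802.11", "service_type": "Call Check",
             "authentication_passed": False}
WIRED_DOT1X = {"nas_port_type": "Ethernet", "service_type": "Framed",
               "authentication_passed": True}

if __name__ == "__main__":
    print(authorize(BLACKLISTED))   # Blackhole wins over Basic_Authenticated_Access
    print(authorize(GUEST_MAB))     # DenyAccess: guest rules are still disabled
    print(authorize(GUEST_MAB, with_enabled(RULES, ["Wi-Fi_Redirect_to_Guest_Login"])))
    print(authorize(WIRED_DOT1X))   # PermitAccess via Basic_Authenticated_Access
```

Run it as-is to see the four outcomes; changing the order of the list (for instance moving Basic_Authenticated_Access above the Blackhole rule) is the quickest way to see how a rebuilt policy set can silently grant access it should not.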
