
ISE 2.4 Authorization policy exceptions

ssokolic
Cisco Employee

I deployed a 2.4 ISE .ova in our customer's test lab. It's used as our EPNM RADIUS server. I've created the LDAP external identity source successfully along with authorization profiles, like I did in ISE 1.4. Now I'm trying to set up Authorization Policy exceptions. The Policy UI in 2.4 is much different from the 1.4 UI. In our 1.4 ISE I was able to define authorization policy exceptions, as the attached ISE 1.4 screenshot shows, with conditions based on the created LDAP groups. But in 2.4 I'm confused on where I would do this. In the attached ISE 2.4 screenshot I see local exceptions and global exceptions as shown on the default policy. Is this where I would define these exceptions? What would be the difference between local vs. global in this case? If I try to define exceptions like they were defined in the ISE 1.4 instance, I don't have any selections containing our defined LDAP groups. My apologies, as I'm not a security or ISE expert by any means. Any help would be greatly appreciated.

 

Accepted Solutions

paul
Level 10

In your 1.4 ISE environment you haven't enabled policy sets, which is why the GUI looks different. Policy Sets have been around since 1.2, but they were disabled by default. To mimic the screenshot you want to use the Global Exception. Once you add a line to the Global Exception it will appear in all your policy sets. The Local Exceptions are only applied to the policy set you are in.

ssokolic
Cisco Employee

Thanks, Paul, for the solution. Once I created the new conditions in the global exceptions on the default policy set, users now have access to our EPNM servers.