765 Views, 20 Helpful, 6 Replies

ISE policy

BigK, Level 1

Trying to understand and apply a policy set on ISE 2.4 in the lab environment. Your comments and advice on the ISE policy that I just built are appreciated.

  1. Policy set name is self-explanatory
  2. Conditions: Device must be Wired_802.1x or Wired_MAB and be connected to Karim_lab-switch.
  3. Use the allowed protocols that are in Default Network Access. (Policy set name.jpg)

AUTH_C Policy

  1. AUTH_C Policy name is self-explanatory
  2. Conditions: Device must be Wired_802.1x or Wired_MAB and be connected to Karim_lab-switch.
  3. Use internal users and if it fails continue to default. (AUTH_C Policy.jpg)

 

AUTH_Z Policy

  1. AUTH_Z Policy name is self-explanatory
  2. Conditions: Device must be Wired_802.1x or Wired_MAB and be connected to Karim_lab-switch.
  3. Result: Permit access to Karim_lab-switch. (AUTH_Z Policy.jpg)
6 Replies

You are using an AND operation in your configuration, which is wrong and should be OR. Also, you can't have two authorization profiles as the result in one rule.

socratesp1980, Level 1
Based on your screenshot a device needs to be authenticated with both dot1x AND mab. Your permit access authorization policies will conflict with your karim_lab_switch authorization policy. What are you trying to do? Device admin? Or dot1x for a network device?

Hi,

Change the AND condition to OR; it cannot be 802.1X and MAB.

Also the Authorization Profile is wrong, choose one of them.

 

 

@Mohammed al Baqari

@socratesp1980

@bern81

Thanks!

 

What I am trying to do is to have devices connected to other switches not match my policy set.

(ISE_POLCY_SET.JPG)

 

That's fine. Change AND to OR and have a single profile in authorization. It will do what you want.

@Mohammed al Baqari 

 

Thanks Mo!

could you kindly show me how to achieve that with a single profile in authorization ?

 

Much appreciated!
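The point the replies make (a single request can never satisfy Wired_802.1X AND Wired_MAB, so the two must be joined with OR and then ANDed with the switch match) can be checked outside ISE. The following is an added Python model, not code from the thread or from Cisco: it encodes the two ISE library conditions with their default RADIUS attribute values, evaluates the screenshot's AND version and the corrected OR version against a few constructed requests, and then runs the top-down, first-match policy-set selection so that requests from other switches fall through to the Default set. The device names access-sw-02 and lab-wlc are hypothetical; Karim_lab-switch is the name used in the thread.

```python
# Added example, not from the original thread: a small model of how ISE
# evaluates policy-set conditions on one RADIUS request. It shows why joining
# Wired_802.1X and Wired_MAB with AND never matches (a request carries exactly
# one Service-Type) and why (Wired_802.1X OR Wired_MAB) AND a device-name check
# scopes the set to Karim_lab-switch. The attribute values in the two library
# conditions are the ISE defaults; every sample request below is constructed.

LAB_SWITCH = "Karim_lab-switch"   # name from the thread


def wired_dot1x(req):
    """ISE library condition Wired_802.1X:
    Radius:NAS-Port-Type EQUALS Ethernet AND Radius:Service-Type EQUALS Framed."""
    return req["NAS-Port-Type"] == "Ethernet" and req["Service-Type"] == "Framed"


def wired_mab(req):
    """ISE library condition Wired_MAB:
    Radius:NAS-Port-Type EQUALS Ethernet AND Radius:Service-Type EQUALS Call Check."""
    return req["NAS-Port-Type"] == "Ethernet" and req["Service-Type"] == "Call Check"


def from_lab_switch(req):
    """DEVICE:Device Name EQUALS Karim_lab-switch (the network device object
    ISE resolved the request's source address to)."""
    return req["Device Name"] == LAB_SWITCH


def wrong_condition(req):
    """The screenshot's logic: Wired_802.1X AND Wired_MAB AND device match."""
    return wired_dot1x(req) and wired_mab(req) and from_lab_switch(req)


def fixed_condition(req):
    """The replies' advice: (Wired_802.1X OR Wired_MAB) AND device match."""
    return (wired_dot1x(req) or wired_mab(req)) and from_lab_switch(req)


# Constructed sample requests; keys are the RADIUS/DEVICE dictionary attributes
# the conditions read (a real request carries many more).
SAMPLES = {
    "dot1x_on_lab_switch": {"NAS-Port-Type": "Ethernet", "Service-Type": "Framed",
                            "Device Name": LAB_SWITCH},
    "mab_on_lab_switch": {"NAS-Port-Type": "Ethernet", "Service-Type": "Call Check",
                          "Device Name": LAB_SWITCH},
    "dot1x_on_other_switch": {"NAS-Port-Type": "Ethernet", "Service-Type": "Framed",
                              "Device Name": "access-sw-02"},      # hypothetical NAD
    "wireless_on_lab_wlc": {"NAS-Port-Type": "Wireless - IEEE 802.11",
                            "Service-Type": "Framed",
                            "Device Name": "lab-wlc"},             # hypothetical NAD
}

# Policy sets are evaluated top-down and the first match wins; the built-in
# Default set (condition always true) catches whatever did not match above it.
POLICY_SETS = [
    ("Karim_lab", fixed_condition),
    ("Default", lambda req: True),
]


def evaluate(condition, samples=SAMPLES):
    """Map each constructed request name to whether the condition matches it."""
    return {name: condition(req) for name, req in samples.items()}


def select_policy_set(req, policy_sets=POLICY_SETS):
    """Name of the first policy set whose condition matches the request."""
    for name, condition in policy_sets:
        if condition(req):
            return name
    return None


if __name__ == "__main__":
    print("AND version:", evaluate(wrong_condition))
    print("OR version: ", evaluate(fixed_condition))
    for name, req in SAMPLES.items():
        print(f"{name:24s} -> {select_policy_set(req)}")
```

Running it shows the AND version matching nothing at all, the OR version matching only the two Ethernet requests from Karim_lab-switch, and every other request landing in Default, which is exactly the scoping the original poster asked for. The authorization rule inside the set then needs one result profile, as the replies say; with the condition fixed, the existing Permit Access profile is enough for the lab.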