ISE Policy Set

Dear all,

I have 2 policy sets, as I mentioned.

The problem is I have 2 identity groups: MAC addresses for printers and one for phones.

[screenshot]

When I enable the printer policy it cancels the other policy; in the authorization there is a rule allowing Wi-Fi with a MAC address.

---------------

If I enable this policy:

[screenshot]

this policy is not working, and all traffic whose MAC address is not found in the printers' group will be denied and will not go to the next policy set.

[screenshot]

Is there any way to make it go to the other policy set?

Accepted Solution

Assuming you have an authentication rule on the policy set you shared in the last screenshot that points to the internal endpoints, then you just need to create the printer authorization rule in the same way you created it in the second screenshot.

You don't have to create a new policy set for each device type or for each authentication type. Usually we split the policy sets into two, one for wired and one for wireless, but I would personally prefer having a single policy set and then configuring the multiple authentication and authorization rules in it.

For instance, if you are doing wired MAB for the phones and the printers, then you have a single authentication rule for both, and then you create two authorization rules, one pointing to the phones identity group and another pointing to the printers identity group, all within the same policy set.


10 Replies

One group for printers and another group for Wi-Fi. If I enable the printer policy, all traffic matches on it, including printers and Wi-Fi, and based on the printer group only the printers will match; all Wi-Fi then matches the default and is denied access. Is there any way to make the Wi-Fi go to the next policy set??

This is not how the system is designed to work. The policy set is chosen first, and after this, everything stays in this policy set.

You need to build your Policy-Sets differently. This is an example of how I do it:

[screenshot]

The Guest Flow uses MAB, but also matches on my Guest SSIDs. No printer would go into this policy set even though it is at the top of the list (top-down processing).

Further down, I catch everything that is MAB, and there all printers and phones are handled.

The problem is not with guest; the problem is with the last authorization profile. It's not guest, it's different, and if I put all the policy sets at the top, the printers will fall into it, because the authentication policy is the same and the authorization profile will match all internal endpoints.

Mine was an example of how to build policy sets. That is the whole problem with your policy. You have to ensure that all relevant devices end up in the same policy set. That is what the Policy-set conditions are for.

Your policy set is named "Printers MAB", but that is not what the policy set matches on. It only matches on MAB, because at the time of matching, the system doesn't know that it is a printer.

You have to build your condition either so that this policy set does not match on phones, or, likely better, build one policy set for all your devices' MAB where you handle phones and printers.

Can you recommend how to build another condition that gives the ability to make separate policy sets?

Something like this:

[screenshot]

If you know the OUI of the printers, you can match them directly there. Personally, I would *never* build my policy like that, but hey, everyone has a right to a bad network ...

OK, can you give me your advice on how to build it?

I need to create 3 separate MAB policy sets:

  • For printers
  • For phones
  • For Wi-Fi

How can I do this? Because when I create it, all phones, printers and Wi-Fi fall into the first policy set, since the authentication policy in the 3 policy sets is the same, and when they go to the authorization only the identity group which matches the device will apply and the others will go to the default and deny access, and they don't go to the next policy sets.

This is not how ISE works. Why do you think that you need three policy sets? You can handle all your known endpoints in one policy set with different AuthZ rules.
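As an added example (not from the thread, and not Cisco ISE code), a small Python model of the evaluation order Karsten and the accepted answer describe: the first policy set whose condition matches wins, the request stays in that set, and an unmatched authorization hits that set's default rule rather than falling through to the next set. Group names, profile names and the endpoints are constructed to mirror the thread's printers/phones scenario.

```python
# Added example (not ISE code): toy model of ISE policy-set evaluation.
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Endpoint:
    group: Optional[str]          # endpoint identity group; None = unknown MAC
    protocol: str                 # "MAB" or "802.1X"

@dataclass
class AuthzRule:
    group: str                    # identity group the rule matches
    profile: str                  # authorization profile returned

@dataclass
class PolicySet:
    name: str
    condition: Callable[[Endpoint], bool]
    authz: list                   # AuthzRule objects, evaluated top-down
    default: str = "DenyAccess"   # the set's default authorization rule

def evaluate(sets, ep):
    """First set whose condition matches wins and the request stays in it:
    authenticate against internal endpoints, then authorize top-down, else
    hit the set's default rule. There is no fall-through to the next set."""
    for ps in sets:
        if ps.condition(ep):
            if ep.group is None:               # MAC not in internal endpoints
                return ps.name, "Reject"
            for rule in ps.authz:
                if rule.group == ep.group:
                    return ps.name, rule.profile
            return ps.name, ps.default
    return "Default", "DenyAccess"

def is_mab(ep):
    return ep.protocol == "MAB"

# Original poster's design: separate sets whose conditions all say only "MAB".
SEPARATE_SETS = [
    PolicySet("Printers MAB", is_mab, [AuthzRule("Printers", "PermitPrinters")]),
    PolicySet("Phones MAB", is_mab, [AuthzRule("Phones", "PermitPhones")]),
]
# Accepted answer's design: one MAB set with one authorization rule per group.
ONE_SET = [PolicySet("MAB", is_mab, [AuthzRule("Printers", "PermitPrinters"),
                                     AuthzRule("Phones", "PermitPhones")])]
PHONE = Endpoint("Phones", "MAB")      # constructed sample endpoints
PRINTER = Endpoint("Printers", "MAB")
UNKNOWN = Endpoint(None, "MAB")
```

With the separate sets, a phone is captured by "Printers MAB" and ends in DenyAccess; with the single set, the same phone reaches the PermitPhones rule.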
