02-28-2024 06:56 AM
Hi,
Is it best practice to create a seperate profile for each authentication and authorisation that you do? For example I'm first authenticating the PC and pushing a DACL to the switch to only allow AD access. Would I also create the user profile for Authentication and authorhorisation under this same profile or create a new seperate profile?
Solved! Go to Solution.
02-28-2024 02:15 PM - edited 02-28-2024 02:15 PM
Writing any ISE Policy Set is a bit like writing a computer program. There are 100 different ways to achieve the same goal. And at the outset, you may not know how best to do it (yet) because you haven't quite discovered all the requirements and subtleties in your environment.
My high level aim in a Policy Set is to at least create one Policy Set for
Of course, only implement the ones that are used in your environment - but if I had all of the above, then I would create those main Policy Sets.
The reason for my suggested structure is that this creates
Within each Policy Set, create the appropriate Authentication and Authorization Rules - try to develop a common Naming Convention (that can come with practice) to make everything self-documenting and easy to read in Live Logs / Reports.
I also tend to make unique Authorization Profile Results (even if they are a clone based on other Results) - the naming is unique and makes it easier to filter in Live Logs. I go down to the level of making my dACLs unique as well - that has the benefit of seeing those unique names in the "show ip access-list" on the IOS devices - makes verification and troubleshooting easier.
Sounds like a lot of work? Maybe - but with practice it's not that that hard. It's more of a discipline that you have to adopt. And the effort you put in upfront will pay off for years to come.
02-28-2024 07:07 AM
Depends exactly on your use-case. What exactly do you mean by "profile"? An authz policy/result?
02-28-2024 07:23 AM
Hi, yes a policy sorry is what I meant.
02-28-2024 02:15 PM - edited 02-28-2024 02:15 PM
Writing any ISE Policy Set is a bit like writing a computer program. There are 100 different ways to achieve the same goal. And at the outset, you may not know how best to do it (yet) because you haven't quite discovered all the requirements and subtleties in your environment.
My high level aim in a Policy Set is to at least create one Policy Set for
Of course, only implement the ones that are used in your environment - but if I had all of the above, then I would create those main Policy Sets.
The reason for my suggested structure is that this creates
Within each Policy Set, create the appropriate Authentication and Authorization Rules - try to develop a common Naming Convention (that can come with practice) to make everything self-documenting and easy to read in Live Logs / Reports.
I also tend to make unique Authorization Profile Results (even if they are a clone based on other Results) - the naming is unique and makes it easier to filter in Live Logs. I go down to the level of making my dACLs unique as well - that has the benefit of seeing those unique names in the "show ip access-list" on the IOS devices - makes verification and troubleshooting easier.
Sounds like a lot of work? Maybe - but with practice it's not that that hard. It's more of a discipline that you have to adopt. And the effort you put in upfront will pay off for years to come.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide