Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
778
Views
1
Helpful
3
Replies

ISE Profiles Best Practice

Go to solution
alliasneo1
Level 1
Level 1

‎02-28-2024 06:56 AM

Hi,

Is it best practice to create a seperate profile for each authentication and authorisation that you do? For example I'm first authenticating the PC and pushing a DACL to the switch to only allow AD access. Would I also create the user profile for Authentication and authorhorisation under this same profile or create a new seperate profile?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎02-28-2024 02:15 PM - edited ‎02-28-2024 02:15 PM

Writing any ISE Policy Set is a bit like writing a computer program. There are 100 different ways to achieve the same goal. And at the outset, you may not know how best to do it (yet) because you haven't quite discovered all the requirements and subtleties in your environment.

My high level aim in a Policy Set is to at least create one Policy Set for

  • Wired MAB
  • Wired 802.1X
  • Wireless MAB (mostly Guest Wi-Fi and some iPSK)
  • Wireless 802.1X (one Policy Set per SSID to keep things separate)

Of course, only implement the ones that are used in your environment - but if I had all of the above, then I would create those main Policy Sets.  

The reason for my suggested structure is that this creates

  • Clean separation of duties
  • Optimal processing - we should strive to only test conditions at the start (e.g. overall Policy Set condition) and then no need to test again in AuthN and AuthZ.  I see this time and time again - people lump MAB and Wired and Wireless 802.1X into one jumbo Policy and then forevermore check in each Rule whether it's MAB or 802.1X - it's terrible. And it's how a bad programmer would write their code too.

Within each Policy Set, create the appropriate Authentication and Authorization Rules - try to develop a common Naming Convention (that can come with practice) to make everything self-documenting and easy to read in Live Logs / Reports.

I also tend to make unique Authorization Profile Results (even if they are a clone based on other Results) - the naming is unique and makes it easier to filter in Live Logs. I go down to the level of making my dACLs unique as well - that has the benefit of seeing those unique names in the "show ip access-list" on the IOS devices - makes verification and troubleshooting easier. 

Sounds like a lot of work? Maybe - but with practice it's not that that hard. It's more of a discipline that you have to adopt. And the effort you put in upfront will pay off for years to come. 

 

View solution in original post

3 Replies 3

Go to solution
ahollifield
VIP
VIP

‎02-28-2024 07:07 AM

Depends exactly on your use-case.  What exactly do you mean by "profile"?  An authz policy/result?  

Cisco ISE & NAC Resources - Cisco Community

https://community.cisco.com/t5/security-knowledge-base/how-to-ask-the-community-for-help/ta-p/3704356

0 Helpful

Go to solution
alliasneo1
Level 1
Level 1
In response to ahollifield

‎02-28-2024 07:23 AM

Hi, yes a policy sorry is what I meant.

0 Helpful

Go to solution
Arne Bier
VIP
VIP

‎02-28-2024 02:15 PM - edited ‎02-28-2024 02:15 PM

Writing any ISE Policy Set is a bit like writing a computer program. There are 100 different ways to achieve the same goal. And at the outset, you may not know how best to do it (yet) because you haven't quite discovered all the requirements and subtleties in your environment.

My high level aim in a Policy Set is to at least create one Policy Set for

  • Wired MAB
  • Wired 802.1X
  • Wireless MAB (mostly Guest Wi-Fi and some iPSK)
  • Wireless 802.1X (one Policy Set per SSID to keep things separate)

Of course, only implement the ones that are used in your environment - but if I had all of the above, then I would create those main Policy Sets.  

The reason for my suggested structure is that this creates

  • Clean separation of duties
  • Optimal processing - we should strive to only test conditions at the start (e.g. overall Policy Set condition) and then no need to test again in AuthN and AuthZ.  I see this time and time again - people lump MAB and Wired and Wireless 802.1X into one jumbo Policy and then forevermore check in each Rule whether it's MAB or 802.1X - it's terrible. And it's how a bad programmer would write their code too.

Within each Policy Set, create the appropriate Authentication and Authorization Rules - try to develop a common Naming Convention (that can come with practice) to make everything self-documenting and easy to read in Live Logs / Reports.

I also tend to make unique Authorization Profile Results (even if they are a clone based on other Results) - the naming is unique and makes it easier to filter in Live Logs. I go down to the level of making my dACLs unique as well - that has the benefit of seeing those unique names in the "show ip access-list" on the IOS devices - makes verification and troubleshooting easier. 

Sounds like a lot of work? Maybe - but with practice it's not that that hard. It's more of a discipline that you have to adopt. And the effort you put in upfront will pay off for years to come. 

 

Customers Also Viewed These Support Documents