ISE V3.2 How can I change the Default Authentication Policy
11-27-2024 12:36 AM - edited 11-27-2024 12:36 AM
Hello Cisco ISE experts,
I'm new to Cisco ISE V3.2 and I'm struggling with Policy Sets and the embedded "Default" Authentication Policy.
To make the output of Radius Live Log more meaningful, I would like to replace the word "Default" in the according policy set with a more meaningful string like "MAC-Check Internal Endpoints".
But I cannot find the Editor Button for this within the Ruleset Editor page.
I have also tried to add a second Authentication Policy Rule with a more meaningful Rule Name in front of the "Default" Authentication Policy with same Use Parameters, but receive the following cryptic error-message in that case.
Internal Check of MAC-Address - could not be saved.
Rule Condition is not properly configured for rule: Internal Check of MAC-Address
Obviously I do not understand the concept behind this "Default" very well.
Who knows how I can substitute this sucking "Default" with a more meaningful expression?
Thank You in advance
Greetings from Frankonia
Wini
Prime V3.10.4 and ISE V.3.2 (formerly V2.4)
Labels: Identity Services Engine (ISE)

11-27-2024 06:31 PM
You cannot change the name of the Default rule. You would need to create a rule above it that matches your session criteria.
The whole point of the Default rule is that it is the one hit when none of your specific configured rules are hit.
11-29-2024 12:12 AM - edited 11-29-2024 12:13 AM
Hello Greg,
thank You for Your reply.
I already tried to create a rule above the default rule with meaningful title and same settings as the Default rule as You can see from my attached screenshot. Unfortunately I receive the following error-message:
Internal Check of MAC-Address - could not be saved.
Rule Condition is not properly configured for rule: Internal Check of MAC-Address
In the Cisco Press book for ISE I can see that initially there are three possible options here:
- MAB, Dot1x and Default
Also the following Guide shows these three options in V2.4:
How can I change from Default to MAB instead in an already defined ruleset?
Thank You for Your help
Kind regards
Wini
11-29-2024 12:37 AM
Can you share the policy set?
MHM
11-29-2024 01:09 AM
How can I change the “Default” Authentication Policy within this Policy to a more meaningful Rule Name?
We talk about MAB Authentication Bypass in this case and would like to use WLAN iPSK to allow IoT devices to authenticate by checking their MAC addresses.
Thank You for Your help
Kind regards
Wini
11-29-2024 12:48 PM
Below is how you can use iPSK.
We don't use MAB for iPSK, but we use the MAC in the authz/authc policy.
MHM

11-30-2024 12:43 PM
You cannot save the new rule without adding a condition. Try Wireless_MAB.
