Arne Bier
VIP Advisor

Local Exceptions Policy or Global Exceptions Policy - is there a good use case?

Hello
I see these words "Exceptions Policy" every time I configure a Policy Set, and every time I have to ask myself "what the heck are they for and when will I ever need to use them?"  I thought that one could neatly express the required logic in the Policy Set as we've been doing all along?

Is there a reason for this much-overlooked feature, and if so, does anyone have some examples of when they used this? Perhaps I have been missing a trick?
I have tried to RTFM, but the Admin Guide is hopeless at this point ...
regards

Accepted Solutions
paul
Advocate

I use Global Exception policies for my ANC policies because that way they apply to all my policy sets, VPN, wired and all my wireless SSIDs.  So I will have something like:
If Device type is Switch and ANC Policy is Quarantine then apply appropriate measures

If Device type is ASA and ANC Policy is Quarantine then apply appropriate measures

If Device type is WLC and ANC Policy is Quarantine then apply appropriate measures
If you use the blacklist group you could use the same logic.
I don't think I have ever had a case to use local exceptions.

5 REPLIES

Yup, same, I’ve only had the chance to use it once, with a Rapid Threat Detection bit of integration and some Quarantine rules based on input from pxGrid.

thanks Paul.  At what point do these exceptions get processed (before or after the other stuff)?
If one can apply logic globally then it presumes that the environment is probably from one vendor only?  I guess that makes life easier.
Designing Policy Sets can be a bit of an art because there are so many ways to achieve the same result.  I try to keep efficiency at the top of my priorities list, and then after that, readability.  e.g. in a multi-vendor deployment where the radius attributes vary wildly and I cannot rely on device profiles, I tend to create a PolicySet for Wireless 802.1X, and one for Wireless MAB, Wired 802.1X, etc.  - and in those Policy Sets I would have Authorization Rules per-vendor (using Device Type).

I was hoping that if I took a step back and looked at it all, I might spot something that all of these Policy Sets had in common, and then apply one of these Exceptions.
I'll have to try this in the lab some time.

I believe they are processed as they appear in the policy set:

Local Exceptions
Global Exceptions
Authorization Policies

I am very granular in my policy sets. Wired MAB, Wired Dot1x, each SSID has its own policy set, each VPN type has its own policy. Individual use case policy sets make the ISE configuration easier to digest. There aren't a ton of crossover policies in my rule set outside of ANC and Blacklist stuff.
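A small Python model of that evaluation order, added here as an illustration (not ISE code and not from anyone in the thread): it walks a session's attributes through local exceptions, then global exceptions, then the policy set's own rules, first match wins, with the ANC quarantine rules from the accepted answer as the shared global exceptions. Rule names, attribute keys and profile names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    """One authorization rule: every condition must match (AND)."""
    name: str
    conditions: dict      # session attribute -> required value
    result: str           # authorization profile applied on match

    def matches(self, session: dict) -> bool:
        return all(session.get(k) == v for k, v in self.conditions.items())

@dataclass
class PolicySet:
    name: str
    local_exceptions: list = field(default_factory=list)
    authz_rules: list = field(default_factory=list)

# Global exceptions are shared by every policy set (constructed, placeholder profile names).
GLOBAL_EXCEPTIONS = [
    Rule("ANC-Quarantine-Switch", {"device_type": "Switch", "anc_policy": "Quarantine"}, "Quarantine-Wired"),
    Rule("ANC-Quarantine-ASA", {"device_type": "ASA", "anc_policy": "Quarantine"}, "Quarantine-VPN"),
    Rule("ANC-Quarantine-WLC", {"device_type": "WLC", "anc_policy": "Quarantine"}, "Quarantine-Wireless"),
]

def authorize(policy_set: PolicySet, session: dict, global_exceptions=GLOBAL_EXCEPTIONS):
    """Return (stage, rule name, result) of the first match, in the order the
    reply describes: local exceptions, then global exceptions, then the set's own rules."""
    stages = (("local", policy_set.local_exceptions),
              ("global", global_exceptions),
              ("authz", policy_set.authz_rules))
    for stage, rules in stages:
        for rule in rules:
            if rule.matches(session):
                return stage, rule.name, rule.result
    return "authz", "Default", "DenyAccess"   # constructed default rule

# Constructed policy sets, one per access method as both posters describe.
WIRED_DOT1X = PolicySet("Wired 802.1X",
    authz_rules=[Rule("Employees", {"group": "Employees"}, "PermitAccess")])
WIRELESS_CORP = PolicySet("Wireless CORP",
    # A local exception only this set sees; it is evaluated before the global ones.
    local_exceptions=[Rule("Lab-AP-Override", {"ssid": "LAB"}, "LabVLAN")],
    authz_rules=[Rule("Employees", {"group": "Employees"}, "PermitAccess")])

if __name__ == "__main__":
    quarantined = {"device_type": "Switch", "group": "Employees", "anc_policy": "Quarantine"}
    print(authorize(WIRED_DOT1X, quarantined))   # ('global', 'ANC-Quarantine-Switch', 'Quarantine-Wired')
```

Because local exceptions run first, a local exception that matches a quarantined endpoint shadows the global ANC rule, so local exceptions are worth auditing before relying on global exceptions for containment.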
Damien Miller
VIP Advisor

My experience with global exceptions was brief but impactful.  600,000+ latency-induced RADIUS drops a day for the brief period it was enabled trying to do quarantine actions with Stealthwatch.  Oddly enough, no users complained, we have had it off on that deployment ever since.  Test round two coming soon.