08-28-2018 04:48 AM
Hello
I see these words "Exceptions Policy" every time I configure a Policy Set, and every time I have to ask myself "what the heck are they for and when will I ever need to use them?" I thought that one could neatly express the required logic in the Policy Set as we've been doing all along?
Is there a reason for this much-overlooked feature, and if so, does anyone have some examples of when they used this? Perhaps I have been missing a trick?
I have tried to RTFM, but the Admin Guide is hopeless at this point ...
regards
08-28-2018 05:57 AM
I use Global Exception policies for my ANC policies because that way they apply to all my policy sets, VPN, wired and all my wireless SSIDs. So I will have something like:
If Device type is Switch and ANC Policy is Quarantine then apply appropriate measures
If Device type is ASA and ANC Policy is Quarantine then apply appropriate measures
If Device type is WLC and ANC Policy is Quarantine then apply appropriate measures
If you use the blacklist group you could use the same logic.
I don't think I have ever had a case to use local exceptions
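To make the above concrete, here is an added illustration (not Cisco ISE code, and not from the poster) that models ISE-style first-match authorization: per-set local exceptions are checked first, then the global exceptions, then the policy set's own rules, which is the order the ISE administration guide describes. The three ANC quarantine rules from the reply are expressed once as global exceptions and therefore fire for any policy set; the device types, identity groups and authorization profile names (QUARANTINE_DACL, PERMIT_ACCESS, etc.) are constructed placeholders.

```python
"""Model of ISE-style authorization with global exception rules.

Added example, not ISE's own code. Evaluation order modelled here
(local exceptions, then global exceptions, then the set's rules) follows
the ISE admin guide; result names are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Session:
    policy_set: str                    # e.g. "Wired", "VPN", "Wireless-Corp"
    device_type: str                   # network device profile: Switch/ASA/WLC
    anc_policy: Optional[str] = None   # ANC policy assigned to the endpoint, if any
    identity_group: str = "Unknown"    # endpoint/user identity group


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: str                        # authorization profile to return


def anc_quarantine(device_type: str) -> Callable[[Session], bool]:
    """Condition 'Device type is X and ANC Policy is Quarantine'."""
    return lambda s: s.device_type == device_type and s.anc_policy == "Quarantine"


# Global exceptions: written once, applied to every policy set (constructed).
GLOBAL_EXCEPTIONS: List[Rule] = [
    Rule("Quarantine-Switch", anc_quarantine("Switch"), "QUARANTINE_DACL"),
    Rule("Quarantine-ASA", anc_quarantine("ASA"), "QUARANTINE_VPN_GROUP"),
    Rule("Quarantine-WLC", anc_quarantine("WLC"), "QUARANTINE_AIRESPACE_ACL"),
    # The same pattern works for the Blacklist identity group.
    Rule("Blacklist", lambda s: s.identity_group == "Blacklist", "DENY_ACCESS"),
]

# Per-policy-set rules: what each set would do if no exception matched.
POLICY_SETS: Dict[str, List[Rule]] = {
    "Wired": [Rule("Wired-Employees", lambda s: s.identity_group == "Employees", "PERMIT_ACCESS")],
    "VPN": [Rule("VPN-Employees", lambda s: s.identity_group == "Employees", "VPN_EMPLOYEE_GROUP")],
    "Wireless-Corp": [Rule("WiFi-Employees", lambda s: s.identity_group == "Employees", "WIFI_EMPLOYEE_ACL")],
}

# Local exceptions are scoped to one policy set; empty here, as in the reply.
LOCAL_EXCEPTIONS: Dict[str, List[Rule]] = {}

DEFAULT_RESULT = "DENY_ACCESS"


def authorize(session: Session,
              local_exceptions: Dict[str, List[Rule]] = LOCAL_EXCEPTIONS,
              global_exceptions: List[Rule] = GLOBAL_EXCEPTIONS,
              policy_sets: Dict[str, List[Rule]] = POLICY_SETS) -> Tuple[str, str, str]:
    """First-match evaluation; returns (stage, rule name, authorization profile)."""
    ordered = (
        [("local-exception", r) for r in local_exceptions.get(session.policy_set, [])]
        + [("global-exception", r) for r in global_exceptions]
        + [("policy-set", r) for r in policy_sets.get(session.policy_set, [])]
    )
    for stage, rule in ordered:
        if rule.condition(session):
            return stage, rule.name, rule.result
    return "default", "Default", DEFAULT_RESULT


if __name__ == "__main__":
    # Quarantined employee on wired, VPN and wireless: one global rule per NAD type.
    for ps, dev in (("Wired", "Switch"), ("VPN", "ASA"), ("Wireless-Corp", "WLC")):
        print(ps, authorize(Session(ps, dev, "Quarantine", "Employees")))
    # Same employee without an ANC policy falls through to the set's own rule.
    print(authorize(Session("Wired", "Switch", None, "Employees")))
```

Because the quarantine rules sit in the global exception list, adding a new SSID or VPN policy set needs no copy of them; the trade-off is that every request first passes through the exception list, which is where the latency concern raised later in this thread comes from.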
08-28-2018 03:17 PM
Thanks Paul. At what point do these exceptions get processed (before or after the other stuff)?
If one can apply logic globally then it presumes that the environment is probably from one vendor only? I guess that makes life easier.
Designing Policy Sets can be a bit of an art because there are so many ways to achieve the same result. I try to keep efficiency at the top of my priorities list, and then after that, readability. e.g. in a multi-vendor deployment where the radius attributes vary wildly and I cannot rely on device profiles, I tend to create a PolicySet for Wireless 802.1X, and one for Wireless MAB, Wired 802.1X, etc. - and in those Policy Sets I would have Authorization Rules per-vendor (using Device Type).
I was hoping that if I took a step back and looked at it all, I might spot something that all of these Policy Sets had in common, and then apply one of these Exceptions.
I'll have to try this in the lab some time.
08-28-2018 03:24 PM - edited 08-28-2018 03:25 PM
My experience with global exceptions was brief but impactful: 600,000+ latency-induced RADIUS drops a day for the brief period it was enabled, trying to do quarantine actions with Stealthwatch. Oddly enough, no users complained; we have had it off on that deployment ever since. Test round two coming soon.