Hello
I see the words "Exceptions Policy" every time I configure a Policy Set, and every time I have to ask myself "what the heck are they for, and when will I ever need to use them?" I thought that one could neatly express the required logic in the Policy Set, as we've been doing all along?
Is there a reason for this much-overlooked feature, and if so, does anyone have some examples of when they used it? Perhaps I have been missing a trick?
I have tried to RTFM, but the Admin Guide is hopeless on this point ...
regards
I use Global Exception policies for my ANC policies, because that way they apply to all my policy sets: VPN, wired and all my wireless SSIDs. So I will have something like:
If Device Type is Switch and ANC Policy is Quarantine, then apply the appropriate measures
If Device Type is ASA and ANC Policy is Quarantine, then apply the appropriate measures
If Device Type is WLC and ANC Policy is Quarantine, then apply the appropriate measures
If you use the blacklist group, you could use the same logic.
I don't think I have ever had a case to use local exceptions.
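To make the behaviour of the answer above concrete, here is a small model of how ISE walks an authorization policy: local exception rules are evaluated first, then global exception rules, then the policy set's own authorization rules, and the first match wins. This is an added illustration written for this thread, not Cisco code and not the poster's configuration; the rule conditions mirror the three ANC quarantine rules given above, while the policy set names, user groups and authorization profile names (Quarantine_dACL and so on) are placeholders. It also shows the caveat a local exception introduces: because it sits ahead of the global exceptions, a local exception can let a quarantined endpoint bypass the ANC rule.

```python
"""Model of ISE authorization evaluation order (constructed example, not Cisco code).

Order of evaluation, per the ISE admin guide:
  1. local exceptions of the matched policy set
  2. global exceptions (shared by every policy set)
  3. the policy set's authorization rules
  4. the policy set's default rule
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]   # evaluated against the RADIUS request context
    result: str                          # authorization profile name (placeholder)


def anc_quarantine(device_type: str, profile: str) -> Rule:
    """Build one 'Device Type is X and ANC Policy is Quarantine' rule, as in the answer."""
    return Rule(
        name=f"Quarantine {device_type}",
        condition=lambda r, dt=device_type: r.get("device_type") == dt
        and r.get("anc_policy") == "Quarantine",
        result=profile,
    )


# Global exceptions apply to every policy set, so one per vendor/device type is enough.
# Profile names are placeholders, not real ISE objects.
GLOBAL_EXCEPTIONS = [
    anc_quarantine("Switch", "Quarantine_dACL"),
    anc_quarantine("ASA", "Quarantine_Group_Policy"),
    anc_quarantine("WLC", "Quarantine_ACL"),
]


@dataclass
class PolicySet:
    name: str
    local_exceptions: list = field(default_factory=list)
    rules: list = field(default_factory=list)
    default: str = "DenyAccess"


def authorize(policy_set: PolicySet, request: dict,
              global_exceptions: Optional[list] = None) -> tuple:
    """Return (stage, rule name, profile) for the first matching rule."""
    if global_exceptions is None:
        global_exceptions = GLOBAL_EXCEPTIONS
    stages = (
        ("local exception", policy_set.local_exceptions),
        ("global exception", global_exceptions),
        ("authorization", policy_set.rules),
    )
    for stage, rules in stages:
        for rule in rules:
            if rule.condition(request):
                return stage, rule.name, rule.result
    return "default", "Default", policy_set.default


# Two placeholder policy sets, each with ordinary per-group rules.
WIRED = PolicySet(
    name="Wired 802.1X",
    # A local exception that sits ahead of the global quarantine rule (the caveat).
    local_exceptions=[Rule("Printers", lambda r: r.get("user_group") == "Printers", "Printer_VLAN")],
    rules=[Rule("Employee", lambda r: r.get("user_group") == "Employees", "PermitAccess")],
)
WIRELESS = PolicySet(
    name="Wireless 802.1X",
    rules=[Rule("Employee", lambda r: r.get("user_group") == "Employees", "PermitAccess")],
)


if __name__ == "__main__":
    # Constructed request contexts, one per scenario.
    samples = [
        (WIRED, {"device_type": "Switch", "anc_policy": None, "user_group": "Employees"}),
        (WIRED, {"device_type": "Switch", "anc_policy": "Quarantine", "user_group": "Employees"}),
        (WIRELESS, {"device_type": "WLC", "anc_policy": "Quarantine", "user_group": "Employees"}),
        (WIRED, {"device_type": "Switch", "anc_policy": "Quarantine", "user_group": "Printers"}),
    ]
    for ps, req in samples:
        print(ps.name, req, "->", authorize(ps, req))
```

The last sample is the one to keep in mind: the printer endpoint is under ANC quarantine, but the wired policy set's local exception fires first and hands out Printer_VLAN, so anything placed in a local exception should be written so that it cannot mask a quarantine result you rely on.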
Thanks Paul. At what point do these exceptions get processed (before or after the other stuff)?
If one can apply logic globally then it presumes that the environment is probably from one vendor only? I guess that makes life easier.
Designing Policy Sets can be a bit of an art because there are so many ways to achieve the same result. I try to keep efficiency at the top of my priorities list, and then after that, readability. e.g. in a multi-vendor deployment where the radius attributes vary wildly and I cannot rely on device profiles, I tend to create a PolicySet for Wireless 802.1X, and one for Wireless MAB, Wired 802.1X, etc. - and in those Policy Sets I would have Authorization Rules per-vendor (using Device Type).
I was hoping that if I took a step back and looked at it all, I might spot something that all of these Policy Sets had in common, and then apply one of these Exceptions.
I'll have to try this in the lab some time.
My experience with global exceptions was brief but impactful: 600,000+ latency-induced RADIUS drops a day for the brief period it was enabled, trying to do quarantine actions with Stealthwatch. Oddly enough, no users complained. We have had it off on that deployment ever since. Test round two coming soon.