Cisco Community
English
Register
Great changes are coming to Cisco Community in July. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1393
Views
10
Helpful
5
Replies
Arne Bier
VIP Advisor VIP Advisor
VIP Advisor
‎08-28-2018 04:48 AM
‎08-28-2018 04:48 AM

Local Exceptions Policy or Global Exceptions Policy - is there a good use case?

Hello

 

I see these words 'Exceptions Policy" every time I configure a Policy Set, and every time I have to ask myself "what the heck are they for and when will I ever need to use them?"  I thought that one could neatly express the required logic in the Policy Set as we've been doing all along?

Is there a reason to this much overlooked feature, and if so, does anyone have some examples of when they used this ? - perhaps I have been missing a trick?

 

I have tried to RTFM, but the Admin Guide is hopeless at this point ...

 

regards

0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
paul
Advocate
Advocate
‎08-28-2018 05:57 AM
‎08-28-2018 05:57 AM

I use Global Exception policies for my ANC polices because that way they apply to all my policy sets, VPN, wired and all my wireless SSIDs.  So I will have something like:

 

If Device type is Switch and ANC Policy is Quarantine then apply appropriate measures

If Device type is ASA and ANC Policy is Quarantine then apply appropriate measures

If Device type is WLC and ANC Policy is Quarantine then apply appropriate measures

 

If you use the blacklist group you could use the same logic.

 

If don't think I have ever had a case to use local exceptions

View solution in original post

5 REPLIES 5
paul
Advocate
Advocate
‎08-28-2018 05:57 AM
‎08-28-2018 05:57 AM

I use Global Exception policies for my ANC polices because that way they apply to all my policy sets, VPN, wired and all my wireless SSIDs.  So I will have something like:

 

If Device type is Switch and ANC Policy is Quarantine then apply appropriate measures

If Device type is ASA and ANC Policy is Quarantine then apply appropriate measures

If Device type is WLC and ANC Policy is Quarantine then apply appropriate measures

 

If you use the blacklist group you could use the same logic.

 

If don't think I have ever had a case to use local exceptions

RichardAtkin
Participant
Participant
In response to paul
‎08-28-2018 02:17 PM
‎08-28-2018 02:17 PM

Yup, same, I’ve only had the chance to use it once, with a Rapid Threat Detection bit of integration and some Quarantine rules based on input from pxGrid.
Arne Bier
VIP Advisor VIP Advisor
VIP Advisor
In response to paul
‎08-28-2018 03:17 PM
‎08-28-2018 03:17 PM

thanks Paul.  At what point do these exceptions get processed (before or after the other stuff)?

 

If one can apply logic globally then it presumes that the environment is probably from one vendor only?  I guess that makes life easier.

 

Designing Policy Sets can be a bit of an art because there are so many ways to achieve the same result.  I try to keep efficiency at the top of my priorities list, and then after that, readability.  e.g. in a multi-vendor deployment where the radius attributes vary wildly and I cannot rely on device profiles, I tend to create a PolicySet for Wireless 802.1X, and one for Wireless MAB, Wired 802.1X, etc.  - and in those Policy Sets I would have Authorization Rules per-vendor (using Device Type).

I was hoping that if  took a step back and looked at it all, I might spot something that all of these Policy Sets had in common, and then apply one of these Exceptions.

 

I'll have to try this in the lab some time.

0 Helpful
paul
Advocate
Advocate
In response to Arne Bier
‎08-28-2018 03:22 PM
‎08-28-2018 03:22 PM

I believe they are processed like they appear in the policy set:


Local Exceptions

Global Exceptions

Authorization Policies



I am very granular in my policy sets. Wired MAB, Wired Dot1x, each SSID has their own policy set, each VPN type has its own policy. Individual use case policy sets make the ISE configuration easier to digest. There aren't a ton of cross over policies in my rule set outside of ANC and Blacklist stuff.


0 Helpful
Damien Miller
VIP Advisor VIP Advisor
VIP Advisor
‎08-28-2018 03:24 PM
‎08-28-2018 03:24 PM

My experience with global exceptions was brief but impactful.  600,000+ latency induced radius drops a day for the brief period it was enabled trying to do quarantine actions with stealthwatch.  Oddly enough, no users complained, we have had it off on that deployment ever since.  Test round two coming soon.  

0 Helpful
Latest Contents
Earn $100! Interview with Cisco on Network Risk, Compliance ...
Created by S Nath on 06-27-2022 01:56 PM
0
0
0
0
Are you responsible for risk management, compliance management and auditing of a network?    If so, we’d like to speak with you to learn your current processes of enforcing compliance and managing risk to help us develop services that will ... view more
Converting Cisco Secure Endpoint Connectors from Audit to Pr...
Created by Sohaib Ahmed on 06-23-2022 05:19 PM
0
0
0
0
Once you've expanded Cisco Secure Endpoint connector deployment to about 50% of your licensed count (check out this article that shows you how to do that), it's time to put those connectors to action i.e. convert them to Protect from Audit mode for vari... view more
🧦💚 Tell us about your ZTNA journey in exchange for a pair ...
Created by betswang on 06-23-2022 03:05 PM
0
15
0
15
  Hello! I’m Betsy, UX Researcher, on the Cisco+ Secure Connect Now team. Nice to meet you all .We have a short survey to learn about your Zero Trust Network Access (ZTNA) journey. Whether you have, plan to, or have not implemented a ... view more
Cisco ASA Access-list ACL using network object
Created by Meddane on 06-23-2022 06:59 AM
0
0
0
0
  A set of interface access rules can cause the Cisco Adaptive Security Appliance to permit or deny a designated host to access another particular host with a specific network application (service). When there is only one client, one host and one se... view more
How To: Cisco ISE Captive Portals with Aruba Wireless
Created by ahollifield on 06-22-2022 06:23 PM
4
10
4
10
How To: Cisco ISE Captive Portals with Aruba Wireless Authors: Adam Hollifield, Brad Johnson IntroductionPrerequisitesMinimum RequirementsComponents UsedConfigurationAruba Wireless ControllerWLAN CreationAuthentication ConfigurationRole & Policy Confi... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube