Solved: Local Exceptions Policy or Global Exceptions Policy - is there a good use case?

Arne Bier · ‎08-28-2018

Hello

I see these words 'Exceptions Policy" every time I configure a Policy Set, and every time I have to ask myself "what the heck are they for and when will I ever need to use them?" I thought that one could neatly express the required logic in the Policy Set as we've been doing all along?

Is there a reason to this much overlooked feature, and if so, does anyone have some examples of when they used this ? - perhaps I have been missing a trick?

I have tried to RTFM, but the Admin Guide is hopeless at this point ...

regards

paul · ‎08-28-2018

I use Global Exception policies for my ANC polices because that way they apply to all my policy sets, VPN, wired and all my wireless SSIDs. So I will have something like:

If Device type is Switch and ANC Policy is Quarantine then apply appropriate measures

If Device type is ASA and ANC Policy is Quarantine then apply appropriate measures

If Device type is WLC and ANC Policy is Quarantine then apply appropriate measures

If you use the blacklist group you could use the same logic.

If don't think I have ever had a case to use local exceptions

View solution in original post

paul · ‎08-28-2018

I use Global Exception policies for my ANC polices because that way they apply to all my policy sets, VPN, wired and all my wireless SSIDs. So I will have something like:

If Device type is Switch and ANC Policy is Quarantine then apply appropriate measures

If Device type is ASA and ANC Policy is Quarantine then apply appropriate measures

If Device type is WLC and ANC Policy is Quarantine then apply appropriate measures

If you use the blacklist group you could use the same logic.

If don't think I have ever had a case to use local exceptions

RichardAtkin · ‎08-28-2018

Yup, same, I’ve only had the chance to use it once, with a Rapid Threat Detection bit of integration and some Quarantine rules based on input from pxGrid.

Arne Bier · ‎08-28-2018

thanks Paul. At what point do these exceptions get processed (before or after the other stuff)?

If one can apply logic globally then it presumes that the environment is probably from one vendor only? I guess that makes life easier.

Designing Policy Sets can be a bit of an art because there are so many ways to achieve the same result. I try to keep efficiency at the top of my priorities list, and then after that, readability. e.g. in a multi-vendor deployment where the radius attributes vary wildly and I cannot rely on device profiles, I tend to create a PolicySet for Wireless 802.1X, and one for Wireless MAB, Wired 802.1X, etc. - and in those Policy Sets I would have Authorization Rules per-vendor (using Device Type).

I was hoping that if took a step back and looked at it all, I might spot something that all of these Policy Sets had in common, and then apply one of these Exceptions.

I'll have to try this in the lab some time.

paul · ‎08-28-2018

I believe they are processed like they appear in the policy set:

Local Exceptions

Global Exceptions

Authorization Policies

I am very granular in my policy sets. Wired MAB, Wired Dot1x, each SSID has their own policy set, each VPN type has its own policy. Individual use case policy sets make the ISE configuration easier to digest. There aren't a ton of cross over policies in my rule set outside of ANC and Blacklist stuff.

Damien Miller · ‎08-28-2018

My experience with global exceptions was brief but impactful. 600,000+ latency induced radius drops a day for the brief period it was enabled trying to do quarantine actions with stealthwatch. Oddly enough, no users complained, we have had it off on that deployment ever since. Test round two coming soon.