10-18-2021 03:17 AM
I do not clearly understand the flow of the policy set and the behavior of the continue option.
1. The behavior of the continue option.
After the process of getting the allowed protocol, the next step is authentication.
In the case that the Wired_Dot1x condition is selected as the condition and the Dot1x user does not exist in Active Directory,
if the continue option is used, is the next step the authorization policy, or is it the authentication policy phase?
2. The flow of the policy set
If none of the authentication policies match the user information, does the process stop, or does it go to the next step (I mean the authorization phase)?
Accepted Solutions
10-18-2021 04:12 AM
if the continue option is used, the next step is authorization policy?
-Correct, the next step would be authz policy.
If none of authentication policies is matched with the user information, the process stop?
-Depends on how you have the authc setup. The authc conditions are as follows:
Each authentication policy has Options:
- Reject: Send ‘Access-Reject’ back to the NAD
- Continue: Continue to authorization regardless of authentication outcome
- Drop: Drop the request and do not respond to the NAD – NAD will treat as if RADIUS server is dead
The screenshot shared below is from this guide: ISE Secure Wired Access Prescriptive Deployment Guide - Cisco Community in this section: Authoring Access Policies on ISE. Here is another valuable resource: ISE Authentication and Authorization Policy Reference - Cisco Community
HTH!
10-18-2021 05:54 PM
The information you gave me is very helpful. Thanks a lot!
