
Testing Internet Access Policies in Secure Access Dashboard

karthik-venkataraman
Community Member

Hey Techies,

Is there a way to test Internet Access policies within the Secure Access dashboard?

I'm looking for something similar to the Policy Tester feature in Cisco Umbrella, which allows us to validate WEB/DNS policies.

Appreciate your guidance—thanks in advance!


wajidhassan
Level 4

Yes, you can test Internet Access Policies in Cisco ISE (Identity Services Engine), but it’s a bit different from Cisco Umbrella’s Policy Tester feature. Cisco ISE doesn’t have a direct "Policy Tester" like Umbrella, but you can use the following methods to test and validate Internet Access policies or authentication/authorization policies within the Secure Access dashboard.

1. Using the Authentication and Authorization Policy Testing
In Cisco ISE, you can test your authentication and authorization policies through the Policy Testing feature. This feature isn't as granular as Umbrella's DNS/Web policy testing but allows you to validate if an endpoint (user or device) matches the policies for network access.

Here’s how to use it:

Steps:
Navigate to ISE Admin Portal: Log into your ISE admin interface.

Go to the Policy Tab:

Choose Policy > Policy Testing under the Policy menu.

Enter Testing Information:

You’ll need to enter details about the username, MAC address, or IP address of the endpoint you want to test.

Select the Authentication and Authorization policies you want to validate.

Test the Policy:

Click "Test" to validate if the policies for authentication and access are applied correctly.

This will give you a real-time response of whether the policies are matching and will show any attributes that were assigned (e.g., VLAN, access control lists, etc.).

Limitations:
This doesn’t provide direct testing for Internet Access policies, but you can test authentication and authorization policies that typically affect network access and may include Internet access rules depending on your ISE setup.

2. Simulating Endpoints via pxGrid or REST API
Another way to validate Internet access policies is by simulating endpoints through pxGrid or REST API.

If your goal is to test how policies behave for specific endpoints:

pxGrid can give you visibility into the live session and how users or devices are being assigned policies.

You can create a script or API request that triggers the necessary events to simulate access requests, which will help ensure that the Internet access policies are being applied based on conditions like role, location, or device type.

Example with REST API:
You can use the ISE REST API to fetch the session details, and check if the policy was applied correctly based on user/device conditions.

bash

curl -k -u 'admin:password' -X GET "https://ise.example.com:9060/ers/config/endpoint"


3. ISE Logs and Live Sessions
If you are specifically concerned about Internet access (like web access) after authentication, you could look at the live logs or session information.

Navigate to Operations > Live Logs to review authentication logs for any connection requests.

Check whether web access (DNS, HTTP, HTTPS traffic) is allowed based on the authorization policy (e.g., allowing access to the internet or specific subnets).

You could also check Session Information for details on what policies were applied for a particular session.

4. Using Cisco AnyConnect or CWA (Clientless Web Access) for Testing
If you’re testing VPN or web portal access based Internet policies:

Cisco AnyConnect client can be used to simulate different user roles and validate how access control policies are enforced.

CWA (Clientless Web Access) can be used to test web access-based Internet policies and see how the portal controls users, redirects, and applies web access policies.

5. Integration with Cisco Umbrella for DNS/Web Access Control
If your Internet Access policies involve DNS filtering (as in Umbrella) or web filtering, you can integrate Cisco Umbrella with ISE. You can then leverage the Umbrella Dashboard to test DNS/Web access control policies, similar to the Umbrella Policy Tester.

6. Third-Party Testing Solutions
If none of the above methods provide the exact type of testing you're looking for, you could consider integrating with third-party network monitoring or testing tools like Wireshark, Telerik Fiddler, or Postman for API testing. These can simulate traffic based on the network conditions and policies, and provide deeper insights.

Summary
While Cisco ISE doesn’t have an exact Policy Tester like Cisco Umbrella, you can:

Use ISE Policy Testing to validate authentication and authorization rules.

Leverage pxGrid or REST API for detailed testing of endpoint and session information.

Check ISE logs or Live Session data for real-time policy matches.

Simulate web-based access using Cisco AnyConnect or Clientless Web Access.
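
An added example, not part of the reply above and not Cisco's code: the ERS endpoint request from the curl line, made from Python with certificate verification left on (no equivalent of -k) and credentials read from the environment instead of the command line. The mac.EQ filter syntax, the ISE_USER and ISE_PASS variable names, and the response shape in SAMPLE are assumptions; the sample response is constructed.

```python
import base64
import json
import os
import ssl
import urllib.parse
import urllib.request

ERS_BASE = "https://ise.example.com:9060/ers/config"  # host and port from the post


def build_request(mac, user, password):
    """Build a GET for one endpoint record, filtered by MAC, asking for JSON."""
    # Filter syntax is an assumption about the ERS API; adjust to your release.
    query = urllib.parse.urlencode({"filter": f"mac.EQ.{mac.upper()}"})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{ERS_BASE}/endpoint?{query}",
        headers={"Accept": "application/json", "Authorization": f"Basic {token}"},
    )


def parse_search_result(body):
    """Return [(mac, id), ...] from a SearchResult document (assumed shape)."""
    result = json.loads(body).get("SearchResult", {})
    return [(r["name"], r["id"]) for r in result.get("resources", [])]


def find_endpoint(mac, ca_file=None):
    """Query ISE over TLS with chain and hostname verification enabled."""
    # Pass ca_file when the ISE certificate is issued by an internal CA.
    ctx = ssl.create_default_context(cafile=ca_file)
    req = build_request(mac, os.environ["ISE_USER"], os.environ["ISE_PASS"])
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_search_result(resp.read())


# Constructed sample response, not captured from a real deployment.
SAMPLE_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE = json.dumps({"SearchResult": {"total": 1, "resources": [
    {"id": SAMPLE_ID, "name": "AA:BB:CC:DD:EE:FF",
     "link": {"rel": "self", "href": f"{ERS_BASE}/endpoint/{SAMPLE_ID}"}},
]}})

if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(parse_search_result(SAMPLE))
```
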