A Policy Set is a group of Authentication Policies and Authorization Policies. The concept is intuitive for an administrator: you organize your AuthC and AuthZ policies in a way that makes them easy to troubleshoot and manage.
For example, you can put the Authentication and Authorization policies related to wired connections, those related to wireless connections and those related to VPN connections each in a separate Policy Set. Simply put, a Policy Set is a container for multiple Authentication and Authorization Policies.
The logic of any policy, whether a Policy Set, an Authentication Policy or an Authorization Policy, follows the formula: "If Condition then Result".
Now, where do we get these conditions and results to build our own policies?
The answer is "Policy Elements".
Under Policy Elements you find the Conditions and the Results (or Permissions). You can create your own condition rules and results, or use the pre-built conditions and results that ship with Cisco ISE.
Now, how do you create multiple Policy Sets?
A common best practice is to manage wired dot1X and MAB connections separately from wireless dot1X and MAB connections.
For ISE to know whether a connection is wired or wireless, you can use the Device Type attribute.
What is the Device Type?
The Device Type attribute is a Network Device Group that you define according to your business needs.
Say you have a group of switches and a group of wireless controllers. In ISE terminology each of these is a NAD (Network Access Device), and it is recommended to organize your NADs into Device Types, much like product families.
For example, you create a Device Type named SWITCHES and another named CONTROLLERS. Then, when you add a NAD to ISE, among the information you enter (the hostname of the NAD, its IP address, the RADIUS shared secret) there is a field called Device Type, where you select the appropriate one you created earlier:
NAD: SW-1
IP Address: 10.1.1.10
Device Type: SWITCHES
NAD: WLC
IP Address: 10.1.1.11
Device Type: CONTROLLERS
Then the magic happens: you create two Policy Sets as follows.
For wired connections:
Policy Set: Wired-Set
Condition: If Device Type equals SWITCHES (shown in ISE as DEVICE:Device Type EQUALS All Device Types#SWITCHES)
Then Result: Default Network Access (the allowed protocols list)
For wireless connections:
Policy Set: Wireless-Set
Condition: If Device Type equals CONTROLLERS (DEVICE:Device Type EQUALS All Device Types#CONTROLLERS)
Then Result: Default Network Access
Now, when the switch 10.1.1.10 sends a RADIUS Access-Request with the NAS-IP-Address attribute set to 10.1.1.10, ISE takes the IP address 10.1.1.10, looks it up in the list of NADs in its database and finds a NAD named SW-1 with IP address 10.1.1.10
and Device Type SWITCHES. It concludes that this is a wired connection, and the Policy Set that processes the request is Wired-Set.
When the controller 10.1.1.11 sends a RADIUS Access-Request with NAS-IP-Address 10.1.1.11, ISE takes the IP address 10.1.1.11, looks it up in its NAD list and finds a NAD named WLC with IP address 10.1.1.11
and Device Type CONTROLLERS. It concludes that this is a wireless connection, and the Policy Set that processes the request is Wireless-Set. Note that ISE identifies the NAD by the source IP address of the RADIUS packet, so the IP you enter for the NAD must be the one the device actually sends from (on a Cisco switch, the interface chosen with ip radius source-interface); a request arriving from an IP that matches no NAD is dropped as coming from an unknown device.
Once a Policy Set is matched, the request is processed by the Authentication Policies and Authorization Policies you created under that Policy Set. Policy Sets are evaluated top-down and the first match wins; a request that matches none of your sets falls into the built-in Default Policy Set at the bottom, so keep your specific sets above it and watch the Default set in Live Logs for NADs you forgot to classify.
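To make the selection logic concrete, here is a small Python model of the flow described above (NAD lookup by the request's IP, then top-down Policy Set matching on the Device Type). This is an added example, not code from the original post and not Cisco's implementation: the NAD entries, Device Type names, shared secrets and the Access-Request dictionaries are constructed for illustration, and it goes slightly beyond the text by adding a third NAD (an ASA in a FIREWALLS group) to show how an unclassified device lands in the Default set, and an unknown IP to show the request being dropped.

```python
"""Model of how Cisco ISE selects a Policy Set from the NAD's Device Type.

Added example, not from the original post and not Cisco code. The NAD
entries, Device Type names and RADIUS Access-Request dicts below are
constructed for illustration; the order of operations (NAD lookup, then
top-down Policy Set match) mirrors the behaviour described in the text.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class NAD:
    """One Network Access Device as defined under Administration > Network Devices."""
    name: str
    ip: str
    radius_secret: str   # constructed; shown only because it lives with the NAD entry
    device_type: str     # Network Device Group path, e.g. "All Device Types#SWITCHES"


# Constructed NAD database, keyed by IP address (the key ISE uses to find the NAD).
NAD_DB: Dict[str, NAD] = {
    "10.1.1.10": NAD("SW-1", "10.1.1.10", "s3cret-sw", "All Device Types#SWITCHES"),
    "10.1.1.11": NAD("WLC", "10.1.1.11", "s3cret-wlc", "All Device Types#CONTROLLERS"),
    "10.1.1.12": NAD("ASA", "10.1.1.12", "s3cret-asa", "All Device Types#FIREWALLS"),
}


@dataclass(frozen=True)
class PolicySet:
    """'If Condition then Result': a Policy Set's result is its allowed-protocols list."""
    name: str
    condition: Callable[[NAD, dict], bool]
    allowed_protocols: str = "Default Network Access"


def device_type_equals(group: str) -> Callable[[NAD, dict], bool]:
    """Equivalent of the ISE condition DEVICE:Device Type EQUALS <group>."""
    return lambda nad, _req: nad.device_type == group


# Ordered top-down, as ISE evaluates them; the built-in Default set is always last.
POLICY_SETS: List[PolicySet] = [
    PolicySet("Wired-Set", device_type_equals("All Device Types#SWITCHES")),
    PolicySet("Wireless-Set", device_type_equals("All Device Types#CONTROLLERS")),
    PolicySet("Default", lambda _nad, _req: True),
]


def lookup_nad(access_request: dict) -> Optional[NAD]:
    """Find the NAD by the source IP of the RADIUS packet.

    The NAS-IP-Address attribute travels inside the packet; it only agrees with
    the source IP when the device's RADIUS source interface is configured.
    """
    return NAD_DB.get(access_request.get("src_ip", ""))


def select_policy_set(access_request: dict) -> Optional[str]:
    """Name of the first Policy Set whose condition matches, or None if the NAD is unknown."""
    nad = lookup_nad(access_request)
    if nad is None:
        return None          # unknown NAD: ISE drops the request, no policy is evaluated
    for ps in POLICY_SETS:
        if ps.condition(nad, access_request):
            return ps.name
    return None              # unreachable while the Default set is present


def explain(access_request: dict) -> List[str]:
    """Step-by-step trace of the decision, similar to what Live Logs would show."""
    trace: List[str] = []
    src = access_request.get("src_ip", "")
    nad = lookup_nad(access_request)
    if nad is None:
        trace.append(f"{src}: no NAD with this IP, request dropped")
        return trace
    trace.append(f"{src}: matched NAD {nad.name} (Device Type {nad.device_type})")
    if access_request.get("NAS-IP-Address") not in (None, nad.ip):
        trace.append("warning: NAS-IP-Address differs from the source IP, check the RADIUS source interface")
    for ps in POLICY_SETS:
        if ps.condition(nad, access_request):
            trace.append(f"Policy Set {ps.name}: match, allowed protocols {ps.allowed_protocols}")
            break
        trace.append(f"Policy Set {ps.name}: no match")
    return trace


if __name__ == "__main__":
    # Constructed Access-Requests: wired 802.1X, wireless MAB, VPN login, unknown NAD.
    for req in (
        {"src_ip": "10.1.1.10", "NAS-IP-Address": "10.1.1.10", "User-Name": "alice"},
        {"src_ip": "10.1.1.11", "NAS-IP-Address": "10.1.1.11", "User-Name": "00-11-22-33-44-55"},
        {"src_ip": "10.1.1.12", "NAS-IP-Address": "10.1.1.12", "User-Name": "bob"},
        {"src_ip": "10.1.1.99", "NAS-IP-Address": "10.1.1.99", "User-Name": "mallory"},
    ):
        print("\n".join(explain(req)))
        print()
```

The third request shows why the order of POLICY_SETS matters: the ASA's FIREWALLS group matches neither specific set, so it falls through to Default, which is exactly the symptom you would chase in Live Logs when a NAD was added without the right Device Type.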