Demystifying Cisco ISE Identity Services Engine Policies

meddane

Cisco ISE has two core components of Policies:

- Policy Sets

- Policy Elements

A Policy Set is a group of Authentication Policies and Authorization Policies. The concept of a Policy Set is very intuitive for an administrator: you can organize your AuthC and AuthZ policies so that you can troubleshoot and manage your policies easily.

For example, you can put all Authentication and Authorization policies related to wired connections, those related to wireless connections, and those related to VPN connections in separate Policy Sets. Simply put, a Policy Set is a container of multiple Authentication and Authorization Policies.

The logic of a policy, whether a Policy Set, an Authentication Policy or an Authorization Policy, is based on the formula: "If Condition then Results".

Now, where can we get these conditions and results to build your own Policy?

The answer is "Policy Elements".

In Policy Elements you find the Conditions and the Results (Permissions). You can create your own condition rules and results, or you can use the pre-built conditions and results that ship with Cisco ISE.

Now, how do you create multiple Policy Sets?

A best practice, for example, is to manage the wired dot1X and MAB connections and the wireless dot1X and MAB connections separately.

For ISE to know whether a connection is wired or wireless, you can use the Device Type attribute.

What is the Device Type?

The Device Type attribute is information that you create according to your business needs.

Let's say you have a group of switches and a group of Wireless Controllers. In ISE terminology, we call them NADs, which stands for Network Access Devices. It is recommended to organize your NADs in ISE according to Device Type; this looks like a family of products.

For example, you can create a Device Type named SWITCHES and another Device Type named CONTROLLERS. Then, when you add a NAD in ISE, among the information you need to enter, such as the hostname of the NAD, the IP address and the RADIUS shared secret, there is a field called Device Type, where you select the appropriate Device Type created previously.

Hostname: SW-1

IP Address: 10.1.1.10

Device Type: SWITCHES

Hostname: WLC

IP Address: 10.1.1.11

Device Type: CONTROLLERS

Then the magic comes: you create two Policy Sets as follows.

For wired connection:

Policy Set: Wired-Set

Condition: If Device Type equal SWITCHES

Then Results: default Network Access

For wireless connection:

Policy Set: Wireless-Set

Condition: If Device Type equal CONTROLLERS

Then Results: default Network Access

Now, when the switch 10.1.1.10 sends a RADIUS Access-Request packet with the NAS-IP-Address attribute set to 10.1.1.10, ISE extracts the IP address 10.1.1.10 and looks it up in the list of NADs in its database. It finds a NAD named SW-1 with IP address 10.1.1.10 and Device Type attribute SWITCHES, concludes that this is a wired connection, and the Policy Set that will process it is Wired-Set.

When the controller 10.1.1.11 sends a RADIUS Access-Request packet with the NAS-IP-Address attribute set to 10.1.1.11, ISE extracts the IP address 10.1.1.11 and looks it up in the list of NADs in its database. It finds a NAD named WLC with IP address 10.1.1.11 and Device Type attribute CONTROLLERS, concludes that this is a wireless connection, and the Policy Set that will process it is Wireless-Set.

After a Policy Set is matched, the packet is processed by the Authentication Policies and Authorization Policies that you created under the matched Policy Set.
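As an added illustration (not code from the original post or from Cisco ISE itself), the following Python script models the selection step described above: it parses the NAS-IP-Address attribute out of a constructed RADIUS Access-Request, looks the address up in a constructed NAD table that carries the Device Type, and picks the first Policy Set whose condition matches, falling back to the Default set. The NAD entries and Policy Set names are the ones from the post; the packet bytes and the NAD table are built inside the script.

```python
import struct
import ipaddress

# Constructed NAD table, keyed by IP address, mirroring the two NADs from the post.
NADS = {
    "10.1.1.10": {"hostname": "SW-1", "device_type": "SWITCHES"},
    "10.1.1.11": {"hostname": "WLC", "device_type": "CONTROLLERS"},
}

# Policy Sets are evaluated top-down; the first condition that matches wins.
POLICY_SETS = [
    ("Wired-Set", lambda nad: nad["device_type"] == "SWITCHES"),
    ("Wireless-Set", lambda nad: nad["device_type"] == "CONTROLLERS"),
]

NAS_IP_ADDRESS = 4  # RADIUS attribute type for NAS-IP-Address (RFC 2865)

def parse_radius_attributes(packet):
    """Return {type: value} from a RADIUS packet: 20-byte header, then TLV attributes."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:  # reject truncated or overlapping attributes
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def select_policy_set(packet):
    """Model ISE's Policy Set selection from the Device Type of the sending NAD."""
    raw = parse_radius_attributes(packet).get(NAS_IP_ADDRESS)
    if raw is None or len(raw) != 4:
        return None  # no usable NAS-IP-Address: the NAD cannot be identified
    nad = NADS.get(str(ipaddress.IPv4Address(raw)))
    if nad is None:
        return None  # NAD not in the database: no Policy Set can be chosen
    for name, condition in POLICY_SETS:
        if condition(nad):
            return name
    return "Default"  # ISE's built-in catch-all Policy Set

def build_access_request(nas_ip):
    """Construct a minimal Access-Request (code 1) carrying only NAS-IP-Address."""
    attrs = bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    header = struct.pack("!BBH", 1, 1, 20 + len(attrs)) + b"\x00" * 16  # constructed zero authenticator
    return header + attrs
```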
