Meddane

Cisco ISE Global and Local Exception Authorization Policies: Use Cases With Cisco Stealthwatch for Adaptive Network Control (ANC)

Global authorization exception policies enable you to define rules that override all authorization rules in all of your policy sets. Once you configure a global authorization exception policy, it is added to all policy sets.

A local authorization exception rule takes precedence over the global exception rules: the local exception rules are processed first, then the global exception rules, and finally the normal rules of the authorization policy.

One of the interesting use cases for these exception rules is integrating Cisco Secure Network Analytics (Stealthwatch) with Cisco ISE for Response Management using Adaptive Network Control (ANC): when an alarm is raised, Cisco Secure Network Analytics (Stealthwatch) requests, through pxGrid, that Cisco ISE quarantine the host with an Adaptive Network Control policy.

The best practice is to configure the authorization rule on Cisco ISE that quarantines the host in either the Local Exception or the Global Exception policy.

If you want to apply the ANC policy to all your policy sets, that is, to all wired, VPN and wireless users, use the Global Exception.

If you want to apply the ANC policy only to VPN users or only to wired users, use the Local Exception inside the VPN policy set or the wired policy set, respectively.
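The scoping effect of that choice can be checked with a small model of the evaluation order described above. This is an added example, not Cisco ISE code: the policy-set, rule and profile names and the `anc_policy`/`medium` session keys are constructed stand-ins.

```python
# Simplified model of the order: local exceptions -> global exceptions -> standard rules.
# All names (ANC_Quarantine, Quarantine_Access, "VPN", "Wired") are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

@dataclass
class Rule:
    name: str
    condition: Callable[[Dict[str, str]], bool]
    result: str                                   # authorization profile on match

@dataclass
class PolicySet:
    name: str
    matches: Callable[[Dict[str, str]], bool]     # policy-set entry condition
    local_exceptions: List[Rule] = field(default_factory=list)
    rules: List[Rule] = field(default_factory=list)

def authorize(policy_sets, global_exceptions, session):
    """Return (policy set, tier, rule name, profile) for the first matching rule."""
    ps = next(p for p in policy_sets if p.matches(session))
    tiers = (("local-exception", ps.local_exceptions),
             ("global-exception", global_exceptions),
             ("standard", ps.rules))
    for tier, rules in tiers:
        for rule in rules:
            if rule.condition(session):
                return ps.name, tier, rule.name, rule.result
    return ps.name, "default", "Default", "DenyAccess"

def is_quarantined(session):
    # Stand-in for "an ANC policy has been assigned to this endpoint".
    return session.get("anc_policy") == "ANC_Quarantine"

QUARANTINE = Rule("ANC-Quarantine", is_quarantined, "Quarantine_Access")
PERMIT = Rule("Employees", lambda s: True, "PermitAccess")

def build(scope):
    """scope='global': rule in Global Exceptions; scope='vpn': VPN local exception only."""
    vpn = PolicySet("VPN", lambda s: s["medium"] == "vpn",
                    [QUARANTINE] if scope == "vpn" else [], [PERMIT])
    wired = PolicySet("Wired", lambda s: s["medium"] == "wired", [], [PERMIT])
    return [vpn, wired], ([QUARANTINE] if scope == "global" else [])

if __name__ == "__main__":
    for scope in ("global", "vpn"):
        sets, glob = build(scope)
        for medium in ("vpn", "wired"):
            host = {"medium": medium, "anc_policy": "ANC_Quarantine"}
            print(scope, authorize(sets, glob, host))
```

With the rule only in the VPN local exception, a wired endpoint that has the ANC policy assigned still falls through to its normal rule, which is the gap to check for when choosing the local scope.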
