How to configure to process policy set by policy set at ISE 3.0

journey jane
Level 1

Hello all,

Let me ask for some help regarding ISE multiple policy sets; I'm trying to configure my policy sets to be segregated from each other.

For example, we have two policy sets (Building1st-Posture-PolicySet and Building2nd-Posture-PolicySet).

For each policy set, I have authorization and authentication policies for multiple departments. What I expected is: if a user is not found at Building2nd-Posture-PolicySet and does not match any authorization profile there, it should go on to check the user at Building1st-Posture-PolicySet and apply the authorization profile accordingly. But it does not work as expected: if the user is not found at Building2nd-Posture-PolicySet, it gets rejected with the Default-Deny of the authorization policy of Building2nd-Posture-PolicySet and does not continue processing top-down until Building1st-Posture-PolicySet. So all users who are at Building1st-Posture-PolicySet get denied.

How can I configure it to process top-down, policy set by policy set? Has anyone experienced this? Thanks.

[Screenshots: journeyjane_0-1673064606384.png, journeyjane_1-1673064647980.png]


4 Replies

Rob Ingram

@journey jane at present the conditions to match the Policy Sets are identical (Wired Dot1x and Wired MAB). You need to distinguish between them with an additional unique condition. You can group the NADs (switches) for each building into a different Network Device Group (NDG) and use this in the policy set to distinguish between the different connection requests depending on where they are coming from.

I personally would just combine those 2 Policy Sets into 1 and use the different conditions within the authorisation rules to achieve the same result.

Thanks @Rob Ingram for the input. When I modified the condition by adding a device group, it worked well.

Rodrigo Diaz
Cisco Employee

Hello @journey jane, the approach that I would take is to add an extra condition within the two policy sets that you have created in order to differentiate whether the request is coming from building 1 or 2. The easiest way would be to create a device group that includes all the NADs that you have in building 1 and then use a condition like the one below (notice that instead of SWITCH it would have to be the NAD group of building 1).

[Screenshot: RodrigoDiaz_0-1673109788249.png]

For further reference:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_secure_wired_access.html#ID1661

Thanks @Rodrigo Diaz for the input. When I modified the condition by adding a device group as you mentioned, it worked well.
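The behaviour both answers describe (ISE evaluates policy sets top to bottom, stops at the first set whose top-level condition matches, and applies that set's Default-Deny when none of its rules hit) is easy to reproduce in a small model. The following is an added toy simulation, not Cisco code and not the poster's configuration: it models the original two sets keyed only on the wired conditions, then the corrected sets with a Network Device Group check added to each set's condition. The policy-set and profile names follow the thread; the NDG names `Building1-Switches`/`Building2-Switches`, the department lists and the sample requests are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed toy model of ISE policy-set evaluation (added example, not Cisco code).
# ISE walks policy sets top to bottom and stops at the first one whose top-level
# condition matches; the request is then judged only by that set's authorization
# rules and, if none applies, by that set's default rule (Default-Deny here).


@dataclass(frozen=True)
class Request:
    user: str
    department: str
    ndg: str        # Network Device Group of the switch the request came through (constructed)
    method: str     # library condition that matched, e.g. "Wired_802.1X" or "Wired_MAB"


Cond = Callable[[Request], bool]


@dataclass
class PolicySet:
    name: str
    condition: Cond                         # top-level policy-set condition
    authz_rules: List[Tuple[Cond, str]]     # (rule condition, authorization profile)
    default_profile: str = "DenyAccess"     # the set's default authorization rule


def evaluate(policy_sets: List[PolicySet], req: Request) -> Tuple[str, str]:
    """Return (policy set that handled the request, authorization profile granted)."""
    for ps in policy_sets:
        if ps.condition(req):
            for rule_cond, profile in ps.authz_rules:
                if rule_cond(req):
                    return ps.name, profile
            return ps.name, ps.default_profile  # matched the set, but no rule hit
    return "Default", "DenyAccess"              # no set matched: falls to the Default set


def wired(req: Request) -> bool:
    """Stands in for the 'Wired_802.1X OR Wired_MAB' condition both sets used."""
    return req.method in ("Wired_802.1X", "Wired_MAB")


# Hypothetical departments each building's set has rules for (constructed).
BUILDING1_DEPARTMENTS = ("Sales", "Finance")
BUILDING2_DEPARTMENTS = ("Engineering",)


def building_rules(departments: Tuple[str, ...], building: str) -> List[Tuple[Cond, str]]:
    """One authorization rule per department known to that building's policy set."""
    return [
        (lambda r, d=dept: r.department == d, f"{building}-{dept}-Profile")
        for dept in departments
    ]


def original_policy_sets() -> List[PolicySet]:
    # As in the question: both sets keyed only on the wired conditions,
    # Building2nd listed above Building1st, so Building2nd always wins.
    return [
        PolicySet("Building2nd-Posture-PolicySet", wired,
                  building_rules(BUILDING2_DEPARTMENTS, "Building2")),
        PolicySet("Building1st-Posture-PolicySet", wired,
                  building_rules(BUILDING1_DEPARTMENTS, "Building1")),
    ]


def fixed_policy_sets() -> List[PolicySet]:
    # As in the accepted answers: add the NAD's Network Device Group to each
    # set's condition so only requests from that building's switches match it.
    return [
        PolicySet("Building2nd-Posture-PolicySet",
                  lambda r: wired(r) and r.ndg == "Building2-Switches",
                  building_rules(BUILDING2_DEPARTMENTS, "Building2")),
        PolicySet("Building1st-Posture-PolicySet",
                  lambda r: wired(r) and r.ndg == "Building1-Switches",
                  building_rules(BUILDING1_DEPARTMENTS, "Building1")),
    ]


# Constructed sample requests: a building-1 user, a building-2 user, and a
# wireless request that neither set should claim.
ALICE = Request("alice", "Sales", "Building1-Switches", "Wired_802.1X")
BOB = Request("bob", "Engineering", "Building2-Switches", "Wired_MAB")
CAROL_WIFI = Request("carol", "Sales", "Building1-WLC", "Wireless_802.1X")

if __name__ == "__main__":
    for label, sets in (("original", original_policy_sets()), ("fixed", fixed_policy_sets())):
        for req in (ALICE, BOB, CAROL_WIFI):
            print(f"{label:8} {req.user:6} -> {evaluate(sets, req)}")
```

With the original sets, `alice` (a building-1 user on a building-1 switch) is claimed by Building2nd-Posture-PolicySet because its condition is identical to Building1st's, finds no matching rule there and receives that set's DenyAccess; evaluation never reaches Building1st. With the NDG added to each set's condition, her request skips Building2nd and is authorized by Building1st, while `bob` is unaffected and the wireless request falls through to the Default set in both layouts.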