
How to delete the default authentication policy that comes on Cisco ISE

Ibrahim Jamil
Level 6

Hello Guys

 

Please see the attached screenshot.

How can I delete the default authentication policy on Cisco ISE?

Thanks

4 Replies

Rahul Govindan
VIP Alumni

You cannot. You can only change the Identity store it uses. Documented here:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0100101.html#ID1256

 

"For both network access and device administration, this is the default authentication rule that is included in every policy set you create, as well as in the system default policy set.

You can edit this policy to configure any identity source sequence or identity source based on your needs, but you cannot add conditions to it or delete it."

 

Why do you want to delete it? Your policy has both dot1x and mab conditions above it, all requests should hit one of those rules. Nothing should even hit that policy rule.

Francesco Molino
VIP Alumni
Hi

You can't delete it but you can set it to deny.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I also found this "Default" statement annoying because there is nothing default about it - it's using the exact logic as required. i.e. If I match MAB, then I want to use Identity Store X.  If I match Dot1X then I want to use Identity Store Y, etc.  The problem is that the Authentication Policy output in the LiveLogs always shows the word ">> Default" at the end.  It's superfluous and looks like the engineer is relying on defaults in his logic.

It's a minor annoyance.

 

Yup, I have had the same annoyance with the name Default being the same as the identity store sub-policy under dot1x or MAB. I have not seen a use case where I have had to create another identity store policy under a dot1x or MAB Authc rule.