Cisco ISE Identity Services Engine Policies


What is Cisco ISE (Identity Services Engine)? From a policy point of view, Cisco ISE comes down to two core components:

-Policy Sets

-Policy Elements

A Policy Set is a group of Authentication Policies and Authorization Policies. The concept is intuitive for an administrator: you organize your AuthC and AuthZ policies in a structured way so that you can manage and troubleshoot them easily.

For example, you can put the Authentication and Authorization policies for wired connections, those for wireless connections and those for VPN connections in separate Policy Sets. Put simply, a Policy Set is a container for multiple Authentication and Authorization Policies.

The logic of a policy, whether a Policy Set, an Authentication Policy or an Authorization Policy, follows the formula: "If Condition then Result".

Now, where do we get the conditions and results to build our own policies?

The answer is "Policy Elements".

In Policy Elements you find the Conditions and the Results (Permissions). You can create your own conditions and results, or use the pre-built ones that ship with Cisco ISE.

Now, how do you create multiple Policy Sets?

A common best practice is to handle wired dot1X and MAB connections and wireless dot1X and MAB connections in separate Policy Sets.

For ISE to know whether a connection is wired or wireless, you can use the Device Type attribute of the network device (it appears in conditions as DEVICE:Device Type).

What is the Device Type?

The Device Type attribute is a classification you define according to your business needs.

Let's say you have a group of switches and a group of wireless controllers. In ISE terminology these are NADs (Network Access Devices). It is recommended to organize your NADs in ISE by Device Type, much like a family of products.

For example, you can create a Device Type named SWITCHES and another named CONTROLLERS. When you add a NAD in ISE, among the information you enter (the hostname of the NAD, its IP address, the RADIUS shared secret) there is a field called Device Type, where you select the one you created. Device Types form a hierarchy under the root "All Device Types", so these values are stored as All Device Types#SWITCHES and All Device Types#CONTROLLERS.

Hostname: SW-1
IP Address: 10.1.1.10
Device Type: SWITCHES

Hostname: WLC
IP Address: 10.1.1.11
Device Type: CONTROLLERS

Then the magic happens: you create two Policy Sets as follows.

For wired connections:

Policy Set: Wired-Set
Condition: DEVICE:Device Type EQUALS All Device Types#SWITCHES
Result (Allowed Protocols): Default Network Access

For wireless connections:

Policy Set: Wireless-Set
Condition: DEVICE:Device Type EQUALS All Device Types#CONTROLLERS
Result (Allowed Protocols): Default Network Access

Now when the switch SW-1 sends a RADIUS Access-Request, ISE takes the source IP address of the packet, 10.1.1.10, and looks it up in its list of NADs. (The request also carries a NAS-IP-Address attribute, 10.1.1.10 here, but the lookup is keyed on the packet's source IP, not on that attribute, so a NAS-IP-Address value cannot make a request look as if it came from another device.) It finds the NAD SW-1 with IP address 10.1.1.10 and Device Type SWITCHES, concludes that this is a wired connection, and the Policy Set that processes it is Wired-Set.

When the controller WLC sends a RADIUS Access-Request from 10.1.1.11, ISE does the same lookup, finds the NAD WLC with IP address 10.1.1.11 and Device Type CONTROLLERS, concludes that this is a wireless connection, and the Policy Set that processes it is Wireless-Set.

If the source IP matches no configured NAD, the request is dropped before any Policy Set is evaluated; in Live Logs this shows up as "Could not locate Network Device or AAA Client" (failure reason 11007). A known NAD with a mismatched shared secret also fails, since the shared secret is what authenticates the device to ISE.

After a Policy Set is matched, the request is processed by the Authentication Policies and Authorization Policies you created under that Policy Set. Policy Sets are evaluated top-down and the first match wins, so order matters; the built-in Default Policy Set at the bottom catches any request that matches none of your own sets.
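The whole flow described above (NAD lookup by source IP, then top-down Policy Set selection on the Device Type condition, then the authentication rules under the chosen set) as an added, runnable model. This is example code written for this article, not Cisco's implementation: the NAD table, the Device Type names, the policy-set and rule names, the identity-source names (AD_Users, Internal Endpoints, All_User_ID_Stores) and the sample requests are constructed for illustration. It also covers the two caveats a practitioner wants to see: a request whose source IP is not a configured NAD is dropped before any policy runs, whatever NAS-IP-Address it claims, and a request from a known NAD that matches no specific authentication rule falls through to the Default rule.

```python
"""Model of how ISE processes a RADIUS Access-Request: NAD lookup, then
Policy Set selection, then the authentication rules under that set.

Added illustration, not Cisco code. NAD table, Device Type names, policy,
rule and identity-source names and the sample requests are constructed.
Modelled behaviour: the NAD is identified by the datagram's source IP (the
NAS-IP-Address AVP does not drive the lookup); an unknown source is dropped
before any policy runs; Policy Sets are evaluated top-down, first match wins,
and the Default set catches everything else.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

DEVICE_TYPE_ROOT = "All Device Types"    # root of the ISE Device Type hierarchy
Cond = Callable[[Dict[str, str]], bool]  # a condition reads the request attributes


@dataclass
class NetworkDevice:
    hostname: str
    network: ipaddress.IPv4Network  # ISE accepts a single host or a range per NAD
    device_type: str                # e.g. "All Device Types#SWITCHES"


@dataclass
class Rule:  # authentication rule: if cond then use this identity source
    name: str
    cond: Cond
    identity_source: str


@dataclass
class PolicySet:  # if cond then allowed protocols, then evaluate its rules
    name: str
    cond: Cond
    allowed_protocols: str
    rules: List[Rule]


def device_type_is(name: str) -> Cond:
    """DEVICE:Device Type EQUALS 'All Device Types#<name>' (child nodes match too)."""
    target = f"{DEVICE_TYPE_ROOT}#{name}"
    return lambda a: a["DEVICE:Device Type"] == target or a["DEVICE:Device Type"].startswith(target + "#")


def avp(name: str, value: str) -> Cond:
    """RADIUS attribute <name> EQUALS <value>."""
    return lambda a: a.get(name) == value


def both(c1: Cond, c2: Cond) -> Cond:
    return lambda a: c1(a) and c2(a)


# ISE's built-in compound conditions, spelled out as RADIUS attribute checks.
WIRED_DOT1X = both(avp("NAS-Port-Type", "Ethernet"), avp("Service-Type", "Framed"))
WIRED_MAB = both(avp("NAS-Port-Type", "Ethernet"), avp("Service-Type", "Call Check"))
WIRELESS_DOT1X = both(avp("NAS-Port-Type", "Wireless - IEEE 802.11"), avp("Service-Type", "Framed"))
WIRELESS_MAB = both(avp("NAS-Port-Type", "Wireless - IEEE 802.11"), avp("Service-Type", "Call Check"))
DEFAULT_RULE = Rule("Default", lambda a: True, "All_User_ID_Stores")  # ISE always keeps one

# Constructed NAD table (hostnames and IPs are the article's).
NADS: List[NetworkDevice] = [
    NetworkDevice("SW-1", ipaddress.ip_network("10.1.1.10/32"), f"{DEVICE_TYPE_ROOT}#SWITCHES"),
    NetworkDevice("WLC", ipaddress.ip_network("10.1.1.11/32"), f"{DEVICE_TYPE_ROOT}#CONTROLLERS"),
]

# Ordered top-down; the first matching set wins; Default is the catch-all.
POLICY_SETS: List[PolicySet] = [
    PolicySet("Wired-Set", device_type_is("SWITCHES"), "Default Network Access",
              [Rule("Dot1X", WIRED_DOT1X, "AD_Users"), Rule("MAB", WIRED_MAB, "Internal Endpoints"), DEFAULT_RULE]),
    PolicySet("Wireless-Set", device_type_is("CONTROLLERS"), "Default Network Access",
              [Rule("Dot1X", WIRELESS_DOT1X, "AD_Users"), Rule("MAB", WIRELESS_MAB, "Internal Endpoints"), DEFAULT_RULE]),
    PolicySet("Default", lambda a: True, "Default Network Access", [DEFAULT_RULE]),
]


def lookup_nad(source_ip: str) -> Optional[NetworkDevice]:
    """Most specific NAD entry whose IP/range contains the datagram's source IP."""
    ip = ipaddress.ip_address(source_ip)
    hits = [n for n in NADS if ip in n.network]
    return max(hits, key=lambda n: n.network.prefixlen) if hits else None


def evaluate(source_ip: str, attrs: Dict[str, str]) -> Tuple[Optional[str], str, Optional[str]]:
    """Return (policy set, allowed protocols or drop reason, identity source)."""
    nad = lookup_nad(source_ip)
    if nad is None:
        # What ISE Live Logs shows as 11007 'Could not locate Network Device or AAA Client'.
        return None, "Could not locate Network Device or AAA Client", None
    a = dict(attrs)
    a["DEVICE:Device Type"] = nad.device_type  # NAD attributes join the request's own AVPs
    for ps in POLICY_SETS:
        if ps.cond(a):
            rule = next(r for r in ps.rules if r.cond(a))  # the Default rule always matches
            return ps.name, ps.allowed_protocols, rule.identity_source
    raise AssertionError("unreachable: the Default policy set matches every request")


if __name__ == "__main__":
    print(evaluate("10.1.1.10", {"NAS-IP-Address": "10.1.1.10", "NAS-Port-Type": "Ethernet", "Service-Type": "Framed"}))
    print(evaluate("10.1.1.99", {"NAS-IP-Address": "10.1.1.10"}))  # claims to be SW-1, but the source is unknown
```

Run it and compare with what you see in ISE Live Logs: the first request lands in Wired-Set and the Dot1X rule, the second is dropped with the 11007 reason even though its NAS-IP-Address claims to be SW-1. Swapping the order of Wired-Set and Wireless-Set changes nothing here because their conditions are disjoint, but a broader condition placed above a narrower one would shadow it, which is the usual cause of "wrong policy set matched" tickets.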

Published by:

Redouane MEDDANE

Redouane MEDDANE is a Cisco Instructor (CCSI #35458), 3xCCNP (Collaboration, Security and Enterprise), and a published author of some of the most important OSPF protocol, security and collaboration books in the world, titled OSPF Demystified With RFC, Network Security All-in-one, and Dial Plan and Call Routing Demystified on CUCM. He is also a blogger at ipdemystify.com and writes articles about collaboration and security to demystify the most complex topics. His books are known for their technical depth and accuracy, especially OSPF Demystified With RFC, which is considered the best OSPF book in the world and was named "One of the best OSPF ebooks of all time" by BookAuthority; it gives you a hint of his ability to explain complex topics with remarkable ease. He has worked as a Cisco Instructor and consultant at different Cisco Learning Partners and was awarded the Cisco Distinguished Instructor Award and the Cisco Security Instructor Excellence Award in 2018 and 2019, and the Cisco Collaboration Instructor Excellence Award in 2020. The Distinguished Instructor Award recognizes the top 5% of Cisco's most influential CCSIs who provide the highest quality training experience and demonstrate the best overall instructor performance across multiple Cisco technologies, and the Instructor Excellence Award recognizes the top 25% of elite CCSIs recognized for delivering top quality training and maintaining high customer satisfaction in their field of expertise.
