What is Cisco ISE (Identity Services Engine)? From a policy point of view, Cisco ISE comes down to two core components:
- Policy Sets
- Policy Elements
A Policy Set is a group of Authentication Policies and Authorization Policies. The concept is very intuitive for an administrator: you organize your AuthC and AuthZ policies so that they are easy to troubleshoot and manage.
For example, you can put all Authentication and Authorization policies related to wired connections in one Policy Set, those related to wireless connections in another, and those related to VPN connections in a third. Simply put, a Policy Set is a container for multiple Authentication and Authorization Policies.
The logic of any policy, whether a Policy Set, an Authentication Policy or an Authorization Policy, follows the formula: "If Condition then Results".
Now, where do we get these conditions and results to build our own policies?
The answer is "Policy Elements".
In Policy Elements you find the Conditions and the Results (also called Permissions). You can create your own conditions and results, or you can use the pre-built conditions and results that ship with Cisco ISE.
Now, how do we create multiple Policy Sets?
A best practice, for example, is to manage wired dot1X and MAB connections separately from wireless dot1X and MAB connections.
For ISE to know whether a connection is wired or wireless, you can use the Device Type attribute.
What is the Device Type?
The Device Type attribute is information that you define according to your business needs.
Let's say you have a group of switches and a group of wireless controllers. In ISE terminology these are NADs, which stands for Network Access Devices. It is recommended to organize your NADs in ISE by Device Type, which works like a family of products.
For example, you can create a Device Type named SWITCHES and another Device Type named CONTROLLERS. Then, when you add a NAD to ISE, among the information you need to enter (the hostname of the NAD, its IP address, the RADIUS shared secret) there is a field called Device Type, where you select the appropriate Device Type created earlier.
Hostname: SW-1
IP Address: 10.1.1.10
Device Type: SWITCHES

Hostname: WLC
IP Address: 10.1.1.11
Device Type: CONTROLLERS
Then the magic happens: you create two Policy Sets as follows.
For wired connections:
Policy Set: Wired-Set
Condition: If Device Type equals SWITCHES
Then Results: Default Network Access
For wireless connections:
Policy Set: Wireless-Set
Condition: If Device Type equals CONTROLLERS
Then Results: Default Network Access
Now, when the switch 10.1.1.10 sends a RADIUS Access-Request packet with the NAS-IP-Address attribute set to 10.1.1.10, ISE extracts the IP address 10.1.1.10 and looks it up in the list of NADs in its database. It finds a NAD named SW-1 with IP address 10.1.1.10 and Device Type SWITCHES, concludes that this is a wired connection, and the Policy Set that will process it is Wired-Set.
When the controller 10.1.1.11 sends a RADIUS Access-Request packet with the NAS-IP-Address attribute set to 10.1.1.11, ISE extracts the IP address 10.1.1.11 and looks it up in the list of NADs in its database. It finds a NAD named WLC with IP address 10.1.1.11 and Device Type CONTROLLERS, concludes that this is a wireless connection, and the Policy Set that will process it is Wireless-Set.
After a Policy Set is matched, the packet is processed by the Authentication Policies and Authorization Policies that you created under that matched Policy Set.
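To make the "If Condition then Results" logic and the NAS-IP-Address lookup concrete, here is a small Python model of Policy Set selection. It is an added example written for this page, not Cisco code and not how ISE is implemented internally. It assumes a NAD table keyed on the NAS-IP-Address value as the text describes, the two NADs and two Policy Sets from the post, plus a catch-all Default set evaluated last, and it models an unknown NAD as a request that ISE refuses to process rather than matching any set. The Access-Request packets and the shared-secret placeholders are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed NAD database mirroring the two entries in the post.
# ISE also stores a RADIUS shared secret per NAD; placeholders only here.
NADS = {
    "10.1.1.10": {"hostname": "SW-1", "device_type": "SWITCHES", "secret": "<placeholder>"},
    "10.1.1.11": {"hostname": "WLC", "device_type": "CONTROLLERS", "secret": "<placeholder>"},
}


@dataclass
class PolicySet:
    name: str
    condition: Callable[[dict], bool]  # the "If Condition" part
    result: str                        # the "then Results" part (allowed protocols)


def device_type_is(expected: str) -> Callable[[dict], bool]:
    """Build a condition that matches on the NAD's Device Type attribute."""
    return lambda attrs: attrs.get("Device Type") == expected


# Policy Sets are evaluated top-down; the first matching condition wins.
# The trailing "Default" set (condition always true) mirrors the catch-all
# Default policy set ISE ships with (an assumption of this model).
POLICY_SETS = [
    PolicySet("Wired-Set", device_type_is("SWITCHES"), "Default Network Access"),
    PolicySet("Wireless-Set", device_type_is("CONTROLLERS"), "Default Network Access"),
    PolicySet("Default", lambda attrs: True, "Default Network Access"),
]


def lookup_nad(nas_ip: Optional[str]) -> Optional[dict]:
    """Find the NAD entry for the IP carried in the Access-Request."""
    if nas_ip is None:
        return None
    return NADS.get(nas_ip)


def select_policy_set(access_request: dict) -> Optional[Tuple[str, str]]:
    """Return (policy set name, result) for a RADIUS Access-Request,
    or None when the sending device is not a known NAD (request not processed)."""
    nad = lookup_nad(access_request.get("NAS-IP-Address"))
    if nad is None:
        # Unknown network device: no Device Type can be derived, so no
        # Policy Set is evaluated. Modeled as a rejected request.
        return None
    # Enrich the request attributes with what ISE knows about the NAD.
    attrs = dict(access_request)
    attrs["Device Type"] = nad["device_type"]
    attrs["NAD Hostname"] = nad["hostname"]
    for policy_set in POLICY_SETS:
        if policy_set.condition(attrs):
            return policy_set.name, policy_set.result
    return None  # unreachable while a catch-all Default set exists


def process_requests(requests: list) -> list:
    """Run a batch of Access-Requests through Policy Set selection."""
    return [(req.get("NAS-IP-Address"), select_policy_set(req)) for req in requests]


if __name__ == "__main__":
    # Constructed sample Access-Requests: the switch, the controller,
    # and a device that was never added to ISE as a NAD.
    sample = [
        {"NAS-IP-Address": "10.1.1.10", "User-Name": "host/PC-1", "NAS-Port-Type": "Ethernet"},
        {"NAS-IP-Address": "10.1.1.11", "User-Name": "alice", "NAS-Port-Type": "Wireless-802.11"},
        {"NAS-IP-Address": "10.1.1.99", "User-Name": "bob"},
    ]
    for nas_ip, outcome in process_requests(sample):
        print(nas_ip, "->", outcome if outcome else "unknown NAD, request not processed")
```

The order of the list matters: because the Default set has an always-true condition, placing it before Wired-Set or Wireless-Set would shadow both, which is the same top-down, first-match behaviour to keep in mind when ordering Policy Sets in ISE.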