Page 1 of 11

Lab 3: Conversion to Policy Sets

Lab Overview
In this lab, you will convert Cisco ISE from the normal policy model to the policy set model. Policy sets let you logically group authentication and
authorization policies under a single set name, so you can build policies around location, access type, or similar parameters that suit your
organizational needs. Policy sets are evaluated in first-match, top-down order.

Estimated Completion Time

60 minutes

Lab Procedures
• Examine the Current Authentication and Authorization Policies

• Convert to Policy Sets

• Add Network Devices and Create Policy Sets

• Work with Global Exceptions

Perform Only If You Have Done a Reset

If you have performed a reset of this lab or are using the Global Knowledge e-Labs (meaning that you are accessing the system after you have attended the 5-day
course), you will need to prepare or verify the environment. Perform the following:

Access the module in the lab guide titled Post Reset and follow the directions there.

Task 1: Examine the Current Authentication and Authorization Policies

In this task, you will examine the current Authentication and Authorization policies.

1. Take note of your current disposition in ISE.

1.1. On the Admin-PC, open Firefox and, using the ISE bookmark, log in to GUI as admin/admin$Pwd.

1.2. In the web console of ISE, navigate to Policy > Authentication. Take note of the default ISE policies for authentication.

Note: Three rules make up the default Authentication Policy: one rule for MAB (wired or wireless), one rule for 802.1X (wired or wireless) and a catch-all
default rule for everything else. All three rules allow the protocols defined in the Default Network Access result. The MAB rule additionally authenticates
against the Internal Endpoints ID Store, while the other two use the All_User_ID_Stores ID Source Sequence (which authenticates against all AD Join Points,
Internal Users, and the Guest ID Store).

1.3. Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols and click Default Network Access to examine the protocols that
are allowed by all three of the default authentication rules.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L03.htm 19/09/2017

Note: Process Host Lookup is for MAB, and PAP/ASCII is for VPN, while the various EAP protocols (shown collapsed here) are for 802.1X. You will leave the
defaults for now as they suffice for much of what you will be doing.

1.4. Next, navigate to Policy > Authorization. Take a minute to examine the default ISE authorization policies as well.

Note: There are numerous default authorization policies, too many to cover in detail here. Over time, Cisco has added more default authorization
policies to provide examples from which to build. Many of these policies are disabled by default and won't have any effect on authorization until enabled.
We will revisit some of these in subsequent labs.

Task 2: Convert to Policy Sets

You can plainly see from the layout of these rules that things could become quite cluttered as time goes by, especially in the area of authorization
policy rules. Note also that the way these rules are built affects processing latency, since a session is evaluated against the rules in order. To streamline
processing, you will build a logical layout of policies.

2. Enable Policy Sets.

2.1. In ISE, navigate to Administration > System > Settings > Policy Sets.

2.2. Enable Policy Sets and click Save.

2.3. Click OK in the message window that appears and log back in to the web console as admin/admin$Pwd.

2.4. Click Policy from the menu at the top of the page. You will also notice that the Authentication and Authorization links are now missing and have been
replaced by Policy Sets (also available via Work Centers > Network Access > Policy Sets).


2.5. Click Policy Sets.

2.6. Click the Default Policy Set and expand the authorization policies. You will notice all of our current policies associated with this set.

Task 3: Add Network Devices and Create Policy Sets

In this task, you will add Network Access Devices and create policy sets for wired, wireless, and VPN access.

3. Create network access device groups.

3.1. Navigate to Work Centers > Network Access > Device Groups (or Administration > Network Resources > Network Device Groups).

3.2. In the left pane, expand Groups and select All Device Types.

3.3. In the right pane, click Add and separately create the following network device groups.

Name      Description
Wired     Wired Access Switches
Wireless  WLCs
VPN       VPN Access Devices

3.4. When complete, your configuration should match the following.

3.5. In the left pane, select All Locations.

3.6. In the right pane, click Add and separately create the following network device group locations.

Name    Description
HQ      Headquarters
Branch  Branch Office
Test    IT Test Network

3.7. When complete, your configuration should match the following.

4. Configure the L3-Switch as a Network Device in ISE.

4.1. In ISE, navigate to Work Centers > Network Access > Network Resources > Network Devices (or Administration > Network Resources > Network
Devices).


4.2. Click Add to configure a new network device using the following information.

Attribute                        Value
Name                             L3-Switch
Description                      3560-X Access Switch
IP Address                       10.10.2.1 /32
Device Profile                   Cisco
Model Name                       Cisco_3560X
Software Version                 15.2
Network Device Group
  Device Type                    Wired
  Location                       Test
RADIUS Authentication Settings
  Shared Secret                  sharedsecret

4.3. Click the Show button to confirm the shared secret and then click Submit.

Note: We'll come back to the TACACS+ and SNMP settings later. The SNMP settings are used for SNMP querying (a collection technique) from ISE when
performing Profiling. Also, you set the Location to Test in order to allow for testing a new feature called EasyConnect. You will see that Device
Groups can play an important role when determining which Policy Set ISE will use for a session.

Using the Import method provided here, you can import Network Devices and their respective credentials simultaneously.

5. Configure the WLC as a Network Device in ISE.

5.1. Click Add to configure a new network device using the following information.

Attribute                        Value
Name                             WLC
Description                      Virtual WLC
IP Address                       10.10.2.80 /32
IP Address                       10.10.10.2 /32 <Add another entry to supply this IP>
Device Profile                   Cisco
Model Name                       Virtual_WLC
Software Version                 7.4
Network Device Group
  Device Type                    Wireless
  Location                       HQ
RADIUS Authentication Settings
  Shared Secret                  sharedsecret

5.2. Click the Show button to confirm the shared secret and then click Submit.

6. Configure the HQ-ASA as a Network Device in ISE.

6.1. Click Add to configure a new network device using the following information.

Attribute                        Value
Name                             HQ-ASA
Description                      5515-X ASA
IP Address                       10.10.0.1 /32
Device Profile                   Cisco
Model Name                       5515-X
Software Version                 9.4
Network Device Group
  Device Type                    VPN
  Location                       HQ
RADIUS Authentication Settings
  Shared Secret                  sharedsecret

6.2. Click the Show button to confirm the shared secret and then click Submit.

6.3. Your Network Devices list should look as follows.

7. Create policy sets for wired and wireless.

7.1. Navigate to Policy > Policy Sets.

7.2. With Default selected, click the + (plus sign), then Create Above.

7.3. Double-click Enter Policy Name and set the following.

Name   Description   Condition(s)
Wired  Wired Access  DEVICE:Device Type EQUALS All Device Types#Wired


7.4. Click Done at the right; your policy set rule should look as follows.

7.5. Click Submit.

7.6. Create another policy set with the label Wireless below the Wired Policy Set by selecting the Wired Policy set in the left pane, clicking the + (plus
sign), and selecting Create Below.

7.7. Fill in the parameters of the new Policy set as follows.

Name      Description      Condition(s)
Wireless  Wireless Access  DEVICE:Device Type EQUALS All Device Types#Wireless

7.8. Click Done at the right; your policy set rule should look as follows.

7.9. Click Submit.

8. Now that you have policy sets built, it's time to add some policy rules.

8.1. Highlight the Wired policy set. This is the destination where our copied policies will be placed.

8.2. Click the Copy Policy Rules icon that the arrow is pointing to in the image below.

8.3. In the window that appears, select the Default policy on the bottom left of the screen. This will expand all of the default policies.

8.4. Click the double-arrow in the center of the screen to copy ALL policies from the Default policy set to the Wired policy set.


Note: Both Authentication and Authorization rules are copied over using this method. Also, nothing is committed until after you save changes. Keep this in
mind when doing this in production.

8.5. Click OK and you will see the Wired policies that were copied.

8.6. Click Done for all of the rules in both the Authentication Policy and Authorization Policy sections of the Wired Policy Set.

8.7. In the Authorization Policy section, delete all rules dealing with Wireless Authorization. This can be done by deleting any rule that begins with
Wireless or Wi-Fi as well as the two rules that begin with Employee.

Note: If you haven't already, you will need to click Done before you can delete any rules.

8.8. Click Save once completed (now you're committed). The Authorization Policy section should look as follows:

8.9. Now repeat the process for copying policies to the Wireless policy set. This time, copy the policies one at a time. Copy both of the
Authentication policies and then copy only the Authorization policies that start with Wi-Fi or Wireless or Employees. The end result should look as
follows.

8.10. Don't forget to save your work.

9. Modify the Policy Sets to remove references to unnecessary conditions.

Both the MAB and Dot1X Rules of the Wired and Wireless Policy Sets currently reference Wired as well as Wireless conditions. This is a holdover from the
original Authentication Rules that applied to both types of connections. In this environment, Wired and Wireless sessions will be handled by separate Policy
Sets. To streamline processing, you will remove the unnecessary conditions from each Policy set.

9.1. In the left pane, select Wireless and view the existing Authentication Policy.


9.2. Edit the MAB rule and delete the Wired_MAB condition.

9.3. Click Done when finished with the delete process.

Note: Even after deletion, the rule may still appear to include the deleted condition. This will change after you edit the next rule and save changes.

9.4. Now edit the Dot1X rule and delete the Wired_802.1X condition.

9.5. Don't forget to click Done and then scroll down and click Save.

9.6. Your resulting Wireless Authentication Policy should look as follows.

9.7. In the left pane, select Wired and view the existing Authentication Policy.

9.8. Edit the MAB rule and delete the Wireless_MAB condition.

9.9. Now edit the Dot1X rule and delete the Wireless_802.1X condition.

9.10. Don't forget to click Done and then scroll down and click Save.

9.11. Your resulting Wired Authentication Policy should look as follows.

10. Create a Policy Set for VPN Access.

10.1. In the left pane, click the Default policy set.

10.2. From the tool bar, click the + (plus sign) and select Create Above.

10.3. Create the following Policy Set.

Name  Description  Condition(s)
VPN   VPN Access   DEVICE:Device Type EQUALS All Device Types#VPN

10.4. Don't forget to submit your changes; the VPN policy set should look as follows.

11. Create a Policy Set for EasyConnect.

In a subsequent lab, you will be testing out a feature of ISE called EasyConnect. Here you will set up the Policy set to allow ISE to process EasyConnect
sessions from NADs that are Wired AND on the Test network. This is an effective way to test out features in a production ISE environment while limiting the
scope of the test.

11.1. In the left pane, select the Wired Policy Set and click Duplicate Above.

11.2. Fill in the Policy Set Rule as follows.


Name         Description         Condition(s)
EasyConnect  EasyConnect Access  DEVICE:Device Type EQUALS All Device Types#Wired AND DEVICE:Location EQUALS All Locations#Test

11.3. Don't forget to submit your changes; the EasyConnect Policy Set should appear as follows.

Note: Remember that Policy sets are processed in a top-down fashion. First hit determines the Policy Set used for the session.

Task 4: Work with Global Exceptions

In this task, you will configure a global exception authorization policy, which applies to every policy set (globally) and, as an exception policy, is processed
before the regular rules of the Authorization Policy. Exception policies are intended to temporarily preempt the behavior of an Authorization Policy.

12. Create a global exception.

12.1. In your policy set configuration left pane, select Global Exceptions.

12.2. In the right pane, click Create a New Rule.

12.3. Create the following rule. For this rule scenario, you are creating an exception for the gklabs.com IT staff who are performing an audit of the network.

Tip: Save the condition to the library to facilitate a more efficient reuse in the future.

Attribute    Value
Rule Name    IT Audit Exception
Conditions   if Any (identity groups) and GKLABS:ExternalGroups EQUALS gklabs.com/DomainGroups/IT (other conditions: Create New Condition)
Permissions  Standard > PermitAccess

12.4. Click Done and verify your policy against the following screenshot.

12.5. Scroll down and click Save.

12.6. In the left pane, select Wired and verify that in the Authorization Policy next to Exceptions there is an indicator of (1), meaning that the Global
Exception is taking effect here.


Note: The overall processing order is:

• Local Exception Rules
• Global Exception Rules
• Regular Rules of the Authorization Policy

12.7. If you check, you will find that the Global Exception is in effect on all Policy Sets including the Default Policy Set.

13. Test the Global Exception Policy.

13.1. To test policy, access the console of the L3-Switch. If necessary, use admin/admin$Pwd to log in and enable secret san-fran to access priv exec mode.

13.2. From the CLI, perform a test AAA authentication for user it1 using the UPN name format and observe the result.

L3-Switch#test aaa group radius it1@gklabs.com gklabs new-code
User successfully authenticated

USER ATTRIBUTES
username 0 "it1@gklabs.com"

13.3. Return to the ISE admin portal.

13.4. Navigate to Operations > RADIUS > Live Logs and find the it1@gklabs.com authentication.

13.5. Click the authentication details icon.

13.6. Observe that the Authorization policy name is under EasyConnect and is IT Audit Exception, the name you created as a Global Exception policy name.
Remember that the L3-Switch is currently configured on the Test network, the one you set up for EasyConnect. This demonstrates both the logic of
Global Exceptions and Policy Set selection for a given session.
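The policy set selection and authorization processing order demonstrated in step 13.6 (and stated in the notes under steps 11.3 and 12.6), as an added Python model that is not part of the lab and not ISE code. The policy set names, conditions and the IT Audit Exception come from the lab; the session values, the empty local exceptions and the DenyAccess default rule are constructed assumptions.

```python
# Added example (not from the lab): models how ISE picks a policy set (first match,
# top down) and then orders authorization rules (local exceptions, global exceptions,
# regular rules). Session data below is constructed for illustration.
from dataclasses import dataclass


@dataclass
class Session:
    device_type: str        # NAD group under All Device Types (Wired, Wireless, VPN)
    location: str           # NAD group under All Locations (HQ, Branch, Test)
    external_groups: set    # AD groups returned for the user (GKLABS:ExternalGroups)


# Policy sets in the lab's top-down order; each condition is a predicate on the session.
POLICY_SETS = [
    ("EasyConnect", lambda s: s.device_type == "Wired" and s.location == "Test"),
    ("Wired",       lambda s: s.device_type == "Wired"),
    ("Wireless",    lambda s: s.device_type == "Wireless"),
    ("VPN",         lambda s: s.device_type == "VPN"),
    ("Default",     lambda s: True),
]

# Global exception from Task 4: GKLABS:ExternalGroups EQUALS gklabs.com/DomainGroups/IT
GLOBAL_EXCEPTIONS = [
    ("IT Audit Exception",
     lambda s: "gklabs.com/DomainGroups/IT" in s.external_groups, "PermitAccess"),
]

# Hypothetical per-set rules: the lab defines no local exceptions, and each set is
# given only a catch-all Default rule that denies access (assumed for the model).
LOCAL_EXCEPTIONS = {}
REGULAR_RULES = {name: [("Default", lambda s: True, "DenyAccess")]
                 for name, _ in POLICY_SETS}


def select_policy_set(session):
    """First hit wins; the Default set always matches, so it is evaluated last."""
    for name, cond in POLICY_SETS:
        if cond(session):
            return name
    raise RuntimeError("no policy set matched")  # unreachable while Default exists


def authorize(session):
    """Return (policy_set, rule_name, permission) using the ISE processing order."""
    pset = select_policy_set(session)
    ordered = LOCAL_EXCEPTIONS.get(pset, []) + GLOBAL_EXCEPTIONS + REGULAR_RULES[pset]
    for rule_name, cond, permission in ordered:
        if cond(session):
            return pset, rule_name, permission
    return pset, None, "DenyAccess"


if __name__ == "__main__":
    # Constructed session for step 13: it1@gklabs.com via L3-Switch (Wired, Test)
    print(authorize(Session("Wired", "Test", {"gklabs.com/DomainGroups/IT"})))
```

Moving the EasyConnect entry below Wired in POLICY_SETS makes the same session land in the Wired set, which is the first-hit behaviour the note under step 11.3 warns about.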

14. Remove the Global Exception Policy.

As stated earlier, exception policies are set for temporary purposes. You will delete the policy now so that it will not interfere with subsequent labs.

14.1. In the ISE GUI, navigate to Work Centers > Network Access > Policy Sets.

14.2. Once there, select the Global Exceptions and delete the IT Audit Exception.

14.3. Save changes when finished deleting the exception.

Lab Complete
