Lab Overview
In this lab, you will convert Cisco ISE from the classic policy model to the policy set model. Policy sets enable you to logically group authentication and
authorization policies under a single set name. They let you create policies based on location, access type, or other similar parameters that reflect your
organizational needs. Policy sets are evaluated in first-match, top-down order: the first set whose condition matches a session is the one ISE uses for it.
Lab Procedures
• Examine the Current Authentication and Authorization Policies
If you have performed a reset of this lab or are using the Global Knowledge e-Labs (meaning that you are accessing the system after you have attended the 5-day
course), you will need to prepare or verify the environment. Perform the following:
Access the module in the lab guide titled Post Reset and follow the directions there.
In this task, you will examine the current Authentication and Authorization policies.
1.1. On the Admin-PC, open Firefox and, using the ISE bookmark, log in to GUI as admin/admin$Pwd.
1.2. In the web console of ISE, navigate to Policy > Authentication. Take note of the default ISE policies for authentication.
Note: Three rules make up the default Authentication Policy: one rule for MAB (wired or wireless), one rule for 802.1X (wired or wireless), and a catch-all
default rule for everything else. All three rules allow the protocols defined in the Default Network Access result. The MAB rule further authenticates
against the Internal Endpoints ID store, and the other two use the All_User_ID_Stores ID source sequence (which authenticates against all AD join points,
Internal Users, and the Guest ID store, in that sequence).
1.3. Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols and click Default Network Access to examine the protocols that
are allowed by all three of the default authentication rules.
http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L03.htm 19/09/2017
Note: Process Host Lookup is for MAB, and PAP/ASCII is for VPN, while the various EAP protocols (shown collapsed here) are for 802.1X. You will leave the
defaults for now as they suffice for much of what you will be doing.
1.4. Next, navigate to Policy > Authorization. Take a minute to examine the default ISE authorization policies as well.
Note: There are numerous default authorization policies, too many to drill into in detail here. Over time, Cisco has added more default authorization
policies to provide examples from which to build. Many of these policies are disabled by default and won't have any effect on authorization until enabled.
We will revisit some of these in subsequent labs.
You can plainly see from the layout of these rules that things could become quite cluttered as time goes by. This is especially so in the area of authorization
policy rules. Note also that, because rules are evaluated top-down until one matches, processing latency depends on how these rules are built and ordered. To
streamline processing, you will build a logical layout of policies.
2.1. In ISE, navigate to Administration > System > Settings > Policy Sets.
2.3. Click OK in the message window that appears (enabling policy sets ends your web console session) and log back in to the web console as admin/admin$Pwd.
2.4. Click Policy from the menu at the top of the page. You will also notice that the Authentication and Authorization links are now missing and have been
replaced by Policy Sets (also available via Work Centers > Network Access > Policy Sets).
2.6. Click the Default Policy Set and expand the authorization policies. You will see that all of the current policies are associated with this set.
In this task, you will add Network Access Devices and create policy sets for wired, wireless, and VPN access.
3.1. Navigate to Work Centers > Network Access > Device Groups (or Administration > Network Resources > Network Device Groups).
3.2. In the left pane, expand Groups and select All Device Types.
3.3. In the right pane, click Add and separately create the following network device groups.
Name       Description
Wireless   WLCs
3.6. In the right pane, click Add and separately create the following network device group locations.
Name   Description
HQ     Headquarters
4.1. In ISE, navigate to Work Centers > Network Access > Network Resources > Network Devices (or Administration > Network Resources > Network
Devices).
4.2. Click Add to configure a new network device using the following information.
Attribute   Value
Name        L3-Switch
Location    Test
4.3. Click the Show button to confirm the shared secret and then click Submit.
Note: We'll come back to the TACACS+ and SNMP settings later. The SNMP settings are used by the SNMP Query probe, a collection technique in which ISE polls
the network device when performing Profiling. Also, you set the Location to Test in order to allow for testing out a new feature called EasyConnect. You will
see that Device Groups can play an important role when determining which Policy Set ISE will use for a session.
Using the Import method provided here, you can import Network Devices and their respective credentials simultaneously.
5.1. Click Add to configure a new network device using the following information.
Attribute   Value
Name        WLC
Location    HQ
5.2. Click the Show button to confirm the shared secret and then click Submit.
6.1. Click Add to configure a new network device using the following information.
Attribute   Value
Name        HQ-ASA
Location    HQ
6.2. Click the Show button to confirm the shared secret and then click Submit.
7.2. With Default selected, click the + (plus sign), then Create Above.
7.4. Click Done at the right; your policy set rule should look as follows.
7.6. Create another policy set with the label Wireless below the Wired Policy Set by selecting the Wired Policy set in the left pane, clicking the + (plus
sign), and selecting Create Below.
7.8. Click Done at the right; your policy set rule should look as follows.
8. Now that you have policy sets built, it′s time to add some policy rules.
8.1. Highlight the Wired policy set. This is the destination where the copied policies will be placed.
8.2. Click the Copy Policy Rules icon that the arrow is pointing to in the image below.
8.3. In the window that appears, select the Default policy on the bottom left of the screen. This will expand all of the default policies.
8.4. Click the double-arrow in the center of the screen to copy ALL policies from the Default policy set to the Wired policy set.
Note: Both Authentication and Authorization rules are copied over using this method. Also, nothing is committed until after you save changes. Keep this in
mind when doing this in production.
8.5. Click OK and you will see the Wired policies that were copied.
8.6. Click Done for all of the rules in both the Authentication Policy and Authorization Policy sections of the Wired Policy Set.
8.7. In the Authorization Policy section, delete all rules dealing with Wireless Authorization. This can be done by deleting any rule that begins with
Wireless or Wi-Fi as well as the two rules that begin with Employee.
Note: If you haven′t already, you will need to click Done before you can delete any rules.
8.8. Click Save once completed (now you're committed). The Authorization Policy section should look as follows:
8.9. Now repeat the process for copying policies to the Wireless policy set. This time, copy the policies one at a time. Copy both of the
Authentication policies and then copy only the Authorization policies that start with Wi-Fi, Wireless, or Employee. The end result should look as
follows.
Both the MAB and Dot1X Rules of the Wired and Wireless Policy Sets currently reference Wired as well as Wireless conditions. This is a holdover from the
original Authentication Rules that applied to both types of connections. In this environment, Wired and Wireless sessions will be handled by separate Policy
Sets. To streamline processing, you will remove the unnecessary conditions from each Policy set.
9.1. In the left pane, select Wireless and view the existing Authentication Policy.
9.2. Edit the MAB rule and delete the Wired_MAB condition.
Note: Even after deletion, the rule may still appear to include the deleted condition. This will change after you edit the next rule and save changes.
9.4. Now edit the Dot1X rule and delete the Wired_802.1X condition.
9.5. Don't forget to click Done and then scroll down and click Save.
9.7. In the left pane, select Wired and view the existing Authentication Policy.
9.8. Edit the MAB rule and delete the Wireless_MAB condition.
9.9. Now edit the Dot1X rule and delete the Wireless_802.1X condition.
9.10. Don't forget to click Done and then scroll down and click Save.
10.2. From the tool bar, click the + (plus sign) and select Create Above.
10.4. Don't forget to submit your changes; the VPN policy set should look as follows.
In a subsequent lab, you will be testing out a feature of ISE called EasyConnect. Here you will set up the Policy set to allow ISE to process EasyConnect
sessions from NADs that are Wired AND on the Test network. This is an effective way to test out features in a production ISE environment while limiting the
scope of the test.
11.1. In the left pane, select the Wired Policy Set and click Duplicate Above.
Name          Description          Conditions
EasyConnect   EasyConnect Access   DEVICE:Device Type EQUALS All Device Types#Wired AND DEVICE:Location EQUALS All Locations#Test
11.3. Don't forget to submit your changes; the EasyConnect Policy Set should appear as follows.
Note: Remember that Policy sets are processed in a top-down fashion. First hit determines the Policy Set used for the session.
In this task, you will configure a global exception authorization policy which will apply to all policies (globally) and, as an exception policy, will be processed
before all of the policies. Exception policies are intended to temporarily preempt the behavior of an Authorization Policy.
12.1. In your policy set configuration left pane, select Global Exceptions.
12.3. Create the following rule. For this rule scenario, you are creating an exception for the gklabs.com IT staff who are performing an audit of the network.
Tip: Save the condition to the library to facilitate a more efficient reuse in the future.
Attribute    Value
Rule Name    IT Audit Exception
Conditions   Identity group: Any; Create New Condition (other conditions): GKLABS:ExternalGroups Equals gklabs.com/DomainGroups/IT
12.4. Click Done and verify your policy against the following screenshot.
12.6. In the left pane, select Wired and verify that in the Authorization Policy next to Exceptions there is an indicator of (1), meaning that the Global
Exception is taking effect here.
12.7. If you check, you will find that the Global Exception is in effect on all Policy Sets including the Default Policy Set.
13.1. To test policy, access the console of the L3-Switch. If necessary, use admin/admin$Pwd to log in and enable secret san-fran to access priv exec mode.
13.2. Perform a CLI AAA authentication test (the IOS test aaa command) for user it1 in UPN name format (it1@gklabs.com) and observe the result.
USER ATTRIBUTES
username 0 "it1@gklabs.com"
13.4. Navigate to Operations > RADIUS> Live Logs and find the it1@gklabs.com authentication.
13.6. Observe that the authorization policy is listed under the EasyConnect policy set and is IT Audit Exception, the name you gave the Global Exception rule.
Remember that the L3-Switch is currently placed in the Test location, the one you set up for EasyConnect, so it matched the EasyConnect set before the Wired
set, and the Global Exception was evaluated before that set's own authorization rules. This demonstrates both the logic of Global Exceptions and Policy Set
selection for a given session.
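The evaluation order this lab depends on (first-match Policy Set selection by NAD device group, first-match authentication rule inside the set, and Global Exceptions evaluated ahead of the set's own authorization rules) is small enough to model. The following is an added stand-alone simulation written for this lab, not ISE code and not part of the lab guide. It assumes the Wired and Wireless policy set conditions are DEVICE:Device Type EQUALS All Device Types#Wired / #Wireless (the 7.x steps above do not show them), assumes that a NAD in a child device group also satisfies a condition on its parent group, uses assumed authorization rule names, and models the built-in Wired_/Wireless_ MAB and 802.1X conditions as tests on RADIUS Service-Type and NAS-Port-Type. The sessions are constructed, not captured.

```python
"""Toy model of Cisco ISE policy-set evaluation, added for this lab.

Stand-alone simulation, not ISE code and not part of the lab guide. It
reproduces the three ordered decisions the lab relies on:
  1. Policy Set selection: first set (top-down) whose condition matches;
  2. Authentication: first matching rule inside the selected set;
  3. Authorization: Global Exception rules first, then the set's own rules.
Sessions are plain dicts of RADIUS attributes plus the NAD's device groups.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence, TypeVar

Session = Dict[str, str]
Cond = Callable[[Session], bool]


@dataclass
class Rule:
    name: str
    cond: Cond


@dataclass
class PolicySet:
    name: str
    cond: Cond
    authn: List[Rule] = field(default_factory=list)
    authz: List[Rule] = field(default_factory=list)


T = TypeVar("T", Rule, PolicySet)


def first_match(items: Sequence[T], session: Session) -> Optional[T]:
    """First-match, top-down: the first item whose condition holds wins."""
    return next((i for i in items if i.cond(session)), None)


def device_group(attr: str, path: str) -> Cond:
    """DEVICE:<attr> EQUALS <group path>. Modelling assumption: a NAD in a
    child group (e.g. ...#Wired#Access) also satisfies its parent group."""
    return lambda s: s.get(attr) == path or s.get(attr, "").startswith(path + "#")


def both(a: Cond, b: Cond) -> Cond:
    return lambda s: a(s) and b(s)


def radius(service_type: str, nas_port_type: str) -> Cond:
    """Model of the built-in Wired_/Wireless_ MAB and 802.1X compound
    conditions, which test RADIUS Service-Type and NAS-Port-Type."""
    return lambda s: (s.get("Service-Type") == service_type
                      and s.get("NAS-Port-Type") == nas_port_type)


WIRED_MAB = radius("Call Check", "Ethernet")
WIRED_DOT1X = radius("Framed", "Ethernet")
WIRELESS_MAB = radius("Call Check", "Wireless - IEEE 802.11")
WIRELESS_DOT1X = radius("Framed", "Wireless - IEEE 802.11")
ANY: Cond = lambda s: True

IS_WIRED = device_group("DEVICE:Device Type", "All Device Types#Wired")
IS_WIRELESS = device_group("DEVICE:Device Type", "All Device Types#Wireless")
IS_TEST = device_group("DEVICE:Location", "All Locations#Test")

# The only Global Exception in the lab: its condition is the one from step 12.3.
GLOBAL_EXCEPTIONS = [Rule("IT Audit Exception",
                          lambda s: s.get("GKLABS:ExternalGroups") == "gklabs.com/DomainGroups/IT")]


def build_policy_sets(easyconnect_first: bool = True) -> List[PolicySet]:
    """Build the lab's policy sets in evaluation order. Wired/Wireless set
    conditions and authorization rule names are assumed; EasyConnect's
    condition is the one given in step 11, and it duplicates Wired's rules."""
    wired = PolicySet("Wired", IS_WIRED,
                      authn=[Rule("MAB", WIRED_MAB), Rule("Dot1X", WIRED_DOT1X), Rule("Default", ANY)],
                      authz=[Rule("Wired Dot1X", WIRED_DOT1X), Rule("Default", ANY)])
    easy = PolicySet("EasyConnect", both(IS_WIRED, IS_TEST), wired.authn, wired.authz)
    wireless = PolicySet("Wireless", IS_WIRELESS,
                         authn=[Rule("MAB", WIRELESS_MAB), Rule("Dot1X", WIRELESS_DOT1X), Rule("Default", ANY)],
                         authz=[Rule("Wireless Dot1X", WIRELESS_DOT1X), Rule("Default", ANY)])
    default = PolicySet("Default", ANY,  # catch-all, keeps the original wired-or-wireless rules
                        authn=[Rule("MAB", lambda s: WIRED_MAB(s) or WIRELESS_MAB(s)),
                               Rule("Dot1X", lambda s: WIRED_DOT1X(s) or WIRELESS_DOT1X(s)),
                               Rule("Default", ANY)],
                        authz=[Rule("Default", ANY)])
    ordered = [easy, wired] if easyconnect_first else [wired, easy]
    return ordered + [wireless, default]


def evaluate(session: Session, policy_sets: Sequence[PolicySet],
             global_exceptions: Sequence[Rule] = GLOBAL_EXCEPTIONS) -> Dict[str, str]:
    """Return which policy set, authentication rule and authorization rule
    ISE would apply to the session under first-match evaluation."""
    chosen = first_match(policy_sets, session)
    if chosen is None:
        raise ValueError("no policy set matched; the Default set must be last")
    authn = first_match(chosen.authn, session)
    authz = first_match(global_exceptions, session) or first_match(chosen.authz, session)
    return {"policy_set": chosen.name,
            "authn_rule": authn.name if authn else "none",
            "authz_rule": authz.name if authz else "none"}


# Constructed sessions (not captured from the lab).
L3_SWITCH_IT1 = {  # step 13: 802.1X test from L3-Switch (Wired, Test) as it1@gklabs.com
    "DEVICE:Device Type": "All Device Types#Wired", "DEVICE:Location": "All Locations#Test",
    "Service-Type": "Framed", "NAS-Port-Type": "Ethernet",
    "User-Name": "it1@gklabs.com", "GKLABS:ExternalGroups": "gklabs.com/DomainGroups/IT",
}
WLC_MAB_ENDPOINT = {  # MAB from the WLC at HQ by an endpoint with no AD group
    "DEVICE:Device Type": "All Device Types#Wireless", "DEVICE:Location": "All Locations#HQ",
    "Service-Type": "Call Check", "NAS-Port-Type": "Wireless - IEEE 802.11",
    "User-Name": "00-11-22-33-44-55",
}

if __name__ == "__main__":
    print(evaluate(L3_SWITCH_IT1, build_policy_sets()))
    # Same session with EasyConnect placed below Wired: Wired wins and EasyConnect never hits.
    print(evaluate(L3_SWITCH_IT1, build_policy_sets(easyconnect_first=False)))
    print(evaluate(WLC_MAB_ENDPOINT, build_policy_sets()))
```

The second call shows why step 11 uses Duplicate Above rather than Duplicate Below: with EasyConnect under Wired, a Test-location switch is claimed by the Wired set first and the EasyConnect set is dead code. Removing the exception list (passing an empty sequence) shows the set's own authorization rules taking over, which is what happens after step 14.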
As stated earlier, exception policies are set for temporary purposes. You will delete the policy now so that it will not interfere with subsequent labs.
14.1. In the ISE GUI, navigate to Work Centers > Network Access > Policy Sets.
14.2. Once there, select the Global Exceptions and delete the IT Audit Exception.
Lab Complete