The ultimate goal of an Authentication Policy is to determine whether the identity credential is valid or not. However, success or failure in the Authentication Policy does not necessarily determine whether the user or device is actually permitted access to the network. The authorization rules make that determination.

Goals of Authorization Policies

Authorization Policies have one main goal: to examine conditions in order to send an authorization result to the network access device (NAD). What conditions? Well, what did you have in mind? Common conditions could include internal and external attributes, like Active Directory group membership or internal group membership within ISE. Policies can be built using attributes like location, time, whether a device was registered, whether a mobile device has been jail-broken, nearly any attribute imaginable. Even the authentication is an attribute: was authentication successful, which authentication protocol was used, and what is the content of specific fields of the certificate that was used?

The policy compares these conditions with the explicit goal of providing an authorization result. The result may be a standard RADIUS access-accept or access-reject message, but it can also include more advanced items, like VLAN assignment, downloadable Access-Lists (dACL), Security Group Tag, URL redirection, and more. The result allows or denies access to the network, and when it is allowed, it can include any and all restrictions for limiting network access for the user or endpoint.

Now that you understand the fundamental responsibilities of the Authorization Policy, it will be easier to understand the exercises in this section.

Basic Authorization Policy rules are logically organized in this manner: IF conditions THEN AssignThesePermissions.

To understand Authorization Policies even more, let's examine a few. Just like the Authentication Policy, Authorization Policy rules are processed in a top-down, first-match order. So, if the conditions of a rule do not match, the authentication request is compared to the next rule in the policy. ISE is preconfigured with default rules named Wireless Blacklist Default (for blacklisted devices), Profiled Cisco IP-Phones, and Profiled Non Cisco IP-Phones. Let's examine the Cisco IP-Phone and blacklist rules in order to dig into authorization rules and how they work.

If you have a live ISE system, it may help to follow along with the text. From the ISE GUI, perform the following steps:

You should notice an immediate difference between the Authorization Policy and the Authentication Policy examined earlier in this chapter. The Authorization Policy attempts to display the rule logic in plain English. The bold text designates an identity group, while the standard font is a normal attribute.
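To make the top-down, first-match evaluation and the "IF conditions THEN AssignThesePermissions" structure concrete, here is an added Python model written for this page; it is not ISE's own logic or API. The rule names echo the page's default rules, but their conditions, the result contents, the blackhole URL, the Employee rule and the attribute names are assumptions.

```python
# Constructed model of the top-down, first-match evaluation described above (not ISE code).
# Rule names echo the page's default rules; their conditions and results are assumptions.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Permissions:
    """THEN part of a rule: the RADIUS verdict plus optional restrictions."""
    access: str                         # "ACCESS-ACCEPT" or "ACCESS-REJECT"
    vlan: Optional[str] = None          # VLAN assignment
    dacl: Optional[str] = None          # downloadable ACL name
    sgt: Optional[int] = None           # Security Group Tag
    url_redirect: Optional[str] = None  # URL redirection

@dataclass
class Rule:
    """IF part of a rule: identity group(s) (the bold text) AND normal attribute conditions."""
    name: str
    identity_groups: frozenset   # empty means "any identity group"
    attributes: dict             # every key must equal the request's value
    permissions: Permissions

def matches(rule: Rule, request: dict) -> bool:
    """True when the request satisfies all of the rule's conditions."""
    if rule.identity_groups and not rule.identity_groups & set(request.get("groups", ())):
        return False
    return all(request.get(k) == v for k, v in rule.attributes.items())

def authorize(policy: list, request: dict) -> tuple:
    """Top-down, first-match: the first rule whose conditions hold assigns the permissions."""
    for rule in policy:
        if matches(rule, request):
            return rule.name, rule.permissions
    return "Default", Permissions("ACCESS-REJECT")  # assumed catch-all rule at the bottom

POLICY = [
    Rule("Wireless Blacklist Default", frozenset({"Blacklist"}), {"medium": "wireless"},
         Permissions("ACCESS-ACCEPT", url_redirect="https://ise.example.invalid/blackhole")),
    Rule("Profiled Cisco IP-Phones", frozenset({"Cisco-IP-Phone"}), {},
         Permissions("ACCESS-ACCEPT", vlan="VOICE", dacl="PERMIT_ALL_TRAFFIC")),
    Rule("Employee", frozenset(), {"ad_group": "Domain Users", "auth_protocol": "EAP-TLS"},
         Permissions("ACCESS-ACCEPT", vlan="CORP", sgt=10)),
]

# Constructed requests; the attribute names are this example's own, not ISE dictionary names.
phone = {"groups": ["Cisco-IP-Phone"], "medium": "wired"}
blacklisted_phone = {"groups": ["Cisco-IP-Phone", "Blacklist"], "medium": "wireless"}
employee = {"groups": [], "ad_group": "Domain Users", "auth_protocol": "EAP-TLS"}
peap_user = {"groups": [], "ad_group": "Domain Users", "auth_protocol": "PEAP"}
```

The blacklisted wireless phone is caught by Wireless Blacklist Default before Profiled Cisco IP-Phones is ever evaluated, which is why the order of the rules, not just their conditions, decides the result.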