Skip to content

3.2 ISE Policy Design for SD-Access

3.2.1 Policy Architecture Overview

ISE Policy Framework for SD-Access

┌─────────────────────────────────────────────────────────────────────────────────┐
│                      ISE POLICY ARCHITECTURE FOR SD-ACCESS                       │
├─────────────────────────────────────────────────────────────────────────────────┤
│                                                                                  │
│  ┌─────────────────────────────────────────────────────────────────────────┐    │
│  │                         POLICY SET HIERARCHY                             │    │
│  ├─────────────────────────────────────────────────────────────────────────┤    │
│  │                                                                          │    │
│  │   ┌──────────────────┐    ┌──────────────────┐    ┌──────────────────┐  │    │
│  │   │  SD-ACCESS-WIRED │    │ SD-ACCESS-WLESS  │    │   DEVICE-ADMIN   │  │    │
│  │   │   Policy Set     │    │   Policy Set     │    │   Policy Set     │  │    │
│  │   └────────┬─────────┘    └────────┬─────────┘    └────────┬─────────┘  │    │
│  │            │                       │                       │            │    │
│  │            ▼                       ▼                       ▼            │    │
│  │   ┌──────────────────────────────────────────────────────────────────┐  │    │
│  │   │                   AUTHENTICATION POLICIES                        │  │    │
│  │   │  • EAP-TLS (Certificate)     • Identity Store Selection          │  │    │
│  │   │  • PEAP-MSCHAPv2 (Password)  • Protocol Matching                 │  │    │
│  │   │  • MAB (MAC Address)         • Allowed Protocols                 │  │    │
│  │   └──────────────────────────────────────────────────────────────────┘  │    │
│  │            │                                                            │    │
│  │            ▼                                                            │    │
│  │   ┌──────────────────────────────────────────────────────────────────┐  │    │
│  │   │                   AUTHORIZATION POLICIES                         │  │    │
│  │   │  • Condition Matching        • Authorization Profile Assignment  │  │    │
│  │   │  • AD Group Membership       • SGT Assignment                    │  │    │
│  │   │  • Endpoint Profile          • VN Assignment                     │  │    │
│  │   │  • Posture Status            • DACL Application                  │  │    │
│  │   └──────────────────────────────────────────────────────────────────┘  │    │
│  │            │                                                            │    │
│  │            ▼                                                            │    │
│  │   ┌──────────────────────────────────────────────────────────────────┐  │    │
│  │   │                   AUTHORIZATION RESULTS                          │  │    │
│  │   │  • SGT Value (cts:security-group-tag=xxxx-xx)                   │  │    │
│  │   │  • VN Assignment (cts:vn=VN_NAME)                                │  │    │
│  │   │  • VLAN (tunnel-private-group-id)                               │  │    │
│  │   │  • dACL (filter-id or cisco-av-pair:dacl)                       │  │    │
│  │   └──────────────────────────────────────────────────────────────────┘  │    │
│  │                                                                          │    │
│  └─────────────────────────────────────────────────────────────────────────┘    │
│                                                                                  │
└─────────────────────────────────────────────────────────────────────────────────┘

Policy Evaluation Flow

┌─────────────────────────────────────────────────────────────────────────────────┐
│                         POLICY EVALUATION FLOW                                   │
├─────────────────────────────────────────────────────────────────────────────────┤
│                                                                                  │
│   RADIUS Request                                                                 │
│   from NAD (Fabric Edge)                                                         │
│         │                                                                        │
│         ▼                                                                        │
│   ┌─────────────────┐                                                           │
│   │ Policy Set      │  Match on: Device Type, Location, RADIUS attributes       │
│   │ Selection       │  Example: Device-Type = SD-Access_Fabric                  │
│   └────────┬────────┘                                                           │
│            │                                                                     │
│            ▼                                                                     │
│   ┌─────────────────┐                                                           │
│   │ Authentication  │  Verify: Credentials, Certificates, MAC Address           │
│   │ Policy          │  Result: PASS → Continue | FAIL → Reject                  │
│   └────────┬────────┘                                                           │
│            │                                                                     │
│            ▼                                                                     │
│   ┌─────────────────┐                                                           │
│   │ Authorization   │  Match: AD Groups, Endpoint Profile, Posture, Location    │
│   │ Policy          │  Result: Authorization Profile Assignment                  │
│   └────────┬────────┘                                                           │
│            │                                                                     │
│            ▼                                                                     │
│   ┌─────────────────┐                                                           │
│   │ RADIUS Response │  Contains: SGT, VN, VLAN, dACL, Session Timeout           │
│   │ to NAD          │  cisco-av-pair: cts:security-group-tag=000A-00            │
│   └─────────────────┘                                                           │
│                                                                                  │
└─────────────────────────────────────────────────────────────────────────────────┘

3.2.2 Identity Source Configuration

Active Directory Integration

# Administration > Identity Management > External Identity Sources > Active Directory

AD_Domain_Configuration:
  Join_Point_Name: CORP-AD
  Domain: corp.local
  Domain_Controllers:
    Primary:
      Hostname: dc01.corp.local
      IP: 10.252.1.50
    Secondary:
      Hostname: dc02.corp.local
      IP: 10.252.1.51

  Service_Account:
    Username: svc-ise-ad@corp.local
    Password: <encrypted>
    Permissions: Domain Users (minimum)

  Advanced_Settings:
    Schema: Active Directory
    Enable_Rewrites: No
    Enable_Dial-in_Check: No
    Enable_Callback_Check: No
    Enable_Machine_Authentication: Yes
    Enable_Machine_Access_Restriction: Yes
    Aging_Time: 5 days

  Attribute_Mapping:
    - AD Attribute: memberOf
      ISE Attribute: ExternalGroups
    - AD Attribute: department
      ISE Attribute: department
    - AD Attribute: title
      ISE Attribute: title
    - AD Attribute: employeeType
      ISE Attribute: employeeType

AD Groups to Import

# Administration > Identity Management > External Identity Sources > AD > Groups

Imported_AD_Groups:

  # User Groups
  - CN=Domain Users,CN=Users,DC=corp,DC=local
  - CN=Domain Admins,CN=Users,DC=corp,DC=local
  - CN=Executives,OU=Security Groups,DC=corp,DC=local
  - CN=HR-Staff,OU=Security Groups,DC=corp,DC=local
  - CN=Finance-Staff,OU=Security Groups,DC=corp,DC=local
  - CN=IT-Admins,OU=Security Groups,DC=corp,DC=local
  - CN=IT-HelpDesk,OU=Security Groups,DC=corp,DC=local
  - CN=Contractors,OU=Security Groups,DC=corp,DC=local
  - CN=Vendors,OU=Security Groups,DC=corp,DC=local

  # Computer Groups
  - CN=Domain Computers,CN=Computers,DC=corp,DC=local
  - CN=Workstations,OU=Computer Groups,DC=corp,DC=local
  - CN=Servers,OU=Computer Groups,DC=corp,DC=local
  - CN=VoIP-Phones,OU=Computer Groups,DC=corp,DC=local

Identity Source Sequences

# Administration > Identity Management > Identity Source Sequences

Identity_Sequences:

  # Primary sequence for corporate users
  Corporate_Authentication_Sequence:
    Name: Corp-Auth-Sequence
    Description: Primary authentication for corporate users
    Certificate_Authentication_Profile: Corp-Certificate-Profile
    Identity_Sources:
      1: CORP-AD (Active Directory)
      2: Internal Users
    Authentication_Search_List:
      - Search: CORP-AD
        If_User_Not_Found: Continue
      - Search: Internal Users
        If_User_Not_Found: Drop
    Advanced:
      Treat_As_If_User_Not_Found: Continue to next store

  # Sequence for guest users
  Guest_Authentication_Sequence:
    Name: Guest-Auth-Sequence
    Description: Authentication for guest users
    Identity_Sources:
      1: Guest Users
      2: Sponsor Portal Users
    Authentication_Search_List:
      - Search: Guest Users
        If_User_Not_Found: Continue
      - Search: Sponsor Portal Users
        If_User_Not_Found: Drop

  # Sequence for endpoints (MAB)
  Endpoint_Authentication_Sequence:
    Name: Endpoint-Auth-Sequence
    Description: MAC Authentication for devices
    Identity_Sources:
      1: Internal Endpoints
      2: Profiled Endpoints
    Settings:
      Process_Host_Lookup: Yes
      MAC_Format: Lowercase with hyphens (aa-bb-cc-dd-ee-ff)

3.2.3 Allowed Protocols Configuration

EAP Protocol Settings

# Policy > Policy Elements > Results > Authentication > Allowed Protocols

Allowed_Protocols_Services:

  # Primary protocol service for SD-Access
  SDA-Allowed-Protocols:
    Name: SDA-Allowed-Protocols
    Description: Allowed protocols for SD-Access fabric authentication

    Process_Host_Lookup: Yes

    # PAP/ASCII
    Allow_PAP_ASCII: Yes

    # EAP-MD5
    Allow_EAP_MD5: No

    # EAP-TLS
    Allow_EAP_TLS: Yes
    EAP_TLS_Settings:
      Allow_EAP_TLS_Session_Resume: Yes
      EAP_TLS_Session_Timeout: 7200 seconds

    # PEAP
    Allow_PEAP: Yes
    PEAP_Settings:
      Allow_PEAP_EAP_MS_CHAPv2: Yes
      Allow_PEAP_EAP_GTC: Yes
      Allow_PEAP_EAP_TLS: Yes
      Require_Cryptobinding: Yes
      PEAP_Session_Timeout: 7200 seconds

    # EAP-FAST
    Allow_EAP_FAST: Yes
    EAP_FAST_Settings:
      Use_PACs: Yes
      Allow_Machine_Authentication: Yes
      Allow_Anonymous_In_Band_PAC: No
      Allow_Authenticated_In_Band_PAC: Yes
      Accept_Client_Certificate: Yes
      EAP_Chaining: Yes

    # EAP-TEAP
    Allow_TEAP: Yes
    TEAP_Settings:
      Allow_Downgrade_To_EAP_FAST: Yes
      Accept_Client_Certificate_During_Tunnel: Yes
      Request_Basic_Password_Auth: Yes
      Enable_EAP_Chaining: Yes

    # Preferred EAP Protocol
    Preferred_EAP_Protocol: EAP-TLS

  # Protocol service for MAB-only ports (IoT/Printers)
  MAB-Only-Protocols:
    Name: MAB-Only-Protocols
    Description: MAC Authentication Bypass only
    Process_Host_Lookup: Yes
    Allow_PAP_ASCII: Yes
    Allow_CHAP: No
    Allow_EAP_MD5: No
    Detect_EAP_Request: No

3.2.4 Network Device Groups

Device Type Hierarchy

# Administration > Network Resources > Network Device Groups

Device_Types:

  All_Device_Types:

    # SD-Access Fabric Devices
    SD-Access_Fabric:
      Description: All SD-Access fabric infrastructure

      Border_Nodes:
        Description: Fabric border nodes
        Devices:
          - MUM-BN-01
          - MUM-BN-02
          - LON-BN-01
          - LON-BN-02
          - NJ-BN-01
          - NJ-BN-02

      Control_Plane_Nodes:
        Description: Fabric control plane nodes
        Devices:
          - MUM-CP-01
          - MUM-CP-02
          - LON-CP-01
          - LON-CP-02
          - NJ-CP-01
          - NJ-CP-02

      Edge_Nodes:
        Description: Fabric edge nodes (access layer)
        Devices:
          - MUM-ED-01 through MUM-ED-48
          - LON-ED-01 through LON-ED-42
          - NJ-ED-01 through NJ-ED-52

      Extended_Nodes:
        Description: Fabric extended nodes
        Devices:
          - MUM-EX-01 through MUM-EX-10

    # Wireless Controllers
    Wireless_Controllers:
      Description: Cisco 9800 Series WLCs
      Devices:
        - WLC-MUM-01
        - WLC-MUM-02
        - WLC-LON-01
        - WLC-LON-02
        - WLC-NJ-01
        - WLC-NJ-02

    # Legacy/Non-Fabric
    Legacy_Devices:
      Description: Non-fabric network devices
      Devices:
        - Legacy switches pending migration

Location Hierarchy

# Administration > Network Resources > Network Device Groups > Location

Locations:

  All_Locations:

    APAC:
      Description: Asia Pacific Region

      India:
        Mumbai:
          PSN_Assignment: ISE-PSN-MUM-1, ISE-PSN-MUM-2
          Timezone: Asia/Kolkata

        Chennai:
          PSN_Assignment: ISE-PSN-CHN-1, ISE-PSN-CHN-2
          Timezone: Asia/Kolkata

        Bangalore:
          PSN_Assignment: ISE-PSN-MUM-1, ISE-PSN-MUM-2
          Timezone: Asia/Kolkata

        Delhi:
          PSN_Assignment: ISE-PSN-MUM-1, ISE-PSN-MUM-2
          Timezone: Asia/Kolkata

    EMEA:
      Description: Europe Middle East Africa

      United_Kingdom:
        London:
          PSN_Assignment: ISE-PSN-LON-1, ISE-PSN-LON-2
          Timezone: Europe/London

      Germany:
        Frankfurt:
          PSN_Assignment: ISE-PSN-FRA-1, ISE-PSN-FRA-2
          Timezone: Europe/Berlin

      France:
        Paris:
          PSN_Assignment: ISE-PSN-LON-1, ISE-PSN-LON-2
          Timezone: Europe/Paris

    Americas:
      Description: North and South America

      United_States:
        New_Jersey:
          PSN_Assignment: ISE-PSN-NJ-1, ISE-PSN-NJ-2
          Timezone: America/New_York

        Dallas:
          PSN_Assignment: ISE-PSN-DAL-1, ISE-PSN-DAL-2
          Timezone: America/Chicago

        Chicago:
          PSN_Assignment: ISE-PSN-NJ-1, ISE-PSN-NJ-2
          Timezone: America/Chicago

3.2.5 Policy Conditions

Compound Conditions

# Policy > Policy Elements > Conditions > Authorization > Compound Conditions

Compound_Conditions:

  # Employee Conditions
  Condition_Employee_Domain_User:
    Name: Employee-Domain-User
    Description: Domain user with valid machine auth
    Condition_Type: Compound
    Logic: AND
    Children:
      - CORP-AD:ExternalGroups CONTAINS Domain Users
      - Network Access:EapChainingResult EQUALS User and machine both succeeded

  Condition_Employee_EAP_TLS:
    Name: Employee-EAP-TLS
    Description: User authenticated via EAP-TLS certificate
    Condition_Type: Compound
    Logic: AND
    Children:
      - CORP-AD:ExternalGroups CONTAINS Domain Users
      - Network Access:EapAuthentication EQUALS EAP-TLS

  # Executive Conditions
  Condition_Executive:
    Name: Executive-User
    Description: Executive group member
    Condition_Type: Compound
    Logic: AND
    Children:
      - CORP-AD:ExternalGroups CONTAINS Executives
      - Network Access:EapChainingResult EQUALS User and machine both succeeded

  # HR Conditions
  Condition_HR_Staff:
    Name: HR-Staff
    Description: HR department users
    Condition_Type: Compound
    Logic: AND
    Children:
      - CORP-AD:ExternalGroups CONTAINS HR-Staff
      - Network Access:EapChainingResult EQUALS User and machine both succeeded

  # Finance Conditions
  Condition_Finance_Staff:
    Name: Finance-Staff
    Description: Finance department users
    Condition_Type: Compound
    Logic: AND
    Children:
      - CORP-AD:ExternalGroups CONTAINS Finance-Staff
      - Network Access:EapChainingResult EQUALS User and machine both succeeded

  # IT Admin Conditions
  Condition_IT_Admin:
    Name: IT-Admin
    Description: IT Administrators
    Condition_Type: Compound
    Logic: AND
    Children:
      - CORP-AD:ExternalGroups CONTAINS IT-Admins
      - Network Access:EapChainingResult EQUALS User and machine both succeeded

  # Contractor Conditions
  Condition_Contractor:
    Name: Contractor-User
    Description: External contractors
    Condition_Type: Compound
    Logic: AND
    Children:
      - CORP-AD:ExternalGroups CONTAINS Contractors
      - Network Access:EapAuthentication EQUALS PEAP

  # Device Conditions
  Condition_Cisco_IP_Phone:
    Name: Cisco-IP-Phone
    Description: Profiled as Cisco IP Phone
    Condition_Type: Compound
    Logic: OR
    Children:
      - Endpoints:BYODRegistration EQUALS Yes AND Endpoints:EndpointPolicy EQUALS Cisco-IP-Phone
      - Endpoints:EndpointPolicy EQUALS Cisco-IP-Phone-7800
      - Endpoints:EndpointPolicy EQUALS Cisco-IP-Phone-8800
      - Endpoints:EndpointPolicy EQUALS Cisco-IP-Phone-9800

  Condition_Printer:
    Name: Network-Printer
    Description: Profiled as network printer
    Condition_Type: Compound
    Logic: OR
    Children:
      - Endpoints:EndpointPolicy EQUALS HP-Printer
      - Endpoints:EndpointPolicy EQUALS Xerox-Printer
      - Endpoints:EndpointPolicy EQUALS Canon-Printer
      - Endpoints:EndpointPolicy CONTAINS Printer

  Condition_IoT_Sensor:
    Name: IoT-Sensor
    Description: IoT sensor devices
    Condition_Type: Compound
    Logic: OR
    Children:
      - Endpoints:EndpointPolicy CONTAINS IoT-Sensor
      - Endpoints:EndpointPolicy EQUALS Building-Sensor
      - Endpoints:EndpointPolicy EQUALS Environmental-Sensor

  Condition_IP_Camera:
    Name: IP-Camera
    Description: IP surveillance cameras
    Condition_Type: Compound
    Logic: OR
    Children:
      - Endpoints:EndpointPolicy EQUALS IP-Camera
      - Endpoints:EndpointPolicy EQUALS Axis-Camera
      - Endpoints:EndpointPolicy EQUALS Cisco-Video-Surveillance

  # Guest Conditions
  Condition_Guest_Sponsored:
    Name: Guest-Sponsored
    Description: Sponsored guest with accepted AUP
    Condition_Type: Compound
    Logic: AND
    Children:
      - IdentityGroup:Name EQUALS Guest_Sponsored
      - GuestUser:AUPAccepted EQUALS Yes

  Condition_Guest_Self_Reg:
    Name: Guest-Self-Registered
    Description: Self-registered guest
    Condition_Type: Compound
    Logic: AND
    Children:
      - IdentityGroup:Name EQUALS Guest_Self_Registered
      - GuestUser:AUPAccepted EQUALS Yes

  # Machine Conditions
  Condition_Domain_Computer:
    Name: Domain-Computer
    Description: Domain-joined workstation (machine auth only)
    Condition_Type: Compound
    Logic: AND
    Children:
      - CORP-AD:ExternalGroups CONTAINS Domain Computers
      - Network Access:EapAuthentication EQUALS EAP-TLS
      - Network Access:EapChainingResult EQUALS No chaining

3.2.6 Downloadable ACLs (DACLs)

DACL Definitions

# Policy > Policy Elements > Results > Authorization > Downloadable ACLs

Downloadable_ACLs:

  # Permit All (for trusted endpoints)
  DACL-PERMIT-ALL:
    Name: DACL-PERMIT-ALL
    Description: Permit all traffic - used with SGT enforcement
    DACL_Content: |
      permit ip any any

  # Deny All (for blocked endpoints)
  DACL-DENY-ALL:
    Name: DACL-DENY-ALL
    Description: Deny all traffic
    DACL_Content: |
      deny ip any any

  # Employee Limited (pre-posture or non-compliant)
  DACL-EMPLOYEE-LIMITED:
    Name: DACL-EMPLOYEE-LIMITED
    Description: Limited access for employees pending posture
    DACL_Content: |
      remark Allow DHCP
      permit udp any eq bootpc any eq bootps
      remark Allow DNS
      permit udp any any eq domain
      remark Allow ICMP
      permit icmp any any
      remark Allow posture remediation
      permit tcp any host 10.252.30.10 eq 8443
      permit tcp any host 10.252.30.20 eq 8443
      remark Allow AD authentication
      permit tcp any host 10.252.1.50 eq 389
      permit tcp any host 10.252.1.50 eq 636
      permit tcp any host 10.252.1.51 eq 389
      permit tcp any host 10.252.1.51 eq 636
      remark Deny all other
      deny ip any any

  # Quarantine (non-compliant or unknown)
  DACL-QUARANTINE:
    Name: DACL-QUARANTINE
    Description: Quarantine for non-compliant endpoints
    DACL_Content: |
      remark Allow DHCP
      permit udp any eq bootpc any eq bootps
      remark Allow DNS for redirection
      permit udp any any eq domain
      remark Allow remediation portal only
      permit tcp any host 10.252.30.10 eq 8443
      permit tcp any host 10.252.30.20 eq 8443
      permit tcp any host 10.252.100.50 eq 80
      permit tcp any host 10.252.100.50 eq 443
      remark Deny all other
      deny ip any any log

  # Guest Internet Only
  DACL-GUEST-INTERNET:
    Name: DACL-GUEST-INTERNET
    Description: Guest access - Internet only via proxy
    DACL_Content: |
      remark Allow DHCP
      permit udp any eq bootpc any eq bootps
      remark Allow DNS
      permit udp any any eq domain
      remark Allow web proxy
      permit tcp any host 10.252.100.100 eq 8080
      permit tcp any host 10.252.100.100 eq 443
      remark Block RFC1918
      deny ip any 10.0.0.0 0.255.255.255
      deny ip any 172.16.0.0 0.15.255.255
      deny ip any 192.168.0.0 0.0.255.255
      remark Allow Internet
      permit ip any any

  # Voice VLAN Access
  DACL-VOICE:
    Name: DACL-VOICE
    Description: Voice endpoints - SIP/RTP traffic
    DACL_Content: |
      remark Allow DHCP
      permit udp any eq bootpc any eq bootps
      remark Allow DNS
      permit udp any any eq domain
      remark Allow TFTP for phone config
      permit udp any host 10.252.60.10 eq tftp
      remark Allow SIP signaling
      permit udp any any eq 5060
      permit tcp any any eq 5060
      permit tcp any any eq 5061
      remark Allow RTP media
      permit udp any any range 16384 32767
      remark Allow CUCM
      permit tcp any host 10.252.60.10 eq 2000
      permit tcp any host 10.252.60.11 eq 2000
      remark Deny all other
      deny ip any any

  # Printer Access
  DACL-PRINTER:
    Name: DACL-PRINTER
    Description: Network printer access
    DACL_Content: |
      remark Allow DHCP
      permit udp any eq bootpc any eq bootps
      remark Allow DNS
      permit udp any any eq domain
      remark Allow print protocols
      permit tcp any any eq 9100
      permit tcp any any eq 515
      permit tcp any any eq 631
      remark Allow SNMP for monitoring
      permit udp any any eq snmp
      permit udp any any eq snmptrap
      remark Allow HTTP/HTTPS for management
      permit tcp any any eq 80
      permit tcp any any eq 443
      remark Deny all other
      deny ip any any

  # IoT Sensor Access
  DACL-IOT-SENSOR:
    Name: DACL-IOT-SENSOR
    Description: IoT sensor restricted access
    DACL_Content: |
      remark Allow DHCP
      permit udp any eq bootpc any eq bootps
      remark Allow DNS
      permit udp any any eq domain
      remark Allow NTP
      permit udp any any eq ntp
      remark Allow MQTT to IoT platform
      permit tcp any host 10.252.80.10 eq 1883
      permit tcp any host 10.252.80.10 eq 8883
      remark Allow CoAP
      permit udp any host 10.252.80.10 eq 5683
      remark Allow HTTPS to cloud
      permit tcp any any eq 443
      remark Deny all other
      deny ip any any

  # Camera Access
  DACL-CAMERA:
    Name: DACL-CAMERA
    Description: IP camera access
    DACL_Content: |
      remark Allow DHCP
      permit udp any eq bootpc any eq bootps
      remark Allow DNS
      permit udp any any eq domain
      remark Allow NTP
      permit udp any any eq ntp
      remark Allow RTSP streaming
      permit tcp any host 10.252.70.10 eq 554
      permit udp any host 10.252.70.10 range 6970 6999
      remark Allow VMS access
      permit tcp any host 10.252.70.10 eq 80
      permit tcp any host 10.252.70.10 eq 443
      remark Deny all other
      deny ip any any

  # Pre-Auth ACL (used during 802.1X)
  DACL-PRE-AUTH:
    Name: DACL-PRE-AUTH
    Description: Pre-authentication minimal access
    DACL_Content: |
      remark Allow DHCP
      permit udp any eq bootpc any eq bootps
      remark Allow DNS
      permit udp any any eq domain
      remark Allow TFTP for phones
      permit udp any any eq tftp
      remark Deny all other
      deny ip any any

3.2.7 Authorization Profiles

Complete Authorization Profile Definitions

# Policy > Policy Elements > Results > Authorization > Authorization Profiles

Authorization_Profiles:

  #############################################################################
  # CORPORATE USER PROFILES
  #############################################################################

  # Employees - Full Access
  AuthZ-Employee-Full:
    Name: AuthZ-Employee-Full
    Description: Full access for compliant employees
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-PERMIT-ALL
      VLAN: 
        Tag_ID: 0
        Tunnel_Private_Group_ID: (Dynamic from Fabric)

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=000A-00
        - cisco-av-pair = cts:sgt-name=Employees
        - cisco-av-pair = cts:vn=VN_CORPORATE
      IETF:
        - Session-Timeout = 28800
        - Termination-Action = RADIUS-Request

  # Employees - Limited (Pre-Posture)
  AuthZ-Employee-Limited:
    Name: AuthZ-Employee-Limited
    Description: Limited access pending posture assessment
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-EMPLOYEE-LIMITED
      Web_Redirection:
        Type: Client Provisioning (Posture)
        ACL: ACL-POSTURE-REDIRECT
        Value: Client Provisioning Portal

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=03E7-00
        - cisco-av-pair = cts:sgt-name=Quarantine
        - cisco-av-pair = cts:vn=VN_CORPORATE
        - cisco-av-pair = url-redirect-acl=ACL-POSTURE-REDIRECT
        - cisco-av-pair = url-redirect=https://ise.corp.local:8443/portal/gateway?sessionId=SessionIdValue&portal=client-provisioning
      IETF:
        - Session-Timeout = 3600
        - Termination-Action = RADIUS-Request

  # Executives - Full Access
  AuthZ-Executive-Full:
    Name: AuthZ-Executive-Full
    Description: Full access for executives
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-PERMIT-ALL

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=000B-00
        - cisco-av-pair = cts:sgt-name=Executives
        - cisco-av-pair = cts:vn=VN_CORPORATE
      IETF:
        - Session-Timeout = 28800
        - Termination-Action = RADIUS-Request

  # HR Staff
  AuthZ-HR-Staff:
    Name: AuthZ-HR-Staff
    Description: Access for HR department
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-PERMIT-ALL

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=000C-00
        - cisco-av-pair = cts:sgt-name=HR
        - cisco-av-pair = cts:vn=VN_CORPORATE
      IETF:
        - Session-Timeout = 28800
        - Termination-Action = RADIUS-Request

  # Finance Staff
  AuthZ-Finance-Staff:
    Name: AuthZ-Finance-Staff
    Description: Access for Finance department
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-PERMIT-ALL

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=000D-00
        - cisco-av-pair = cts:sgt-name=Finance
        - cisco-av-pair = cts:vn=VN_CORPORATE
      IETF:
        - Session-Timeout = 28800
        - Termination-Action = RADIUS-Request

  # IT Administrators
  AuthZ-IT-Admin:
    Name: AuthZ-IT-Admin
    Description: Full access for IT administrators
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-PERMIT-ALL

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=000E-00
        - cisco-av-pair = cts:sgt-name=IT-Admins
        - cisco-av-pair = cts:vn=VN_CORPORATE
      IETF:
        - Session-Timeout = 28800
        - Termination-Action = RADIUS-Request

  # Contractors
  AuthZ-Contractor:
    Name: AuthZ-Contractor
    Description: Limited access for contractors
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-PERMIT-ALL

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=000F-00
        - cisco-av-pair = cts:sgt-name=Contractors
        - cisco-av-pair = cts:vn=VN_CORPORATE
      IETF:
        - Session-Timeout = 28800
        - Termination-Action = RADIUS-Request

  #############################################################################
  # DEVICE PROFILES
  #############################################################################

  # Voice / IP Phones
  AuthZ-Voice:
    Name: AuthZ-Voice
    Description: Cisco IP Phone access
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-VOICE
      Voice_Domain_Permission: Enabled

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=0014-00
        - cisco-av-pair = cts:sgt-name=Voice
        - cisco-av-pair = cts:vn=VN_VOICE
        - cisco-av-pair = device-traffic-class=voice
      IETF:
        - Session-Timeout = 86400
        - Termination-Action = RADIUS-Request

  # Video Endpoints
  AuthZ-Video:
    Name: AuthZ-Video
    Description: Video conferencing endpoints
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-PERMIT-ALL

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=0015-00
        - cisco-av-pair = cts:sgt-name=Video
        - cisco-av-pair = cts:vn=VN_VOICE
      IETF:
        - Session-Timeout = 86400
        - Termination-Action = RADIUS-Request

  # Printers
  AuthZ-Printer:
    Name: AuthZ-Printer
    Description: Network printer access
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-PRINTER

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=001E-00
        - cisco-av-pair = cts:sgt-name=Printers
        - cisco-av-pair = cts:vn=VN_CORPORATE
      IETF:
        - Session-Timeout = 86400
        - Termination-Action = RADIUS-Request

  # Scanners/MFPs
  AuthZ-Scanner:
    Name: AuthZ-Scanner
    Description: Network scanner/MFP access
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-PRINTER

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=001F-00
        - cisco-av-pair = cts:sgt-name=Scanners
        - cisco-av-pair = cts:vn=VN_CORPORATE
      IETF:
        - Session-Timeout = 86400
        - Termination-Action = RADIUS-Request

  #############################################################################
  # GUEST PROFILES
  #############################################################################

  # Sponsored Guest
  AuthZ-Guest-Sponsored:
    Name: AuthZ-Guest-Sponsored
    Description: Sponsored guest access
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-GUEST-INTERNET

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=0028-00
        - cisco-av-pair = cts:sgt-name=Guests
        - cisco-av-pair = cts:vn=VN_GUEST
      IETF:
        - Session-Timeout = 28800
        - Termination-Action = RADIUS-Request

  # Premium Guest
  AuthZ-Guest-Premium:
    Name: AuthZ-Guest-Premium
    Description: Premium guest with extended access
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-PERMIT-ALL

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=0029-00
        - cisco-av-pair = cts:sgt-name=Guest-Premium
        - cisco-av-pair = cts:vn=VN_GUEST
      IETF:
        - Session-Timeout = 86400
        - Termination-Action = RADIUS-Request

  #############################################################################
  # IOT PROFILES
  #############################################################################

  # IoT Sensors
  AuthZ-IoT-Sensor:
    Name: AuthZ-IoT-Sensor
    Description: Building/environmental sensors
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-IOT-SENSOR

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=0032-00
        - cisco-av-pair = cts:sgt-name=IoT-Sensors
        - cisco-av-pair = cts:vn=VN_IOT
      IETF:
        - Session-Timeout = 86400
        - Termination-Action = RADIUS-Request

  # HVAC Controllers
  AuthZ-IoT-HVAC:
    Name: AuthZ-IoT-HVAC
    Description: HVAC controller access
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-IOT-SENSOR

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=0033-00
        - cisco-av-pair = cts:sgt-name=IoT-HVAC
        - cisco-av-pair = cts:vn=VN_IOT
      IETF:
        - Session-Timeout = 86400
        - Termination-Action = RADIUS-Request

  # Lighting Systems
  AuthZ-IoT-Lighting:
    Name: AuthZ-IoT-Lighting
    Description: Smart lighting systems
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-IOT-SENSOR

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=0034-00
        - cisco-av-pair = cts:sgt-name=IoT-Lighting
        - cisco-av-pair = cts:vn=VN_IOT
      IETF:
        - Session-Timeout = 86400
        - Termination-Action = RADIUS-Request

  # OT Devices
  AuthZ-OT-Device:
    Name: AuthZ-OT-Device
    Description: Operational technology devices
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-IOT-SENSOR

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=003C-00
        - cisco-av-pair = cts:sgt-name=OT-Devices
        - cisco-av-pair = cts:vn=VN_IOT
      IETF:
        - Session-Timeout = 86400
        - Termination-Action = RADIUS-Request

  # IP Cameras
  AuthZ-Camera:
    Name: AuthZ-Camera
    Description: IP surveillance cameras
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-CAMERA

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=0046-00
        - cisco-av-pair = cts:sgt-name=Cameras
        - cisco-av-pair = cts:vn=VN_IOT
      IETF:
        - Session-Timeout = 86400
        - Termination-Action = RADIUS-Request

  # Badge Readers
  AuthZ-Badge-Reader:
    Name: AuthZ-Badge-Reader
    Description: Physical access control readers
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-IOT-SENSOR

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=0047-00
        - cisco-av-pair = cts:sgt-name=Badge-Readers
        - cisco-av-pair = cts:vn=VN_IOT
      IETF:
        - Session-Timeout = 86400
        - Termination-Action = RADIUS-Request

  #############################################################################
  # SPECIAL PROFILES
  #############################################################################

  # Quarantine
  AuthZ-Quarantine:
    Name: AuthZ-Quarantine
    Description: Quarantine for non-compliant or unknown devices
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-QUARANTINE
      Web_Redirection:
        Type: Client Provisioning (Posture)
        ACL: ACL-POSTURE-REDIRECT
        Value: Remediation Portal

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=03E7-00
        - cisco-av-pair = cts:sgt-name=Quarantine
        - cisco-av-pair = cts:vn=VN_CORPORATE
      IETF:
        - Session-Timeout = 600
        - Termination-Action = RADIUS-Request

  # Unknown Device
  AuthZ-Unknown:
    Name: AuthZ-Unknown
    Description: Unknown device profile
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-QUARANTINE

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=03E6-00
        - cisco-av-pair = cts:sgt-name=Unknown
        - cisco-av-pair = cts:vn=VN_CORPORATE
      IETF:
        - Session-Timeout = 600
        - Termination-Action = RADIUS-Request

  # Domain Computer (Machine Auth Only)
  AuthZ-Domain-Computer:
    Name: AuthZ-Domain-Computer
    Description: Domain computer without user logged in
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-EMPLOYEE-LIMITED

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=000A-00
        - cisco-av-pair = cts:sgt-name=Employees
        - cisco-av-pair = cts:vn=VN_CORPORATE
      IETF:
        - Session-Timeout = 28800
        - Termination-Action = RADIUS-Request

  # Wireless Guest Web Auth Redirect
  AuthZ-Guest-WebAuth:
    Name: AuthZ-Guest-WebAuth
    Description: Guest redirect for web authentication
    Access_Type: ACCESS_ACCEPT

    Common_Tasks:
      DACL_Name: DACL-PRE-AUTH
      Web_Redirection:
        Type: Centralized Web Auth
        ACL: ACL-WEBAUTH-REDIRECT
        Value: Guest Portal

    Advanced_Attributes_Settings:
      Cisco:
        - cisco-av-pair = cts:security-group-tag=0028-00
        - cisco-av-pair = cts:sgt-name=Guests
        - cisco-av-pair = cts:vn=VN_GUEST
        - cisco-av-pair = url-redirect-acl=ACL-WEBAUTH-REDIRECT
        - cisco-av-pair = url-redirect=https://ise.corp.local:8443/portal/gateway?sessionId=SessionIdValue&portal=guest-portal
      IETF:
        - Session-Timeout = 600
        - Termination-Action = RADIUS-Request

3.2.8 Policy Sets - Wired SD-Access

Complete Wired Policy Set

# Policy > Policy Sets

Policy_Set_Wired_SD_Access:

  Name: SD-ACCESS-WIRED
  Description: Policy set for SD-Access wired fabric authentication
  Status: Enabled
  Rank: 1

  # Policy Set Condition
  Condition:
    - DEVICE:Device Type EQUALS SD-Access_Fabric#Edge_Nodes
    OR
    - DEVICE:Device Type EQUALS SD-Access_Fabric#Extended_Nodes
    OR
    - Radius:Service-Type EQUALS Call-Check
    OR
    - Radius:Service-Type EQUALS Framed

  # Allowed Protocols
  Allowed_Protocols: SDA-Allowed-Protocols

  #############################################################################
  # AUTHENTICATION POLICY
  #############################################################################

  Authentication_Policy:

    # Rule 1: EAP-TLS Certificate Authentication
    Rule_DOT1X_EAP_TLS:
      Name: DOT1X-EAP-TLS
      Condition: Network Access:EapAuthentication EQUALS EAP-TLS
      Identity_Store: Corp-Auth-Sequence
      If_User_Not_Found: REJECT
      If_Process_Fail: DROP

    # Rule 2: PEAP-MSCHAPv2 Password Authentication  
    Rule_DOT1X_PEAP:
      Name: DOT1X-PEAP
      Condition: Network Access:EapAuthentication EQUALS PEAP(EAP-MSCHAPv2)
      Identity_Store: Corp-Auth-Sequence
      If_User_Not_Found: REJECT
      If_Process_Fail: DROP

    # Rule 3: MAB for Profiled Devices
    Rule_MAB_Profiled:
      Name: MAB-Profiled
      Condition: 
        - Radius:Service-Type EQUALS Call-Check
        AND
        - Endpoints:BYODRegistration EQUALS Yes OR Endpoints:EndpointPolicy EXISTS
      Identity_Store: Endpoint-Auth-Sequence
      If_User_Not_Found: CONTINUE
      If_Process_Fail: DROP

    # Rule 4: MAB for Unknown Devices
    Rule_MAB_Unknown:
      Name: MAB-Unknown
      Condition: Radius:Service-Type EQUALS Call-Check
      Identity_Store: Internal Endpoints
      If_User_Not_Found: CONTINUE
      If_Process_Fail: DROP

    # Rule 5: Default
    Rule_Default:
      Name: Default
      Condition: (Default - matches all)
      Identity_Store: DenyAccess
      If_User_Not_Found: REJECT
      If_Process_Fail: DROP

  #############################################################################
  # AUTHORIZATION POLICY
  #############################################################################

  Authorization_Policy:

    # =========================================================================
    # EXCEPTION RULES (Highest Priority)
    # =========================================================================

    # Blacklist - Deny
    Rule_Blacklist:
      Name: Blacklisted-Endpoint
      Condition: Endpoints:BlackList EQUALS True
      Result: DenyAccess
      SGT: N/A

    # Lost or Stolen Device
    Rule_Lost_Stolen:
      Name: Lost-Stolen-Device
      Condition: Endpoints:LostOrStolen EQUALS True
      Result: DenyAccess
      SGT: N/A

    # =========================================================================
    # POSTURE NON-COMPLIANT RULES
    # =========================================================================

    Rule_Posture_NonCompliant:
      Name: Posture-Non-Compliant
      Condition:
        - Session:PostureStatus EQUALS NonCompliant
      Result: AuthZ-Quarantine
      SGT: Quarantine (999)

    Rule_Posture_Unknown:
      Name: Posture-Unknown
      Condition:
        - Session:PostureStatus EQUALS Unknown
        AND
        - Network Access:EapAuthentication EQUALS EAP-TLS OR Network Access:EapAuthentication EQUALS PEAP
      Result: AuthZ-Employee-Limited
      SGT: Quarantine (999)

    # =========================================================================
    # USER AUTHORIZATION RULES
    # =========================================================================

    # IT Administrators - Highest User Priority
    Rule_IT_Admin:
      Name: IT-Admin-Full-Access
      Condition:
        - CORP-AD:ExternalGroups CONTAINS IT-Admins
        AND
        - Network Access:EapChainingResult EQUALS User and machine both succeeded
        AND
        - Session:PostureStatus EQUALS Compliant
      Result: AuthZ-IT-Admin
      SGT: IT-Admins (14)

    # Executives
    Rule_Executive:
      Name: Executive-Full-Access
      Condition:
        - CORP-AD:ExternalGroups CONTAINS Executives
        AND
        - Network Access:EapChainingResult EQUALS User and machine both succeeded
        AND
        - Session:PostureStatus EQUALS Compliant
      Result: AuthZ-Executive-Full
      SGT: Executives (11)

    # HR Staff
    Rule_HR:
      Name: HR-Staff-Access
      Condition:
        - CORP-AD:ExternalGroups CONTAINS HR-Staff
        AND
        - Network Access:EapChainingResult EQUALS User and machine both succeeded
        AND
        - Session:PostureStatus EQUALS Compliant
      Result: AuthZ-HR-Staff
      SGT: HR (12)

    # Finance Staff
    Rule_Finance:
      Name: Finance-Staff-Access
      Condition:
        - CORP-AD:ExternalGroups CONTAINS Finance-Staff
        AND
        - Network Access:EapChainingResult EQUALS User and machine both succeeded
        AND
        - Session:PostureStatus EQUALS Compliant
      Result: AuthZ-Finance-Staff
      SGT: Finance (13)

    # Contractors
    Rule_Contractor:
      Name: Contractor-Access
      Condition:
        - CORP-AD:ExternalGroups CONTAINS Contractors
        AND
        - Network Access:EapAuthentication EQUALS PEAP
      Result: AuthZ-Contractor
      SGT: Contractors (15)

    # Standard Employees - EAP Chaining Success
    Rule_Employee_Full:
      Name: Employee-Full-Access
      Condition:
        - CORP-AD:ExternalGroups CONTAINS Domain Users
        AND
        - Network Access:EapChainingResult EQUALS User and machine both succeeded
        AND
        - Session:PostureStatus EQUALS Compliant
      Result: AuthZ-Employee-Full
      SGT: Employees (10)

    # Employees - User Auth Only (No Machine)
    Rule_Employee_User_Only:
      Name: Employee-User-Only
      Condition:
        - CORP-AD:ExternalGroups CONTAINS Domain Users
        AND
        - Network Access:EapChainingResult EQUALS User succeeded
      Result: AuthZ-Employee-Full
      SGT: Employees (10)

    # Domain Computer - Machine Only (No User Logged In)
    Rule_Domain_Computer:
      Name: Domain-Computer-Only
      Condition:
        - CORP-AD:ExternalGroups CONTAINS Domain Computers
        AND
        - Network Access:EapChainingResult EQUALS Machine succeeded
      Result: AuthZ-Domain-Computer
      SGT: Employees (10)

    # =========================================================================
    # DEVICE AUTHORIZATION RULES (MAB)
    # =========================================================================

    # Cisco IP Phones
    Rule_IP_Phone:
      Name: Cisco-IP-Phone
      Condition:
        - Endpoints:EndpointPolicy EQUALS Cisco-IP-Phone
        OR
        - Endpoints:EndpointPolicy EQUALS Cisco-IP-Phone-7800
        OR
        - Endpoints:EndpointPolicy EQUALS Cisco-IP-Phone-8800
      Result: AuthZ-Voice
      SGT: Voice (20)

    # Video Endpoints
    Rule_Video_Endpoint:
      Name: Video-Endpoint
      Condition:
        - Endpoints:EndpointPolicy EQUALS Cisco-Telepresence
        OR
        - Endpoints:EndpointPolicy EQUALS Cisco-Webex-Device
      Result: AuthZ-Video
      SGT: Video (21)

    # Network Printers
    Rule_Printer:
      Name: Network-Printer
      Condition:
        - Endpoints:EndpointPolicy CONTAINS Printer
        OR
        - Endpoints:EndpointPolicy EQUALS HP-Printer
        OR
        - Endpoints:EndpointPolicy EQUALS Xerox-Printer
      Result: AuthZ-Printer
      SGT: Printers (30)

    # Scanners/MFPs
    Rule_Scanner:
      Name: Scanner-MFP
      Condition:
        - Endpoints:EndpointPolicy CONTAINS Scanner
        OR
        - Endpoints:EndpointPolicy CONTAINS MFP
      Result: AuthZ-Scanner
      SGT: Scanners (31)

    # IoT Sensors
    Rule_IoT_Sensor:
      Name: IoT-Sensor
      Condition:
        - Endpoints:EndpointPolicy CONTAINS IoT-Sensor
        OR
        - Endpoints:EndpointPolicy CONTAINS Building-Sensor
      Result: AuthZ-IoT-Sensor
      SGT: IoT-Sensors (50)

    # HVAC Controllers
    Rule_HVAC:
      Name: HVAC-Controller
      Condition:
        - Endpoints:EndpointPolicy CONTAINS HVAC
        OR
        - Endpoints:EndpointPolicy CONTAINS BACnet
      Result: AuthZ-IoT-HVAC
      SGT: IoT-HVAC (51)

    # Lighting Systems
    Rule_Lighting:
      Name: Lighting-System
      Condition:
        - Endpoints:EndpointPolicy CONTAINS Lighting
        OR
        - Endpoints:EndpointPolicy CONTAINS Lutron
      Result: AuthZ-IoT-Lighting
      SGT: IoT-Lighting (52)

    # OT Devices
    Rule_OT:
      Name: OT-Device
      Condition:
        - Endpoints:EndpointPolicy CONTAINS OT-Device
        OR
        - Endpoints:EndpointPolicy CONTAINS SCADA
        OR
        - Endpoints:EndpointPolicy CONTAINS PLC
      Result: AuthZ-OT-Device
      SGT: OT-Devices (60)

    # IP Cameras
    Rule_Camera:
      Name: IP-Camera
      Condition:
        - Endpoints:EndpointPolicy CONTAINS Camera
        OR
        - Endpoints:EndpointPolicy EQUALS Axis-Camera
        OR
        - Endpoints:EndpointPolicy EQUALS Cisco-Video-Surveillance
      Result: AuthZ-Camera
      SGT: Cameras (70)

    # Badge Readers
    Rule_Badge_Reader:
      Name: Badge-Reader
      Condition:
        - Endpoints:EndpointPolicy CONTAINS Badge-Reader
        OR
        - Endpoints:EndpointPolicy CONTAINS Access-Control
      Result: AuthZ-Badge-Reader
      SGT: Badge-Readers (71)

    # =========================================================================
    # PROFILING IN PROGRESS
    # =========================================================================

    Rule_Profiling_InProgress:
      Name: Profiling-In-Progress
      Condition:
        - Radius:Service-Type EQUALS Call-Check
        AND
        - Endpoints:EndpointPolicy EQUALS Unknown
        AND
        - Endpoints:ProfilerAutoCreate EQUALS True
      Result: AuthZ-Unknown
      SGT: Unknown (998)

    # =========================================================================
    # DEFAULT RULES
    # =========================================================================

    # Unknown MAB Device
    Rule_Unknown_MAB:
      Name: Unknown-MAB-Device
      Condition:
        - Radius:Service-Type EQUALS Call-Check
      Result: AuthZ-Unknown
      SGT: Unknown (998)

    # Default Deny
    Rule_Default:
      Name: Default-Deny
      Condition: (Default)
      Result: DenyAccess
      SGT: N/A

3.2.9 Policy Sets - Wireless SD-Access

Complete Wireless Policy Set

# Policy > Policy Sets

Policy_Set_Wireless_SD_Access:

  Name: SD-ACCESS-WIRELESS
  Description: Policy set for SD-Access wireless fabric authentication
  Status: Enabled
  Rank: 2

  # Policy Set Condition
  Condition:
    - DEVICE:Device Type EQUALS Wireless_Controllers
    OR
    - Radius:Called-Station-ID CONTAINS Corp-Secure
    OR
    - Radius:Called-Station-ID CONTAINS Corp-Guest
    OR
    - Radius:Called-Station-ID CONTAINS Corp-IoT
    OR
    - Radius:Called-Station-ID CONTAINS Corp-Voice

  # Allowed Protocols
  Allowed_Protocols: SDA-Allowed-Protocols

  #############################################################################
  # AUTHENTICATION POLICY
  #############################################################################

  Authentication_Policy:

    # Rule 1: Corporate SSID - EAP-TLS
    Rule_Corp_EAP_TLS:
      Name: Corp-Secure-EAP-TLS
      Condition:
        - Radius:Called-Station-ID CONTAINS Corp-Secure
        AND
        - Network Access:EapAuthentication EQUALS EAP-TLS
      Identity_Store: Corp-Auth-Sequence
      If_User_Not_Found: REJECT

    # Rule 2: Corporate SSID - PEAP
    Rule_Corp_PEAP:
      Name: Corp-Secure-PEAP
      Condition:
        - Radius:Called-Station-ID CONTAINS Corp-Secure
        AND
        - Network Access:EapAuthentication EQUALS PEAP
      Identity_Store: Corp-Auth-Sequence
      If_User_Not_Found: REJECT

    # Rule 3: Guest SSID - MAB (pre-webauth)
    Rule_Guest_MAB:
      Name: Corp-Guest-MAB
      Condition:
        - Radius:Called-Station-ID CONTAINS Corp-Guest
      Identity_Store: Guest-Auth-Sequence
      If_User_Not_Found: CONTINUE

    # Rule 4: IoT SSID - PSK with MAB
    Rule_IoT_MAB:
      Name: Corp-IoT-MAB
      Condition:
        - Radius:Called-Station-ID CONTAINS Corp-IoT
      Identity_Store: Endpoint-Auth-Sequence
      If_User_Not_Found: CONTINUE

    # Rule 5: Voice SSID
    Rule_Voice:
      Name: Corp-Voice-802.1X
      Condition:
        - Radius:Called-Station-ID CONTAINS Corp-Voice
      Identity_Store: Corp-Auth-Sequence
      If_User_Not_Found: REJECT

    # Rule 6: Default
    Rule_Default:
      Name: Default
      Condition: (Default)
      Identity_Store: DenyAccess

  #############################################################################
  # AUTHORIZATION POLICY
  #############################################################################

  Authorization_Policy:

    # =========================================================================
    # CORPORATE WIRELESS (Corp-Secure SSID)
    # =========================================================================

    # IT Admins - Wireless
    Rule_IT_Admin_Wireless:
      Name: IT-Admin-Wireless
      Condition:
        - Radius:Called-Station-ID CONTAINS Corp-Secure
        AND
        - CORP-AD:ExternalGroups CONTAINS IT-Admins
      Result: AuthZ-IT-Admin
      SGT: IT-Admins (14)

    # Executives - Wireless
    Rule_Executive_Wireless:
      Name: Executive-Wireless
      Condition:
        - Radius:Called-Station-ID CONTAINS Corp-Secure
        AND
        - CORP-AD:ExternalGroups CONTAINS Executives
      Result: AuthZ-Executive-Full
      SGT: Executives (11)

    # HR Staff - Wireless
    Rule_HR_Wireless:
      Name: HR-Staff-Wireless
      Condition:
        - Radius:Called-Station-ID CONTAINS Corp-Secure
        AND
        - CORP-AD:ExternalGroups CONTAINS HR-Staff
      Result: AuthZ-HR-Staff
      SGT: HR (12)

    # Finance Staff - Wireless
    Rule_Finance_Wireless:
      Name: Finance-Staff-Wireless
      Condition:
        - Radius:Called-Station-ID CONTAINS Corp-Secure
        AND
        - CORP-AD:ExternalGroups CONTAINS Finance-Staff
      Result: AuthZ-Finance-Staff
      SGT: Finance (13)

    # Contractors - Wireless
    Rule_Contractor_Wireless:
      Name: Contractor-Wireless
      Condition:
        - Radius:Called-Station-ID CONTAINS Corp-Secure
        AND
        - CORP-AD:ExternalGroups CONTAINS Contractors
      Result: AuthZ-Contractor
      SGT: Contractors (15)

    # Standard Employee - Wireless
    Rule_Employee_Wireless:
      Name: Employee-Wireless
      Condition:
        - Radius:Called-Station-ID CONTAINS Corp-Secure
        AND
        - CORP-AD:ExternalGroups CONTAINS Domain Users
      Result: AuthZ-Employee-Full
      SGT: Employees (10)

    # =========================================================================
    # GUEST WIRELESS (Corp-Guest SSID)
    # =========================================================================

    # Guest - Post Web Auth (Authenticated)
    Rule_Guest_Authenticated:
      Name: Guest-Authenticated
      Condition:
        - Radius:Called-Station-ID CONTAINS Corp-Guest
        AND
        - IdentityGroup:Name EQUALS Guest_Sponsored
        AND
        - GuestUser:AUPAccepted EQUALS Yes
      Result: AuthZ-Guest-Sponsored
      SGT: Guests (40)

    # Guest - Self Registered
    Rule_Guest_Self_Reg:
      Name: Guest-Self-Registered
      Condition:
        - Radius:Called-Station-ID CONTAINS Corp-Guest
        AND
        - IdentityGroup:Name EQUALS Guest_Self_Registered
      Result: AuthZ-Guest-Sponsored
      SGT: Guests (40)

    # Guest - Pre Web Auth (Redirect)
    Rule_Guest_PreAuth:
      Name: Guest-Pre-WebAuth
      Condition:
        - Radius:Called-Station-ID CONTAINS Corp-Guest
      Result: AuthZ-Guest-WebAuth
      SGT: Guests (40)

    # =========================================================================
    # IOT WIRELESS (Corp-IoT SSID)
    # =========================================================================

    # IoT Sensors - Wireless
    Rule_IoT_Sensor_Wireless:
      Name: IoT-Sensor-Wireless
      Condition:
        - Radius:Called-Station-ID CONTAINS Corp-IoT
        AND
        - Endpoints:EndpointPolicy CONTAINS IoT-Sensor
      Result: AuthZ-IoT-Sensor
      SGT: IoT-Sensors (50)

    # Unknown IoT
    Rule_IoT_Unknown:
      Name: IoT-Unknown-Wireless
      Condition:
        - Radius:Called-Station-ID CONTAINS Corp-IoT
      Result: AuthZ-Unknown
      SGT: Unknown (998)

    # =========================================================================
    # VOICE WIRELESS (Corp-Voice SSID)
    # =========================================================================

    # Voice Devices
    Rule_Voice_Wireless:
      Name: Voice-Device-Wireless
      Condition:
        - Radius:Called-Station-ID CONTAINS Corp-Voice
      Result: AuthZ-Voice
      SGT: Voice (20)

    # =========================================================================
    # DEFAULT
    # =========================================================================

    Rule_Default:
      Name: Default-Wireless
      Condition: (Default)
      Result: DenyAccess

3.2.10 SGT Matrix Summary

SGT to Authorization Profile Mapping

SGT Value SGT Name Authorization Profile VN Assignment Use Case
10 (0x000A) Employees AuthZ-Employee-Full VN_CORPORATE Standard employees
11 (0x000B) Executives AuthZ-Executive-Full VN_CORPORATE Executive users
12 (0x000C) HR AuthZ-HR-Staff VN_CORPORATE HR department
13 (0x000D) Finance AuthZ-Finance-Staff VN_CORPORATE Finance department
14 (0x000E) IT-Admins AuthZ-IT-Admin VN_CORPORATE IT administrators
15 (0x000F) Contractors AuthZ-Contractor VN_CORPORATE External contractors
20 (0x0014) Voice AuthZ-Voice VN_VOICE IP phones
21 (0x0015) Video AuthZ-Video VN_VOICE Video endpoints
30 (0x001E) Printers AuthZ-Printer VN_CORPORATE Network printers
31 (0x001F) Scanners AuthZ-Scanner VN_CORPORATE MFPs/Scanners
40 (0x0028) Guests AuthZ-Guest-Sponsored VN_GUEST Guest users
41 (0x0029) Guest-Premium AuthZ-Guest-Premium VN_GUEST Premium guests
50 (0x0032) IoT-Sensors AuthZ-IoT-Sensor VN_IOT Building sensors
51 (0x0033) IoT-HVAC AuthZ-IoT-HVAC VN_IOT HVAC systems
52 (0x0034) IoT-Lighting AuthZ-IoT-Lighting VN_IOT Lighting systems
60 (0x003C) OT-Devices AuthZ-OT-Device VN_IOT OT/SCADA devices
70 (0x0046) Cameras AuthZ-Camera VN_IOT IP cameras
71 (0x0047) Badge-Readers AuthZ-Badge-Reader VN_IOT Access control
80 (0x0050) Servers-Prod (Static mapping) VN_SERVERS Production servers
81 (0x0051) Servers-DB (Static mapping) VN_SERVERS Database servers
82 (0x0052) Servers-Web (Static mapping) VN_SERVERS Web servers
83 (0x0053) Servers-App (Static mapping) VN_SERVERS App servers
90 (0x005A) Servers-Dev (Static mapping) VN_SERVERS Dev servers
91 (0x005B) Servers-Test (Static mapping) VN_SERVERS Test servers
998 (0x03E6) Unknown AuthZ-Unknown VN_CORPORATE Unknown devices
999 (0x03E7) Quarantine AuthZ-Quarantine VN_CORPORATE Non-compliant

3.2.11 CoA (Change of Authorization) Configuration

CoA Profile Settings

# Administration > Network Resources > Network Devices > Default Settings

CoA_Settings:

  CoA_Port: 1700
  CoA_Timeout: 5 seconds
  CoA_Retries: 2

  # CoA Types for SD-Access
  Supported_CoA_Types:
    - Reauthenticate (Session restart)
    - Terminate Session (Port bounce)
    - Port Bounce (Interface shut/no shut)
    - Push ACL (Dynamic ACL update)

  # ISE CoA Triggers
  CoA_Triggers:
    Posture_Assessment_Complete:
      Action: Reauthenticate
      Description: Re-authorize after posture compliance check

    Endpoint_Profile_Change:
      Action: Reauthenticate
      Description: Re-authorize after profiling update

    Identity_Group_Change:
      Action: Reauthenticate
      Description: Re-authorize after group membership change

    Manual_CoA:
      Action: Session Terminate
      Description: Administrator-initiated session termination

    Blacklist_Add:
      Action: Session Terminate
      Description: Immediate disconnect for blacklisted endpoint

3.2.12 Guest Portal Configuration

Self-Registered Guest Portal

# Work Centers > Guest Access > Portals & Components > Guest Portals

Guest_Portal_Self_Registration:

  Name: Corp-Guest-Self-Registration
  Description: Self-registration portal for visitors

  Portal_Settings:
    HTTPS_Port: 8443
    Allowed_Interfaces: All PSN interfaces
    Certificate_Group: Guest-Portal-Cert
    Authentication_Method: As a guest

  Login_Page_Settings:
    Include_AUP: Yes
    AUP_Text: "By using this network, you agree to..."
    Require_Scrolling: Yes
    Require_AUP_Acceptance: Yes

  Self_Registration_Settings:
    Registration_Code: Not required
    Guest_Type: Daily_Guest

    Required_Fields:
      - First Name
      - Last Name
      - Email Address
      - Phone Number
      - Company
      - Reason for Visit

    Optional_Fields:
      - SMS Provider

    Account_Duration:
      Default: 1 day
      Maximum: 5 days

    Sponsor_Notification:
      Notify_Sponsor: Yes
      Sponsor_Email: reception@corp.local

  Post_Login_Banner:
    Include_Banner: Yes
    Banner_Text: "Welcome to Corp Network. Limited internet access provided."

  Guest_Device_Registration:
    Allow_Registration: Yes
    Maximum_Devices: 3
# Work Centers > Guest Access > Portals & Components > Guest Portals

Guest_Portal_Sponsored:

  Name: Corp-Guest-Sponsored
  Description: Sponsor-approved guest access portal

  Portal_Settings:
    HTTPS_Port: 8443
    Authentication_Method: As a guest

  Sponsor_Portal:
    Name: Corp-Sponsor-Portal
    Access_Groups:
      - All_Employees (can sponsor)
      - Reception (can sponsor)

    Sponsor_Permissions:
      Create_Guest_Accounts: Yes
      Suspend_Guest_Accounts: Yes
      Reinstate_Guest_Accounts: Yes
      Extend_Guest_Accounts: Yes
      View_Guest_Passwords: Yes
      Send_Notification: Email, SMS

    Guest_Types_Allowed:
      - Daily Guest (1 day)
      - Weekly Guest (7 days)
      - Contractor Guest (30 days)

3.2.13 Profiler Configuration

Profiling Policies for SD-Access

# Work Centers > Profiler > Profiling Policies

Custom_Profiling_Policies:

  # Cisco IP Phone 8800 Series
  Cisco-IP-Phone-8800:
    Description: Cisco 8800 Series IP Phone
    Minimum_Certainty_Factor: 70

    Rules:
      Rule_1:
        Condition: DHCP:dhcp-class-identifier CONTAINS "Cisco Systems, Inc. IP Phone CP-88"
        Certainty_Factor: 40
      Rule_2:
        Condition: LLDP:lldp-system-description CONTAINS "Cisco IP Phone 88"
        Certainty_Factor: 30
      Rule_3:
        Condition: CDP:cdp-platform-type CONTAINS "Cisco IP Phone 88"
        Certainty_Factor: 30

    Parent_Policy: Cisco-IP-Phone
    Associated_CoA: REAUTH

  # Building Sensors
  Building-Sensor:
    Description: Building automation sensors
    Minimum_Certainty_Factor: 50

    Rules:
      Rule_1:
        Condition: DHCP:dhcp-class-identifier CONTAINS "BACnet"
        Certainty_Factor: 30
      Rule_2:
        Condition: MAC:MACAddress STARTSWITH 00:80:F4
        Certainty_Factor: 20
      Rule_3:
        Condition: NMAP:os-type CONTAINS "embedded"
        Certainty_Factor: 20

    Parent_Policy: IoT-Device
    Associated_CoA: REAUTH

  # IP Cameras - Axis
  Axis-Camera:
    Description: Axis IP surveillance cameras
    Minimum_Certainty_Factor: 60

    Rules:
      Rule_1:
        Condition: MAC:MACAddress STARTSWITH 00:40:8C
        Certainty_Factor: 30
      Rule_2:
        Condition: DHCP:dhcp-class-identifier CONTAINS "AXIS"
        Certainty_Factor: 30
      Rule_3:
        Condition: HTTP:user-agent CONTAINS "AXIS"
        Certainty_Factor: 20

    Parent_Policy: IP-Camera
    Associated_CoA: REAUTH

3.2.14 Policy Validation Checklist

Component Configuration Verified Date
Identity Sources
Active Directory join point
AD groups imported
Identity source sequences
Allowed Protocols
EAP-TLS enabled
PEAP enabled
EAP chaining enabled
Network Device Groups
Device types defined
Locations defined
Devices assigned
Conditions
Compound conditions created
Tested with policy trace
Authorization Profiles
All 25+ profiles created
SGT values correct
VN assignments correct
DACLs attached
Policy Sets
Wired policy set complete
Wireless policy set complete
Rule order verified
Guest Access
Self-registration portal
Sponsor portal
Guest types defined
Profiling
Custom policies created
Probes enabled (DHCP, CDP, LLDP)
Feed service enabled