Lab 3 - Policy Sets, Conditions Studio, and Network Devices

This document outlines a lab focused on Policy Sets, Conditions Studio, and Network Devices within Cisco ISE. It includes detailed procedures for examining the Default Policy Set, working with the Conditions Studio, and creating additional policy sets, with an estimated completion time of 90 minutes. The lab emphasizes the importance of managing authentication and authorization policies effectively using the tools provided in the Conditions Studio.

1/8/23, 1:04 PM https://www.remotelabs.com/ldhtm/Gb/cisco/4879c/4879_03.htm

Lab 3: Policy Sets, Conditions Studio, and Network Devices

Lab Overview
In this lab, you will work with Policy Sets, the Conditions Studio, and Network Devices. Policy sets enable
you to logically group authentication and authorization policies under a single set name. They let you
create policies based on location, access type, or other similar parameters according to your
organizational needs. Policy sets are evaluated top-down, and the first match wins. Use the Conditions
Studio to create, manage, and re-use conditions. A condition can include more than one rule and can be
built at any complexity, from a single level to multiple hierarchical levels. When using the Conditions
Studio to create new conditions, you can use the condition blocks previously stored in the Library, and
you can also update and change those stored condition blocks. When creating and managing conditions
later, you can quickly find the blocks and attributes you need by using the category filters.

Estimated Completion Time

90 minutes

Lab Procedures
Examine the Default Policy Set

Work with the Conditions Studio

Add Network Devices

Create Additional Policy Sets

Perform Only If You Have Done a Reset

If you have not done a reset, go to Task 1.

IMPORTANT

Students attending a live instructor-led training, regardless of whether in-class or virtual, would not have
performed a reset unless directed to by the instructor. So, go directly to Task 1.

https://www.remotelabs.com/ldhtm/Gb/cisco/4879c/4879_03.htm 1/33

If you have performed a reset to this lab or are using the Global Knowledge e-Labs (meaning that you are
accessing the system after you have attended the 5-day course), you will need to prepare or verify the
environment. Perform the following:

Access the module in the lab guide titled Post Reset and follow the directions there.

Task 1: Examine the Default Policy Set

In this task, you will examine the Default Policy Set including the current Authentication and
Authorization policies.

1. View the Default Policy Set Allowed Protocols.

1.1. Launch Google Chrome from the desktop of the Admin-PC.

Note:

All labs have been verified using Google Chrome to manage the ISE GUI.

1.2. Click the shortcut link on the toolbar labeled ISE.

1.3. Log in with username admin and password gklabs.

1.4. In the web console of ISE, navigate to Policy > Policy Sets; it should look as follows.

Note:

The Default Policy Set has no conditions (it is a catch all for sessions from all known network devices)
and allows the use of protocols defined in Default Network Access.

1.5. Navigate to Policy > Policy Elements > Results.

1.6. In the navigator (to the left), expand Authentication > Allowed Protocols.

1.7. Select and edit Default Network Access; it should look as follows (shown with all options
collapsed).

Note:

Process Host Lookup is for MAB, PAP/ASCII is for VPN, and the various EAP protocols (shown collapsed
here) are for 802.1X. You will leave the defaults for now as they suffice for much of what you will be
doing.

2. View the Default Policy Set Authentication Policy.

2.1. Navigate back to Policy > Policy Sets and expand the Default Policy Set.

Note:

By default there are 3 Authentication Rules and 12 Authorization Rules.

2.2. Expand the Authentication Policy; it should look as follows (shown with options expanded):

Status: Allows for Enabling, Disabling, and Monitoring of a rule. (When Monitoring, the rule
will be evaluated, but the result will not be enforced. You can view the results in Live Logs.)

Rule Name: Three rules make up the default Authentication Policy: MAB (wired or wireless),
Dot1X (802.1x) (wired or wireless) and a catch-all Default rule for everything else.

Conditions: Smart Conditions are used here as defined in the Conditions Library. You will use
it soon to create reusable conditions.

Use: The Identity Source or Identity Source Sequence used to authenticate the rule.

Options: Failure Options used for each rule.

REJECT: Sends a RADIUS Access-Reject Message back to the NAD. This is the default
on Authentication failure which happens when credentials are incorrect.

CONTINUE: Allows the session to continue onto Authorization. This is also the
default for User not found (on MAB only) which is used for Centralized Web
Authentication and Guest Access scenarios.

DROP: Sends no message back to the NAD. This is the default on Process fail which
happens when an Identity Source doesn't respond to ISE.

Gear Icon: The Actions here allow for insertion, duplication, and deletion of rules in the
policy.
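The rule columns and failure options just described, as an added Python model that is not part of this lab guide or of ISE itself: it evaluates an authentication policy top-down, queries a stand-in identity source, and maps the store result (auth fail, user not found, process fail) through the rule's REJECT/CONTINUE/DROP options, with a Monitor rule evaluated and logged but not enforced. Assumptions: the MAB and 802.1X checks use the RADIUS Service-Type values Call Check and Framed in place of the library's Wired_MAB/Wired_802.1X smart conditions; the endpoint store, user store and requests are constructed sample data; the identity source names and rule options are the ones this lab configures for the Wired policy set in Task 4.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Callable, Dict, List, Tuple

class Status(Enum):
    ENABLED = "enabled"
    DISABLED = "disabled"
    MONITOR = "monitor"  # evaluated and logged, result not enforced

class StoreResult(Enum):
    SUCCESS = "success"
    AUTH_FAIL = "auth fail"            # credentials incorrect
    USER_NOT_FOUND = "user not found"  # identity absent from the store
    PROCESS_FAIL = "process fail"      # identity source did not respond

class Outcome(Enum):
    ACCESS_REJECT = "RADIUS Access-Reject sent to the NAD"
    CONTINUE = "session continues to Authorization"
    DROP = "no message sent to the NAD"

OPTION_TO_OUTCOME = {"REJECT": Outcome.ACCESS_REJECT, "CONTINUE": Outcome.CONTINUE, "DROP": Outcome.DROP}

@dataclass(frozen=True)
class AuthRule:
    name: str
    condition: Callable[[dict], bool]
    identity_source: str
    if_auth_fail: str = "REJECT"        # ISE defaults, as listed above
    if_user_not_found: str = "REJECT"
    if_process_fail: str = "DROP"
    status: Status = Status.ENABLED

    def outcome_for(self, result: StoreResult) -> Outcome:
        # Map the identity-store result through this rule's failure options.
        if result is StoreResult.SUCCESS:
            return Outcome.CONTINUE
        option = {StoreResult.AUTH_FAIL: self.if_auth_fail,
                  StoreResult.USER_NOT_FOUND: self.if_user_not_found,
                  StoreResult.PROCESS_FAIL: self.if_process_fail}[result]
        return OPTION_TO_OUTCOME[option]

# Constructed sample identity stores (not real data).
INTERNAL_ENDPOINTS = {"00:11:22:33:44:55"}
USER_STORE = {"alice": "correct-horse"}

def lookup(source: str, req: dict) -> StoreResult:
    # Stand-in for querying an identity source; request keys are "Dictionary:Attribute".
    if source == "Internal Endpoints":
        known = req.get("Radius:Calling-Station-ID") in INTERNAL_ENDPOINTS
        return StoreResult.SUCCESS if known else StoreResult.USER_NOT_FOUND
    if source == "All_User_ID_Stores":
        user = req.get("Radius:User-Name")
        if user not in USER_STORE:
            return StoreResult.USER_NOT_FOUND
        ok = USER_STORE[user] == req.get("Radius:User-Password")
        return StoreResult.SUCCESS if ok else StoreResult.AUTH_FAIL
    raise ValueError(f"unknown identity source {source!r}")

# Assumed MAB / 802.1X tests on RADIUS Service-Type (Call Check / Framed).
def is_mab(req: dict) -> bool:
    return req.get("Radius:Service-Type") == "Call Check"

def is_dot1x(req: dict) -> bool:
    return req.get("Radius:Service-Type") == "Framed"

# The Wired policy set's rules from Task 4 (MAB above DOT1X) plus a catch-all Default.
WIRED_AUTH_POLICY = [
    AuthRule("MAB", is_mab, "Internal Endpoints", "REJECT", "CONTINUE", "DROP"),
    AuthRule("DOT1X", is_dot1x, "All_User_ID_Stores", "REJECT", "REJECT", "DROP"),
    AuthRule("Default", lambda _req: True, "All_User_ID_Stores"),
]

def evaluate(rules: List[AuthRule], req: dict, query: Callable[[str, dict], StoreResult],
             log: List[str]) -> Tuple[str, Outcome]:
    # Top-down first match over enabled rules; Monitor rules log and fall through.
    for rule in rules:
        if rule.status is Status.DISABLED or not rule.condition(req):
            continue
        outcome = rule.outcome_for(query(rule.identity_source, req))
        if rule.status is Status.MONITOR:
            log.append(f"{rule.name} (monitor): {outcome.value}")  # what Live Logs would show
            continue
        return rule.name, outcome
    raise LookupError("no enabled rule matched")

# Constructed requests: an unknown MAC doing MAB and an unknown user doing 802.1X.
MAB_UNKNOWN = {"Radius:Service-Type": "Call Check", "Radius:Calling-Station-ID": "aa:bb:cc:dd:ee:ff"}
DOT1X_UNKNOWN = {"Radius:Service-Type": "Framed", "Radius:User-Name": "mallory", "Radius:User-Password": "x"}

def unknown_identity_outcomes() -> Dict[str, Outcome]:
    # Same store result (identity not found), different rule: MAB hands the unknown endpoint on to
    # Authorization (where a guest/CWA rule must deal with it); DOT1X sends an Access-Reject.
    log: List[str] = []
    return {name: evaluate(WIRED_AUTH_POLICY, req, lookup, log)[1]
            for name, req in (("MAB", MAB_UNKNOWN), ("DOT1X", DOT1X_UNKNOWN))}

def monitor_run() -> Tuple[str, Outcome, int]:
    # With the MAB rule set to Monitor, its result is logged and the request falls through to Default.
    monitored = [replace(WIRED_AUTH_POLICY[0], status=Status.MONITOR), *WIRED_AUTH_POLICY[1:]]
    log: List[str] = []
    name, outcome = evaluate(monitored, MAB_UNKNOWN, lookup, log)
    return name, outcome, len(log)
```

Running unknown_identity_outcomes() shows the point the options list makes implicitly: the same "user not found" result continues to Authorization under the MAB rule but produces an Access-Reject under the DOT1X rule, so the authorization policy has to be written with endpoints that arrive unauthenticated via MAB in mind.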

2.3. Click the OR in the MAB rule, which will take you to the Conditions Studio.

Note:

If, following a Reset, the Loading icon pulses endlessly when you open the Conditions Studio, you have to
reset to the next lab; an ISE reload won't do it. This is a known 2.7 bug.

You may see a pop-up that illustrates how to use the Conditions Studio.

Note:

On the left side of the Conditions Studio is a list of conditions from the Library. You can drag conditions
into the Editor (the area on the right), or you can create new conditions in the Editor. Once editing is
done, you can choose Save to add a new condition to the Library, or use the condition without saving it
to the Library. Choosing the option Use applies the current condition to the associated rule.

2.4. If you see the pop-up, click anywhere in the pop-up to continue, and in the editor, note that the
conditions for the rule are displayed.

Note:

All current conditions in the Conditions Library are listed to the left. You can search for a condition by
name or click on the filter icon to filter by condition type.

2.5. In the Search by Name field type wired to see some pre-built conditions; your result should look
as follows:

2.6. Delete the wired entry from the search box and click on the protocol icon. Your results should
look as follows.

2.7. One at a time, click on the other icons to vary the filter of conditions. Clicking on any icon more
than once will toggle its selection.

2.8. In the Editor (to the right), without adding any additional conditions, pull down on the drop-down
next to OR to reveal the additional Boolean option of AND. DO NOT make any changes, leave the
selection at OR.

Note:

The arrows point to the x icons that can be used to delete a condition from the Editor. DO NOT DELETE
any of the conditions.

The option to save is available should you want to add the results to the condition library for later use.
DO NOT save.

2.9. Click Close and then OK to exit the Condition Studio and discard any changes made.

3. View the Default Policy Set Authorization Policy.

3.1. Back at the Policy > Policy Sets > Default window, expand the Authorization Policy. Take a minute
to examine the default ISE authorization rules.

Note:

There are numerous default authorization policies, too many to drill into in detail here. Over time, Cisco
has added more default authorization policies to provide examples from which to build. Many of these
policies are disabled by default and won't have any effect on authorization until enabled. We will revisit
some of these in subsequent labs.

Status: Allows for Enabling, Disabling, and Monitoring of a rule. (When Monitoring, the rule
will be evaluated, but the result will not be enforced. You can view the results in the Live
Logs.)

Rule Name: Be descriptive here to indicate the intent of the rule.

Conditions: Allows for access to the Conditions Studio where ID Groups and Dictionary
Attributes, as well as pre-configured conditions can be specified.

Results: Allows for specifying the Authorization Profiles and/or Security Group assigned to the
rule.

Hits: Indicates how often the rule has been used. Refreshes every 15 minutes and can be
reset and manually refreshed by clicking on the # of hits.

Actions: The Actions here allow for insertion, duplication, and deletion of rules in the policy.

3.2. Examine the conditions of the Wireless Black List Default rule by clicking anywhere in the
conditions of the rule.

3.3. The Conditions Studio opens and the Editor should look as follows:

Note:

Two conditions exist; Wireless_Access AND the Blacklist Endpoint Identity Group.

3.4. Click the Wireless_Access condition. It will expand to reveal the options: Set to 'Is not',
Information, Duplicate, and Edit.

3.5. Mouse over the information icon to reveal the underlying elements of the condition.

Note:

This is a simple condition made up of a single Attribute-Value pair from the Radius Dictionary. The form
shown, Dictionary:Attribute Operator Value, is used for all conditions defined in ISE.

3.6. Click the next Condition for Identity Group. You may see a pop-up with directions on how to use
the interface.

Note:

When working with specific attributes (as is the case here), you need to choose the appropriate
Dictionary, Attribute, and Value to fill in all the elements required.

3.7. If you do see the pop-up, click anywhere in the pop-up to continue.

3.8. Click the IdentityGroup Name field and pull down on All Dictionaries and select IdentityGroup.
There might be a slight delay for the pull down menu to appear.

3.9. Once you have selected the IdentityGroup Dictionary, choose the Name attribute on the resulting
page.

3.10. Click in the Choose from list or type field, then select Blacklist.

3.11. The resulting condition should look as follows.

3.12. Click Close and OK to discard any changes to the authorization rule conditions.

Task 2: Work with the Conditions Studio

In this task, you examine the Condition Studio and add a condition to be used in a later lab.

4. Access the Conditions Studio and view Smart conditions.

4.1. Navigate to Policy > Policy Elements > Conditions.

4.2. In the navigator to the left, click Smart Conditions; it should look as follows.

Note:

Policy conditions are created and maintained in the Conditions Studio Library. Upon initial installation,
Cisco ISE includes predefined smart conditions that you can easily use when configuring your policy sets
and rules, and that are used in the predefined authentication and authorization rules.

4.3. Click Wired_802.1X to reveal the underlying elements of the Smart Condition.

Note:

The smart condition is made up of two Attribute-Value pairs from the Radius dictionary: NAS-Port-Type
= Ethernet (wired) AND Service-Type = Framed (802.1X). The condition matches Wired AND 802.1X.

This smart condition is also applicable to third party vendors: Alcatel, HP, and Brocade.

4.4. Close the smart condition.

5. Create a condition in the Conditions Studio.

5.1. Click Library Conditions in the navigator.

5.2. You will create the following condition, explained in the next few steps:

Field       Value
Dictionary  Airespace
Attribute   Airespace-Wlan-Id
Operator    Equals
Value       1

5.3. In the Editor (to the right), click the field Click to add an attribute. The Select attribute for
condition window should drop down. In All dictionaries, pull down and select Airespace.

5.4. Next, select the attribute Airespace-Wlan-Id (at the bottom of the list).

5.5. With the operator set to Equals, type a value of 1 (the number 1) into the Attribute Value field.
Your condition should look as follows.

5.6. Click Save and fill in as follows.

Save as a new Library Condition: WLAN_ID_1

Description: Employees SSID uses WLAN 1

5.7. Click Save and then click the WiFi icon to filter the conditions in the library. Your output should
look as follows.

6. Create additional Conditions in the Library from the Default Policy Set.

One feature that is still not available in ISE 2.7 is the ability to copy rules from one Policy Set to another.
For now, we will take advantage of the Conditions Library to store the conditions associated with the
default rules so that we can easily reference them later.

6.1. Navigate to Policy > Policy Sets > Default > Authorization Policy.

6.2. Click the Conditions for Wireless Black List Default (the first rule in the policy). You should see the
following:

6.3. Click Save, and select Save as a New Library Condition. Name the Condition Wireless Blacklist,
and then save it.

6.4. In the Library, click the Identity Group icon and then mouse over the information icon. It should
look as follows.

Note:

You have successfully added a new condition to the Library.

6.5. In the Conditions Studio, click Close and OK to discard the change currently queued up in the
Editor.

Note:

Although you created a new condition in the Library, you have not chosen to use it yet. You will use it in
subsequent labs.

6.6. You will now repeat the above process for the following Authorization rules and Conditions. For
each rule name, do as follows:

From the Default Policy Set window, expand Authorization Policy.

One-by-one, click in the Conditions box for a Rule listed in the table below. The condition
studio should open.

Once in Condition Studio, under Editor, click Save to open the Save condition window.

Select Save as a new Library Condition and type in the condition name shown in the table
below for that specific rule. Click Save.

Back in the Condition Studio, click Close and OK to discard the rule change. Don't worry: you are
discarding the rule change (which you haven't really changed), not the condition that you just saved.

6.7. Repeat the process for every rule shown in the table below:

Rule Name                 Condition Name
Profiled Cisco IP Phones  Profiled Cisco IP Phones
Employee_EAP_TLS          Employee EAP TLS
Employee_Onboarding       Employee Onboarding
Wi-Fi_Guest_Access        WiFi Guest

6.8. When you are finished, navigate to Policy > Policy Elements > Conditions and verify that the
Conditions Library shows the following. When using Search by Name, deselect the icons below the
search box.

Note:

You have added five new conditions to the library for later use.

Task 3: Add Network Devices

In this task, you will add Network Access Device Groups and Network Access Devices.

7. Create network access device groups.

7.1. Navigate to Work Centers > Network Access > Network Resources > Device Groups (or
Administration > Network Resources > Network Device Groups).

7.2. Select All Device Types and click Add and separately create the following network device groups.

Name      Description            Parent Group
Wired     Wired Access Switches  All Device Types
Wireless  WLCs                   All Device Types
VPN       VPN Access Devices     All Device Types

7.3. Select All Locations and click Add and separately create the following network device group
locations.

Name    Description      Parent Group
HQ      Headquarters     All Locations
Branch  Branch Office    All Locations
Test    IT Test Network  All Locations

7.4. When complete, your configuration should look as follows.

8. Configure the L3-Switch as a Network Device in ISE.

8.1. In ISE, navigate to Work Centers > Network Access > Network Resources > Network Devices (or
Administration > Network Resources > Network Devices).

8.2. Click Add to configure a new network device using the following information.

Field                           Value
Name                            L3-Switch
Description                     3560-X Access Switch
IP Address                      10.10.2.1 /32
Device Profile                  Cisco
Model Name                      Cisco_3560X
Software Version                15.2
Network Device Group
  Location                      Test
  IPSEC                         No
  Device Type                   Wired
RADIUS Authentication Settings
  Shared Secret                 sharedsecret

8.3. Click Show to confirm the shared secret and then click Submit.

Note:

We'll come back to the TACACS+ and SNMP settings later. The SNMP settings are used by ISE to query the
device (a collection technique) when performing Profiling. Also, you set the Location to Test to allow for
testing a feature called Passive Identity. You will see that Device Groups play an important role in
determining which Policy Set ISE uses for a session.

Using the Import method provided here, you can import Network Devices and their respective
credentials simultaneously.

9. Configure the WLC as a Network Device in ISE.

Note:

Pay special attention to the WLC configuration: it has two IP addresses.

9.1. Click Add to configure a new network device using the following information.

Field                           Value
Name                            WLC
Description                     Virtual WLC
IP Address                      10.10.2.80 /32 and 10.10.10.2 /32 (careful here: you have two
                                addresses to add for the WLC as a NAD; add the second IP address
                                with Insert new row below)
Device Profile                  Cisco
Model Name                      Virtual_WLC
Software Version                8.4
Network Device Group
  Location                      HQ
  IPSEC                         No
  Device Type                   Wireless
RADIUS Authentication Settings
  Shared Secret                 sharedsecret

9.2. Click Show to confirm the shared secret and then click Submit.

10. Configure the HQ-ASA as a Network Device in ISE.

10.1. Click Add to configure a new network device using the following information.

Field                           Value
Name                            HQ-ASA
Description                     5515-X ASA
IP Address                      10.10.0.1 /32
Device Profile                  Cisco
Model Name                      5515-X
Software Version                9.4
Network Device Group
  Location                      HQ
  IPSEC                         No
  Device Type                   VPN
RADIUS Authentication Settings
  Shared Secret                 sharedsecret

10.2. Click Show to confirm the shared secret and then click Submit.

10.3. Your Network Devices list should look as follows.

Task 4: Create Additional Policy Sets

11. Create policy sets for wireless, wired, and VPN.

11.1. Navigate to Policy > Policy Sets.

11.2. Click the + (plus sign) below the label Policy Sets, to create a policy set above the Default set and
configure by clicking on the respective fields to change or insert the values shown in the table.

Note:

Use the Conditions Studio for the Condition below. Click + in the condition field to access the Condition
Studio. Click in the box Click to add an attribute. Then use the All Dictionaries drop-down menu to
select the dictionary and adjust the attribute, Operator and Value by clicking on Choose from list or
type. Remember to click Use instead of Save in the Conditions Studio. You want to Use the Condition
you create in the Studio, but you do not want to save it to the Library.

Field              Value
Policy Set Name    Wireless (currently showing: New Policy Set 1)
Description        Wireless Access
Conditions         Dictionary   DEVICE
[IMPORTANT: read   Attribute    Device Type
Note above]        Operator     EQUALS
                   Value        All Device Types#Wireless (pay attention: select Wireless). Click Use.
Allowed Protocols  Default Network Access (selected once back in the Policy Sets window, by clicking
                   on Select from list)

11.3. Your Policy Sets should look as follows.

11.4. Click the + (plus sign) below the label Policy Sets, to create a policy set above Wireless, and
configure as follows.

Field              Value
Policy Set Name    Wired
Description        Wired Access
Conditions         Dictionary   DEVICE
[IMPORTANT: read   Attribute    Device Type
Note above]        Operator     EQUALS
                   Value        All Device Types#Wired (pay attention: select Wired). Click Use.
Allowed Protocols  Default Network Access (selected once back in the Policy Sets window, by clicking
                   on Select from list)

11.5. Your Policy Sets should look as follows.

11.6. Click the + (plus sign) below the label Policy Sets, to create a policy set above Wired, and
configure as follows.

Field              Value
Policy Set Name    VPN
Description        VPN Access
Conditions         Dictionary   DEVICE
                   Attribute    Device Type
                   Operator     EQUALS
                   Value        All Device Types#VPN (pay attention: select VPN). Click Use.
Allowed Protocols  Default Network Access (selected once back in the Policy Sets window, by clicking
                   on Select from list)

11.7. When finished, click Save at the bottom right of the Policy Sets window. Your Policy Sets should
look as follows.

12. Reorder the Policy Sets.

Policy Sets are processed top to bottom. We want to move the VPN Policy set to the bottom (just before
Default).

12.1. Drag the VPN Policy to the bottom of the List by selecting the icon to the left of the Status icon.

12.2. When your Policy Sets look as follows click Save.

13. Create a policy set for Passive Identity (Easy Connect).

In a subsequent lab, you will be testing out a feature of ISE called Passive Identity (Easy Connect). Here,
you will set up the Policy set to allow ISE to process Passive Identity sessions from NADs that are Wired
AND on the Test network. This is an effective way to test out features in a production ISE environment
while limiting the scope of the test.

13.1. Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols.

13.2. Click Add and fill in as follows.

Name: Host Lookup Only

Allowed Protocols: Select Only Process Host Lookup

Note:

You will need to clear all options other than Process Host Lookup. Currently Passive Identity works
exclusively via MAB (Host Lookup). Collapsing each protocol and clearing the top level will suffice. You
might need to click precisely in the middle of the square to successfully disable a protocol.

13.3. Click Submit.

13.4. In ISE, navigate to Policy > Policy Sets.


13.5. Click the + (plus sign) below the label Policy Sets, to create a policy set above Wired and configure
as follows.

Note:

In the Conditions Studio, after adding the first condition, click New to add the second condition and fill
in accordingly. Remember to click Use to use the resulting condition. The Allowed Protocols will be
selected once back in the Policy Sets window.

Field              Value
Policy Set Name    Passive Identity
Description        Easy Connect Access
Condition 1        Dictionary   DEVICE
[Read Note above]  Attribute    Device Type
                   Operator     EQUALS
                   Value        All Device Types#Wired
                   AND
Condition 2        Dictionary   DEVICE
                   Attribute    Location
                   Operator     EQUALS
                   Value        All Locations#Test. Click Use.
Allowed Protocols  Host Lookup Only (selected once back in the Policy Sets window, by clicking on
                   Select from list)

13.6. Your Policy Set should look as follows.

13.7. Click Save to commit your changes. Your Policy set order should look as follows.

Note:

Remember that Policy sets are processed in a top-down fashion. First hit determines the Policy Set used
for the session.
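The first-match, top-down selection this note describes, together with the Dictionary:Attribute Operator Value condition form from step 3.5 and the Wired_802.1X smart condition from step 4.3, as an added Python model that is not part of this lab guide or of ISE: it builds the policy sets created in Task 4 in their final order and runs one constructed request per NAD from Task 3 through them. Assumptions: a request is a dict keyed "Dictionary:Attribute"; the DEVICE attributes carry the group paths of the NAD entry ISE matched for the request; only the EQUALS and NOT EQUALS operators are modelled; Wired_802.1X is reduced to the Cisco attribute pair the lab note shows.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

@dataclass(frozen=True)
class Condition:
    # One Dictionary:Attribute Operator Value element, the form noted in step 3.5.
    dictionary: str
    attribute: str
    operator: str  # "EQUALS" or "NOT EQUALS" (a subset of ISE's operator list)
    value: str

    def matches(self, req: dict) -> bool:
        actual = req.get(f"{self.dictionary}:{self.attribute}")
        if self.operator == "EQUALS":
            return actual == self.value
        if self.operator == "NOT EQUALS":
            return actual is not None and actual != self.value
        raise ValueError(f"unsupported operator {self.operator!r}")

@dataclass(frozen=True)
class Compound:
    # An AND/OR block from the Conditions Studio editor; children may nest.
    op: str
    children: Tuple[Union["Condition", "Compound"], ...]

    def matches(self, req: dict) -> bool:
        results = [c.matches(req) for c in self.children]
        return all(results) if self.op == "AND" else any(results)

@dataclass(frozen=True)
class PolicySet:
    name: str
    condition: Optional[Union[Condition, Compound]]  # None = the Default catch-all
    allowed_protocols: str

def select_policy_set(sets: List[PolicySet], req: dict) -> PolicySet:
    # Top-down, first-match evaluation; the Default set is expected to sit last.
    for ps in sets:
        if ps.condition is None or ps.condition.matches(req):
            return ps
    raise LookupError("no policy set matched and no Default set is present")

def device_type(name: str) -> Condition:
    return Condition("DEVICE", "Device Type", "EQUALS", f"All Device Types#{name}")

def location(name: str) -> Condition:
    return Condition("DEVICE", "Location", "EQUALS", f"All Locations#{name}")

# Library conditions from this lab (Wired_802.1X reduced to the Cisco attribute pair shown in 4.3).
WIRED_802_1X = Compound("AND", (Condition("Radius", "NAS-Port-Type", "EQUALS", "Ethernet"),
                                Condition("Radius", "Service-Type", "EQUALS", "Framed")))
WLAN_ID_1 = Condition("Airespace", "Airespace-Wlan-Id", "EQUALS", "1")

# Policy sets in the order the lab ends with after step 13.7.
LAB_POLICY_SETS = [
    PolicySet("Passive Identity", Compound("AND", (device_type("Wired"), location("Test"))), "Host Lookup Only"),
    PolicySet("Wired", device_type("Wired"), "Default Network Access"),
    PolicySet("Wireless", device_type("Wireless"), "Default Network Access"),
    PolicySet("VPN", device_type("VPN"), "Default Network Access"),
    PolicySet("Default", None, "Default Network Access"),
]

# Constructed sample requests, keyed "Dictionary:Attribute". The DEVICE values are the group
# paths of the NAD entries added in Task 3; ISE picks that entry by the request's source IP.
L3_SWITCH_REQ = {"DEVICE:Device Type": "All Device Types#Wired", "DEVICE:Location": "All Locations#Test",
                 "Radius:NAS-Port-Type": "Ethernet", "Radius:Service-Type": "Framed"}
WLC_REQ = {"DEVICE:Device Type": "All Device Types#Wireless", "DEVICE:Location": "All Locations#HQ",
           "Radius:NAS-Port-Type": "Wireless - IEEE 802.11", "Radius:Service-Type": "Framed",
           "Airespace:Airespace-Wlan-Id": "1"}
HQ_ASA_REQ = {"DEVICE:Device Type": "All Device Types#VPN", "DEVICE:Location": "All Locations#HQ"}
UNGROUPED_REQ = {"DEVICE:Device Type": "All Device Types", "DEVICE:Location": "All Locations"}  # root groups only

def lab_order_names() -> Dict[str, str]:
    # Which policy set each sample NAD lands in with the lab's ordering.
    reqs = {"L3-Switch": L3_SWITCH_REQ, "WLC": WLC_REQ, "HQ-ASA": HQ_ASA_REQ, "ungrouped": UNGROUPED_REQ}
    return {nad: select_policy_set(LAB_POLICY_SETS, req).name for nad, req in reqs.items()}

def wrong_order_name() -> str:
    # Why step 13.5 places Passive Identity above Wired: with the order swapped, the Test switch
    # is swallowed by the broader Wired set and the narrower set never gets a hit.
    swapped = [LAB_POLICY_SETS[1], LAB_POLICY_SETS[0], *LAB_POLICY_SETS[2:]]
    return select_policy_set(swapped, L3_SWITCH_REQ).name

if __name__ == "__main__":
    print(lab_order_names())
    print("Passive Identity below Wired ->", wrong_order_name())
```

wrong_order_name() moves Passive Identity below Wired and shows the L3-Switch request landing in Wired instead, which is the reason a narrow set (Wired AND Test) has to sit above the broad one (Wired) it overlaps with.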

14. Configure the Authentication Policy rules of the new Policy Sets.

14.1. Expand the Passive Identity Policy Set and then expand the Authentication Policy. It should look
as follows.

14.2. Click the + in the middle of the new rule to add a new rule and fill in as follows.

Field                Value
Rule Name            MAB
Condition            Wired_MAB (first, Search by Name for Wired. Then, drag and drop in the Conditions
                     Studio. Then, click Use.)
Use                  Internal Endpoints
Options
  If Auth fail       REJECT
  If User not found  CONTINUE
  If Process fail    DROP

14.3. The Passive Identity Authentication Policy should look as follows.

14.4. Save to commit your changes, then click Policy Sets to view all sets.

14.5. Expand the Wired Policy Set by clicking on the > on the right of that specific policy. Expand the
Authentication Policy. Click on the + sign in the middle of the new rule to add the following.

Field                Value
Rule Name            DOT1X
Condition            Wired_802.1X (Click on Search by Name. Type Wired… Drag and drop the Library
                     Condition in the Conditions Studio). Click Use.
Use                  All_User_ID_Stores
  If Auth fail       REJECT
  If User not found  REJECT (it is NOT configured as in the MAB rule)
  If Process fail    DROP

14.6. Add a second rule above (gear icon > Insert new row above)

Field                Value
Rule Name            MAB
Condition            Wired_MAB (Drag and drop the Library Condition in the Conditions Studio). Click Use.
Use                  Internal Endpoints
  If Auth fail       REJECT
  If User not found  CONTINUE
  If Process fail    DROP

14.7. The Wired Authentication Policy should look as follows.

14.8. Click Save to commit your changes, then click Policy Sets to view all sets.

14.9. Expand the Wireless Policy Set by clicking the > on the right of that specific policy and add the
following Authentication Rule. Expand the Authentication Policy and click on the + sign in the
middle of the window.

Field                Value
Rule Name            DOT1X
Condition            Wireless_802.1X (Drag and drop the Library Condition in the Conditions Studio). Click Use.
Use                  All_User_ID_Stores
  If Auth fail       REJECT
  If User not found  REJECT (NOT the same as MAB)
  If Process fail    DROP

14.10. Add a second rule above (gear icon > Insert new row above).

Field                Value
Rule Name            MAB
Condition            Wireless_MAB (Drag and drop the Library Condition in the Conditions Studio). Click Use.
Use                  Internal Endpoints
  If Auth fail       REJECT
  If User not found  CONTINUE
  If Process fail    DROP

14.11. The Wireless Authentication Policy should look as follows.

14.12. Click Save to commit your changes.

Note:

There is no need to modify the VPN Policy Set. It will be OK with the Default Authentication Policy.

Lab complete
