ISE 2.3 - New Policy Sets

In this blog post, I'm going to go over the new policy sets in ISE 2.3. A lot of people have come to me and thought they would need to re-learn ISE for the new policy sets. Well, I have good news for you: While there are some enhancements, it's not really as initimating or new as you think. Are there enhancements? Sure! But much of what you know of policy sets are still the same. 


After upgrading to ISE 2.3, you're going to navigate to Policy>Policy Sets and notice a bit of a change! It looks a bit different now. The old Policy Set screen looked like this:

And now it looks like this:


You're probably wondering what happened to all your authentication and authorization rules! Fear not, they are still there. The view on the new Policy Set screen is just this part of the old Policy Sets:


You can still click the check box to add a new Policy Set here:


If you want to duplicate a policy set above or below an existing policy set, click on the gear next to the existing policy set here:


If you would like to create a new Allowed Protocols list, check the + sign next to the box for it and you'll be able to create one on the fly without having to exit Policy Sets:


If you want to view the Authentication/Authorization rules, you would click on the arrow on the right side to go into that specific policy set:


You will notice there are a few things different right away. The policies are all collapsed by default but you can easily expand them. You now have a Local Exceptions as well as a Global Exceptions policy if you choose to use it:

So far most of this is the same and just laid out differently. The REAL difference that seems to initimate long time ISE users is when you people is where you change or add a condition to an Authorization/Authentication rule and the new Conditions Studio pops up. It looks pretty intimidating at first as you can see:


WOW! That's really different, right? Don't worry. You can still create conditions the same old way you did in ISE before - just quicker. Think of it this way: The left side is the same as "Select Existing Condition from Library" in the old layout and the right side is "Create New Conditon (Advanced Option)" - Old look displayed below:


When you used to pick one from the old layout, you would have to slowly navigate through the nested conditions to find the attribute you wanted and if you had multiple attributes you knew you needed, it would take a while and whenever you accidentally clicked outside the box, you'd have to redo it:


Thankfully, it isn't this way anymore. If you click on the top box under the Editor, it will quickly pull up the available attributes:


If want to jump to a set of dictionary conditions, you can choose from the drop-down of available dictionaries on the left as you can see pictured below:


If you don't even want to bother and you have an idea of what your condition is, you can start to type it in on the right side instead and have everything containing those characters quickly pulled up instead:


Yes, you can QUICKLY add your attributes without having to go through tons of nested attributes slowly. This is a GOOD thing. It's not changing the nature of ISE or how to add the attributes, it's just making it EASIER and faster to get done. 


After you add a new attribute, click New to add another one: 


Now lets say you have a set of conditions you will want to reuse over and over again. Back in earlier versions of ISE, you could navigate to Policy>Policy Elements>Conditions and create your own compound conditions and then navigate BACK to Policy Sets and use them. Now you don't need to do that. The creators of ISE wanted to make it easier for you to do everything from the same screen so if you decide you have a set of compound conditions you would like to use again, you can click Save to save them in the Libary on the lefthand side of the Conditions studio:


Now when you want to reuse that compound condition in future rules, you just need to start to type it on the left side of the Conditions Studio to pull it up and then drag-and-drop it onto the right side:


Other enhancements to the rules and conditions is the ability to do multiple logical AND and OR statements such as below where am looking for the conditions of PEAP-EAP-TLS being used AND it's either coming from WLAN ID #1 OR WLAN ID #5. This makes it easier to trim down some rules and policy sets.


Another option in the policy sets is the ability to set a "Is NOT" qualifier if you choose to do so.


Again, this is in hopes of reducing duplicate rules so you don't have to create a rule for every different option. You can choose to continue doing policy sets and conditions the same old way as before. As I hope I've conveyed above, it's the same expect how it's laid out but there are some more easy options to enhance and trim down your rules a bit more. 

You will notice in the new policy sets that the creators of ISE wanted to make it easier to do things from policy sets and not have to switch screens to create your authorization profile or a new security group tag on the fly with a click of a button:


Hopefully you've found this blog post enjoyable and this has cleared up some of the misconceptions of the new policy sets. The end result is that you can continue to make conditions and policies as you used to if you want to change nothing at all - That's completely fine! If anything, the ISE makers just made it a bit faster to make those policies by getting rid of the nested conditions. But if you find yourself needing to create some more complex conditions, you now know your options.