Cisco ISE can export its Policy Sets configuration as XML. However, as of v3.4 the Web UI does not support importing that file.
Because it cannot be imported, the export has limited uses, but since this product is configured mainly through the Web UI, it is handy when you want to keep a text record of the configuration (for example during verification or when opening a support case).
The screenshots in this article are based on version 3.3.0.430.
How to export
From the Web UI menu, go to Administration > System > Backup & Restore, then open the Policy Export screen.
Set the parameters below and press Export Now; the file download starts.
Setting: Value
- Encryption: Export without encryption
- Destination: Download file to local computer
Related documents
Find the Administrator Guide for your version at the link below and refer to the section "Export Authentication and Authorization Policy Configuration".
Cisco Identity Services Engine - Configuration Guides - Cisco
https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-installation-and-configuration-guides-list.html
Representative versions at the time of writing are listed below.
v3.4
Cisco Identity Services Engine Administrator Guide, Release 3.4 - Maintain and Monitor [Cisco Identity Services Engine] - Cisco
https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/admin_guide/b_ise_admin_3_4/b_ISE_admin_maintain_monitor.html#task_D331E4929EAC4AE690B0450A467CEC49
v3.3
Cisco Identity Services Engine Administrator Guide, Release 3.3 - Maintain and Monitor [Cisco Identity Services Engine] - Cisco
https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_maintain_monitor.html#task_D331E4929EAC4AE690B0450A467CEC49
v3.2
Cisco Identity Services Engine Administrator Guide, Release 3.2 - Maintain and Monitor [Cisco Identity Services Engine] - Cisco
https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_33_maintain_monitor.html#task_D331E4929EAC4AE690B0450A467CEC49
v3.1
Cisco Identity Services Engine Administrator Guide, Release 3.1 - Maintain and Monitor [Cisco Identity Services Engine] - Cisco
https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_maintain_monitor.html#task_D331E4929EAC4AE690B0450A467CEC49
v3.0
Cisco Identity Services Engine Administrator Guide, Release 3.0 - Maintain and Monitor [Cisco Identity Services Engine] - Cisco
https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/b_ISE_admin_30_maintain_monitor.html#task_D331E4929EAC4AE690B0450A467CEC49
Sample XML file (PolicyConfig.xml)
Below is an example export of the Policy Sets in their default state.
<?xml version="1.0" encoding="UTF-8"?><Root> <policysets> <radiusPolicySets> <radiusPolicySet> <condition/> <authorRules> <condition> <isNot>false</isNot> <children> <isNot>false</isNot> <children> <isNot>false</isNot> <refId>Wireless_Access</refId> <type>REFERENCE</type> </children> <children> <lhsAttribute>Name</lhsAttribute> <rhsAttribute>Endpoint Identity Groups:Blocked List</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>IdentityGroup</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </children> <type>AND_BLOCK</type> </condition> <name>Wireless Block List Default</name> <profiles>Block_Wireless_Access</profiles> <rank>0</rank> <id>773acc1f-2c3f-42f0-a93f-0a32499b6996</id> <status>ENABLED</status> </authorRules> <authorRules> <condition> <isNot>false</isNot> <children> <lhsAttribute>Name</lhsAttribute> <rhsAttribute>Endpoint Identity Groups:Profiled:Cisco-IP-Phone</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>IdentityGroup</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> <name>Profiled Cisco IP Phones</name> <profiles>Cisco_IP_Phones</profiles> <rank>1</rank> <id>e8a2a0f8-2111-4be4-8efd-fa634401a34d</id> <status>ENABLED</status> </authorRules> <authorRules> <condition> <isNot>false</isNot> <children> <isNot>false</isNot> <refId>Non_Cisco_Profiled_Phones</refId> <type>REFERENCE</type> </children> <type>AND_BLOCK</type> </condition> <name>Profiled Non Cisco IP Phones</name> <profiles>Non_Cisco_IP_Phones</profiles> <rank>2</rank> <id>b5c2e8ef-b196-4d14-a48d-1d1ff5b9fc03</id> <status>ENABLED</status> </authorRules> <authorRules> <condition> <isNot>false</isNot> <children> <isNot>false</isNot> <children> <isNot>false</isNot> <refId>Network_Access_Authentication_Passed</refId> <type>REFERENCE</type> </children> <children> <isNot>false</isNot> <refId>Compliance_Unknown_Devices</refId> <type>REFERENCE</type> 
</children> <type>AND_BLOCK</type> </children> <type>AND_BLOCK</type> </condition> <name>Unknown_Compliance_Redirect</name> <profiles>Cisco_Temporal_Onboard</profiles> <rank>3</rank> <id>0cf4098a-f38d-4731-ad9d-a43c6fcde07b</id> <status>DISABLED</status> </authorRules> <authorRules> <condition> <isNot>false</isNot> <children> <isNot>false</isNot> <children> <isNot>false</isNot> <refId>Network_Access_Authentication_Passed</refId> <type>REFERENCE</type> </children> <children> <isNot>false</isNot> <refId>Non_Compliant_Devices</refId> <type>REFERENCE</type> </children> <type>AND_BLOCK</type> </children> <type>AND_BLOCK</type> </condition> <name>NonCompliant_Devices_Redirect</name> <profiles>Cisco_Temporal_Onboard</profiles> <rank>4</rank> <id>cc24a1da-7898-46c4-a7df-db4f3706574e</id> <status>DISABLED</status> </authorRules> <authorRules> <condition> <isNot>false</isNot> <children> <isNot>false</isNot> <children> <isNot>false</isNot> <refId>Network_Access_Authentication_Passed</refId> <type>REFERENCE</type> </children> <children> <isNot>false</isNot> <refId>Compliant_Devices</refId> <type>REFERENCE</type> </children> <type>AND_BLOCK</type> </children> <type>AND_BLOCK</type> </condition> <name>Compliant_Devices_Access</name> <profiles>PermitAccess</profiles> <rank>5</rank> <id>4ec8ea41-9033-4bd1-a242-9293212333b3</id> <status>DISABLED</status> </authorRules> <authorRules> <condition> <isNot>false</isNot> <children> <isNot>false</isNot> <children> <isNot>false</isNot> <refId>Wireless_802.1X</refId> <type>REFERENCE</type> </children> <children> <isNot>false</isNot> <refId>BYOD_is_Registered</refId> <type>REFERENCE</type> </children> <children> <isNot>false</isNot> <refId>EAP-TLS</refId> <type>REFERENCE</type> </children> <children> <isNot>false</isNot> <refId>MAC_in_SAN</refId> <type>REFERENCE</type> </children> <type>AND_BLOCK</type> </children> <type>AND_BLOCK</type> </condition> <name>Employee_EAP-TLS</name> <profiles>PermitAccess</profiles> <rank>6</rank> 
<groups>BYOD</groups> <id>9c6bc0ba-e113-44e2-8ff1-b43848859a6c</id> <status>DISABLED</status> </authorRules> <authorRules> <condition> <isNot>false</isNot> <children> <isNot>false</isNot> <children> <isNot>false</isNot> <refId>Wireless_802.1X</refId> <type>REFERENCE</type> </children> <children> <isNot>false</isNot> <refId>EAP-MSCHAPv2</refId> <type>REFERENCE</type> </children> <type>AND_BLOCK</type> </children> <type>AND_BLOCK</type> </condition> <name>Employee_Onboarding</name> <profiles>NSP_Onboard</profiles> <rank>7</rank> <groups>BYOD</groups> <id>0ac9ef07-c9c2-4ead-ab6c-c2887d6c1fb8</id> <status>DISABLED</status> </authorRules> <authorRules> <condition> <isNot>false</isNot> <children> <isNot>false</isNot> <children> <isNot>false</isNot> <refId>Guest_Flow</refId> <type>REFERENCE</type> </children> <children> <isNot>false</isNot> <refId>Wireless_MAB</refId> <type>REFERENCE</type> </children> <type>AND_BLOCK</type> </children> <type>AND_BLOCK</type> </condition> <name>Wi-Fi_Guest_Access</name> <profiles>PermitAccess</profiles> <rank>8</rank> <groups>Guests</groups> <id>c0b7b26a-73c9-4886-abb8-b0f9a606bb6d</id> <status>DISABLED</status> </authorRules> <authorRules> <condition> <isNot>false</isNot> <children> <isNot>false</isNot> <refId>Wireless_MAB</refId> <type>REFERENCE</type> </children> <type>AND_BLOCK</type> </condition> <name>Wi-Fi_Redirect_to_Guest_Login</name> <profiles>Cisco_WebAuth</profiles> <rank>9</rank> <id>416507a7-22f1-4e4a-a911-af788b9d7aee</id> <status>DISABLED</status> </authorRules> <authorRules> <condition> <isNot>false</isNot> <children> <isNot>false</isNot> <refId>Network_Access_Authentication_Passed</refId> <type>REFERENCE</type> </children> <type>AND_BLOCK</type> </condition> <name>Basic_Authenticated_Access</name> <profiles>PermitAccess</profiles> <rank>10</rank> <id>ba3df86d-fa67-42cd-996b-3c14c13a01a4</id> <status>ENABLED</status> </authorRules> <authorRules> <condition/> <name>Default</name> <profiles>DenyAccess</profiles> 
<rank>11</rank> <id>b13f6428-21a4-46b6-87fe-56d2f615b10c</id> <status>ENABLED</status> </authorRules> <name>Default</name> <description>Default policy set</description> <rank>0</rank> <id>3c7ceaca-98ea-43cc-8776-43997a13ee7f</id> <allowedProtocols>Default Network Access</allowedProtocols> <status>ENABLED</status> <authenRules> <condition> <isNot>false</isNot> <children> <isNot>false</isNot> <children> <isNot>false</isNot> <refId>Wired_MAB</refId> <type>REFERENCE</type> </children> <children> <isNot>false</isNot> <refId>Wireless_MAB</refId> <type>REFERENCE</type> </children> <type>OR_BLOCK</type> </children> <type>AND_BLOCK</type> </condition> <storetype>IdentityStore</storetype> <processfailaction>DROP</processfailaction> <usernotfoundaction>CONTINUE</usernotfoundaction> <name>MAB</name> <rank>0</rank> <storename>Internal Endpoints</storename> <id>ab4f62fc-5092-4085-94a4-3fb1f1494916</id> <authenfailaction>REJECT</authenfailaction> <status>ENABLED</status> </authenRules> <authenRules> <condition> <isNot>false</isNot> <children> <isNot>false</isNot> <children> <isNot>false</isNot> <refId>Wired_802.1X</refId> <type>REFERENCE</type> </children> <children> <isNot>false</isNot> <refId>Wireless_802.1X</refId> <type>REFERENCE</type> </children> <type>OR_BLOCK</type> </children> <type>AND_BLOCK</type> </condition> <storetype>IdentityStoreSequence</storetype> <processfailaction>DROP</processfailaction> <usernotfoundaction>REJECT</usernotfoundaction> <name>Dot1X</name> <rank>1</rank> <storename>All_User_ID_Stores</storename> <id>86351382-d6d7-4469-abae-5ca55d6bf646</id> <authenfailaction>REJECT</authenfailaction> <status>ENABLED</status> </authenRules> <authenRules> <condition/> <storetype>IdentityStoreSequence</storetype> <processfailaction>DROP</processfailaction> <usernotfoundaction>REJECT</usernotfoundaction> <name>Default</name> <rank>2</rank> <storename>All_User_ID_Stores</storename> <id>50b08ec7-38c4-4adb-9fcf-67e0991cd081</id> 
<authenfailaction>REJECT</authenfailaction> <status>ENABLED</status> </authenRules> </radiusPolicySet> </radiusPolicySets> <tacacsPolicySets> <tacacsPolicySet> <condition/> <authorRules> <condition/> <name>Default</name> <profiles>Deny All Shell Profile</profiles> <rank>0</rank> <commandsets>DenyAllCommands</commandsets> <id>1bb1ea9b-636f-4cac-af03-064d25b0a104</id> <status>ENABLED</status> </authorRules> <name>Default</name> <description>Tacacs Default policy set</description> <rank>0</rank> <id>eb6136b9-a5f3-44b0-b875-075aee522cc9</id> <allowedProtocols>Default Device Admin</allowedProtocols> <status>ENABLED</status> <authenRules> <condition/> <storetype>IdentityStoreSequence</storetype> <processfailaction>DROP</processfailaction> <usernotfoundaction>REJECT</usernotfoundaction> <name>Default</name> <rank>0</rank> <storename>All_User_ID_Stores</storename> <id>a9c396be-5a9c-4041-9460-052bc3771324</id> <authenfailaction>REJECT</authenfailaction> <status>ENABLED</status> </authenRules> </tacacsPolicySet> </tacacsPolicySets> </policysets> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>RadiusFlowType</lhsAttribute> <rhsAttribute>Wireless802_1x</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Normalised Radius</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> <name>Wireless_802.1X</name> <description>A condition to match 802.1X based authentication requests from wireless LAN controllers, according to the corresponding 802.1x attributes defined in the device profile.</description> <id>8033ff8b-f474-48f8-9182-f3f2800146b8</id> </libraryCondition> </libraryConditions> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>RadiusFlowType</lhsAttribute> <rhsAttribute>WiredWebAuth</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Normalised Radius</lhsDictionary> <type>SINGLE</type> 
<operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> <name>Switch_Web_Authentication</name> <description>A condition to match requests for web authentication from switches, according to the corresponding Web Authentication attributes defined in the device profile.</description> <id>7b1a7c68-55fb-49b0-be2c-9f217694aa08</id> </libraryCondition> </libraryConditions> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>RadiusFlowType</lhsAttribute> <rhsAttribute>WiredMAB</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Normalised Radius</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> <name>Wired_MAB</name> <description>A condition to match MAC Authentication Bypass service based authentication requests from switches, according to the corresponding MAB attributes defined in the device profile.</description> <id>f24fad22-3b37-47ad-9e4e-be442c5dc39a</id> </libraryCondition> </libraryConditions> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>RadiusFlowType</lhsAttribute> <rhsAttribute>Wired802_1x</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Normalised Radius</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> <name>Wired_802.1X</name> <description>A condition to match 802.1X based authentication requests from switches, according to the corresponding 802.1x attributes defined in the device profile.</description> <id>318cead8-f039-4db8-8d48-e903abadb695</id> </libraryCondition> </libraryConditions> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>RadiusFlowType</lhsAttribute> <rhsAttribute>WirelessMAB</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Normalised Radius</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> 
</children> <type>AND_BLOCK</type> </condition> <name>Wireless_MAB</name> <description>A condition to match MAC Authentication Bypass service based authentication requests from wireless LAN controllers, according to the corresponding MAB attributes defined in the device profile.</description> <id>97f0db59-7725-4573-8fb0-aad88dd9efec</id> </libraryCondition> </libraryConditions> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>RadiusFlowType</lhsAttribute> <rhsAttribute>WirelessWebAuth</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Normalised Radius</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> <name>WLC_Web_Authentication</name> <description>A condition to match requests for web authentication from wireless LAN controllers, according to the corresponding Web Authentication attributes defined in the device profile.</description> <id>f5571dec-e712-4504-a98e-a3d7860c0437</id> </libraryCondition> </libraryConditions> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>PostureStatus</lhsAttribute> <rhsAttribute>Unknown</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Session</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> <name>Compliance_Unknown_Devices</name> <description>Default condition for unknown compliance devices</description> <id>4f1abfa3-843d-4268-9b71-7e0f59d5ab98</id> </libraryCondition> </libraryConditions> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>PostureStatus</lhsAttribute> <rhsAttribute>NonCompliant</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Session</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> <name>Non_Compliant_Devices</name> <description>Default 
condition for non-compliant devices</description> <id>4c139e85-01e3-4f62-9ab5-2752dfd87add</id> </libraryCondition> </libraryConditions> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>PostureStatus</lhsAttribute> <rhsAttribute>Compliant</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Session</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> <name>Compliant_Devices</name> <description>Default condition for compliant devices</description> <id>473c5330-dc7b-4364-9f72-0a2390041186</id> </libraryCondition> </libraryConditions> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>LogicalProfile</lhsAttribute> <rhsAttribute>IP-Phones</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>EndPoints</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> <name>Non_Cisco_Profiled_Phones</name> <description>Default condition used to match Non Cisco IP Phones</description> <id>026fe326-c2b8-4c71-bae8-6a0d41b54f31</id> </libraryCondition> </libraryConditions> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>Service-Type</lhsAttribute> <rhsAttribute>Outbound</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Radius</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <children> <lhsAttribute>NAS-Port-Type</lhsAttribute> <rhsAttribute>Ethernet</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Radius</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> <name>Switch_Local_Web_Authentication</name> <description>A condition to match authentication requests for Local Web Authentication from Cisco Catalyst Switches</description> <id>0341268c-feef-4154-976b-c59ef93bc5c0</id> 
</libraryCondition> </libraryConditions> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>Cisco-5g-serving-network-name</lhsAttribute> <rhsAttribute>5G:</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Cisco</lhsDictionary> <type>SINGLE</type> <operator>STARTS_WITH</operator> </children> <type>AND_BLOCK</type> </condition> <name>5G</name> <description>A condition to match 5G</description> <id>6dec1b16-9c8e-43e8-be4b-86f0b001bf68</id> </libraryCondition> </libraryConditions> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>Service-Type</lhsAttribute> <rhsAttribute>Outbound</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Radius</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <children> <lhsAttribute>NAS-Port-Type</lhsAttribute> <rhsAttribute>Ethernet</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Radius</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> <name>Catalyst_Switch_Local_Web_Authentication</name> <description>Default condition used to match authentication requests for Local Web Authentication from Cisco Catalyst Switches</description> <id>63c42696-7390-4b23-8596-0e2ccd615e93</id> </libraryCondition> </libraryConditions> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>NAS-Port-Type</lhsAttribute> <rhsAttribute>Wireless - IEEE 802.11</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Radius</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> <name>Wireless_Access</name> <description>Default condition used to match any authentication request from Cisco Wireless LAN Controller.</description> <id>f488dbd7-a207-48c5-a183-68e812598948</id> </libraryCondition> </libraryConditions> <libraryConditions> 
<libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>BYODRegistration</lhsAttribute> <rhsAttribute>Yes</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>EndPoints</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> <name>BYOD_is_Registered</name> <description>Default condition for BYOD flow for any device that has passed the NSP process</description> <id>8aed6feb-a1f0-464c-ac5a-cccbf13f2b7b</id> </libraryCondition> </libraryConditions> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>EapAuthentication</lhsAttribute> <rhsAttribute>EAP-MSCHAPv2</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Network Access</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> <name>EAP-MSCHAPv2</name> <description>Default condition for BYOD Onboarding flow</description> <id>c8973541-6236-404f-b6c6-e889d6ab02b8</id> </libraryCondition> </libraryConditions> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>EapAuthentication</lhsAttribute> <rhsAttribute>EAP-TLS</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Network Access</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> <name>EAP-TLS</name> <description>Default condition for BYOD flow for any device that has passed the NSP process</description> <id>0534eab1-2aab-4a6f-84f7-065e29462e33</id> </libraryCondition> </libraryConditions> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>UseCase</lhsAttribute> <rhsAttribute>Guest Flow</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Network Access</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> 
<name>Guest_Flow</name> <description>Default condition for guest flow</description> <id>33015f26-3acf-4366-9241-a37ab2ca6d6b</id> </libraryCondition> </libraryConditions> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>Subject Alternative Name</lhsAttribute> <rhsAttribute>Subject Alternative Name</rhsAttribute> <rhsDictionary>CERTIFICATE</rhsDictionary> <isNot>false</isNot> <lhsDictionary>CERTIFICATE</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> <name>MAC_in_SAN</name> <description>Default condition for BYOD flow for any device that has passed the NSP process</description> <id>28e1c676-c871-42ad-82b7-792ed7cd7b03</id> </libraryCondition> </libraryConditions> <libraryConditions> <libraryCondition> <condition> <isNot>false</isNot> <children> <lhsAttribute>AuthenticationStatus</lhsAttribute> <rhsAttribute>AuthenticationPassed</rhsAttribute> <rhsDictionary/> <isNot>false</isNot> <lhsDictionary>Network Access</lhsDictionary> <type>SINGLE</type> <operator>EQUALS</operator> </children> <type>AND_BLOCK</type> </condition> <name>Network_Access_Authentication_Passed</name> <description>Default condition used for basic Network Access requiring that authentication was successful.</description> <id>717538eb-c6e7-409a-9c72-29b41d12389e</id> </libraryCondition> </libraryConditions> <!--This section describes the Allowed Protocols configured in ISE--> <AllowedProtocols> <AllowedProtocol description="Default Allowed Protocol Service Device Admin" name="Default Device Admin"> <Option name="Process Host Lookup" value="false"/> <Option name="Allow PAP/ASCII" value="true"/> <Option name="Allow CHAP" value="true"/> <Option name="Allow MS-CHAPv1" value="true"/> <Option name="Allow MS-CHAPv2" value="false"/> <Option name="Allow EAP-MD5" value="false"/> <Option name="Allow EAP-TLS" value="false"/> <Option name="Allow LEAP" value="false"/> <Option name="Allow PEAP" 
value="false"/> <Option name="Allow EAP-FAST" value="false"/> </AllowedProtocol> <AllowedProtocol description="Default Allowed Protocol Service" name="Default Network Access"> <Option name="Process Host Lookup" value="true"/> <Option name="Allow PAP/ASCII" value="true"/> <Option name="Allow CHAP" value="false"/> <Option name="Allow MS-CHAPv1" value="false"/> <Option name="Allow MS-CHAPv2" value="false"/> <Option name="Allow EAP-MD5" value="true"/> <Option name="Allow EAP-TLS" value="true"> <Option name="EAP-TLS-Allow Allow Authentication of expired certificates" value="false"/> <Option name="EAP-TLS-Allow Enable Stateless Session Resume" value="false"/> </Option> <Option name="Allow LEAP" value="false"/> <Option name="Allow PEAP" value="true"> <Option name="PEAP-Allow EAP-MS-CHAPv2" value="true"> <Option name="Allow Password Change" value="true"/> <Option name="Retries" value="1"/> </Option> <Option name="PEAP-Allow EAP-GTC" value="true"> <Option name="Allow Password Change" value="true"/> <Option name="Retries" value="1"/> </Option> <Option name="PEAP-Allow EAP-TLS" value="true"> <Option name="EAP-TLS-Allow Allow Authentication of expired certificates" value="false"/> </Option> <Option name="Allow PEAPv0 only for legacy clients" value="false"/> </Option> <Option name="Allow EAP-FAST" value="true"> <Option name="EAP-FAST-Allow EAP-MS-CHAPv2" value="true"> <Option name="Allow Password Change" value="true"/> <Option name="Retries" value="3"/> </Option> <Option name="EAP-FAST-Allow EAP-GTC" value="true"> <Option name="Allow Password Change" value="true"/> <Option name="Retries" value="3"/> </Option> <Option name="EAP-FAST-Allow EAP-TLS" value="true"> <Option name="EAP-TLS-Allow Allow Authentication of expired certificates" value="false"/> </Option> <Option name="Use PACs" value="true"> <Option name="Tunnel PAC Time To Live in Seconds" value="7776000"/> <Option name="Proactive PAC update will occur after" value="90"/> <Option name="Allow Anonymous In-Band PAC 
Provisioning" value="false"/> <Option name="Allow Authenticated In-Band PAC Provisioning" value="true"> <Option name="Server Returns Access Accept After Authenticated Provisioning" value="true"/> <Option name="Accept Client Certificate For Provisioning" value="false"/> </Option> <Option name="Use PACs-Allow Machine Authentication" value="true"> <Option name="Machine PAC Time To Live in Seconds" value="604800"/> </Option> <Option name="Enable Stateless Session Resume" value="true"> <Option name="Authorization PAC Time To Live in Seconds" value="3600"/> </Option> </Option> <Option name="Enable EAP Chaining" value="false"/> </Option> </AllowedProtocol> </AllowedProtocols> <!--This section describes the Identity Sequences configured in ISE--> <IdentitySequences> <Sequence cert="Preloaded_Certificate_Profile" description="A built-in Identity Sequence to include all User Identity Stores" name="All_User_ID_Stores"> <Sources> <Source name="Internal Users"/> <Source name="All_AD_Join_Points"/> <Source name="Guest Users"/> </Sources> <option name="Select Certificate Authentication Profile" value="true"/> <option name="Certificate Authentication Profile" value="Preloaded_Certificate_Profile"/> <option name="Do not access other stores in the sequence and set the AuthenticationStatus attribute to ProcessError" value="false"/> <option name="Treat as if the user was not found and proceed to the next store in the sequence" value="true"/> </Sequence> <Sequence description="A built-in Identity Sequence for Certificate Request APIs" name="Certificate_Request_Sequence"> <Sources> <Source name="Internal Users"/> <Source name="All_AD_Join_Points"/> </Sources> <option name="Select Certificate Authentication Profile" value="false"/> <option name="Do not access other stores in the sequence and set the AuthenticationStatus attribute to ProcessError" value="false"/> <option name="Treat as if the user was not found and proceed to the next store in the sequence" value="true"/> </Sequence> 
<Sequence description="A built-in Identity Sequence for the Guest Portal" name="Guest_Portal_Sequence"> <Sources> <Source name="Internal Users"/> <Source name="Guest Users"/> <Source name="All_AD_Join_Points"/> </Sources> <option name="Select Certificate Authentication Profile" value="false"/> <option name="Do not access other stores in the sequence and set the AuthenticationStatus attribute to ProcessError" value="false"/> <option name="Treat as if the user was not found and proceed to the next store in the sequence" value="true"/> </Sequence> <Sequence description="A built-in Identity Sequence for the My Devices Portal" name="MyDevices_Portal_Sequence"> <Sources> <Source name="Internal Users"/> <Source name="All_AD_Join_Points"/> </Sources> <option name="Select Certificate Authentication Profile" value="false"/> <option name="Do not access other stores in the sequence and set the AuthenticationStatus attribute to ProcessError" value="false"/> <option name="Treat as if the user was not found and proceed to the next store in the sequence" value="true"/> </Sequence> <Sequence description="A built-in Identity Sequence for the Sponsor Portal" name="Sponsor_Portal_Sequence"> <Sources> <Source name="Internal Users"/> <Source name="All_AD_Join_Points"/> </Sources> <option name="Select Certificate Authentication Profile" value="false"/> <option name="Do not access other stores in the sequence and set the AuthenticationStatus attribute to ProcessError" value="false"/> <option name="Treat as if the user was not found and proceed to the next store in the sequence" value="true"/> </Sequence> </IdentitySequences> <!--This section describes the RADIUS Server Sequences configured in ISE--> <Proxies/> <!--This section describes the Authorization Results configured in ISE--> <AznResults> <StandardResults> <Profile description="Default profile used to block wireless devices. 
Ensure that you configure a NULL ROUTE ACL on the Wireless LAN Controller" nadProfileName="Cisco" name="Block_Wireless_Access">
        <option name="Attributes Details">cisco-av-pair = url-redirect=https://ip:port/blockedportal/gateway?portal=24adc791-7fb9-4b3f-aaf9-080680804fee, cisco-av-pair = url-redirect-acl=BLACKHOLE</option>
        <option name="Access Type" value="ACCESS_ACCEPT"/>
        <option name="Service Template" value="false"/>
      </Profile>
      <Profile description="Default profile used for Cisco Phones." nadProfileName="Cisco" name="Cisco_IP_Phones">
        <option name="Attributes Details">DACL = PERMIT_ALL_IPV4_TRAFFIC, cisco-av-pair = device-traffic-class=voice</option>
        <option name="Access Type" value="ACCESS_ACCEPT"/>
        <option name="Service Template" value="false"/>
      </Profile>
      <Profile description="Onboard the device with Cisco temporal agent" nadProfileName="Cisco" name="Cisco_Temporal_Onboard">
        <option name="Attributes Details">DACL = PERMIT_ALL_IPV4_TRAFFIC, cisco-av-pair = url-redirect-acl=ACL_WEBAUTH_REDIRECT, cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=ee39fd08-7180-4995-8aa2-9fb282645a8f&action=cpp</option>
        <option name="Access Type" value="ACCESS_ACCEPT"/>
        <option name="Service Template" value="false"/>
      </Profile>
      <Profile description="Default Profile used to redirect users to the CWA portal." nadProfileName="Cisco" name="Cisco_WebAuth">
        <option name="Attributes Details">cisco-av-pair = url-redirect-acl=ACL_WEBAUTH_REDIRECT, cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=97e50aa5-16f2-4c30-85c5-7191de6a5f45&action=cwa</option>
        <option name="Access Type" value="ACCESS_ACCEPT"/>
        <option name="Service Template" value="false"/>
      </Profile>
      <Profile description="Default Profile with access type as Access-Reject" name="DenyAccess">
        <option name="Access Type" value="ACCESS_REJECT"/>
        <option name="Service Template" value="false"/>
      </Profile>
      <Profile description="Onboard the device with Native Supplicant Provisioning" nadProfileName="Cisco" name="NSP_Onboard">
        <option name="Attributes Details">DACL = PERMIT_ALL_IPV4_TRAFFIC, cisco-av-pair = url-redirect-acl=ACL_WEBAUTH_REDIRECT, cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=257d1fc6-fe59-48e8-969a-4db6ac79b668&action=nsp</option>
        <option name="Access Type" value="ACCESS_ACCEPT"/>
        <option name="Service Template" value="false"/>
      </Profile>
      <Profile description="Default Profile used for Non Cisco Phones." nadProfileName="Cisco" name="Non_Cisco_IP_Phones">
        <option name="Attributes Details">DACL = PERMIT_ALL_IPV4_TRAFFIC, cisco-av-pair = device-traffic-class=voice</option>
        <option name="Access Type" value="ACCESS_ACCEPT"/>
        <option name="Service Template" value="false"/>
      </Profile>
      <Profile description="Default Profile with access type as Access-Accept" name="PermitAccess">
        <option name="Access Type" value="ACCESS_ACCEPT"/>
        <option name="Service Template" value="false"/>
      </Profile>
      <Profile description="Default profile used for UDN." nadProfileName="Cisco" name="UDN">
        <option name="Attributes Details">cisco-av-pair = null, cisco-av-pair = null, cisco-av-pair = null</option>
        <option name="Access Type" value="ACCESS_ACCEPT"/>
        <option name="Service Template" value="false"/>
      </Profile>
    </StandardResults>
    <SecurityGroups>
      <SecurityGroup description="Auditor Security Group" name="Auditors">
        <option name="Security Group Tag" value="9"/>
      </SecurityGroup>
      <SecurityGroup description="BYOD Security Group" name="BYOD">
        <option name="Security Group Tag" value="15"/>
      </SecurityGroup>
      <SecurityGroup description="Contractor Security Group" name="Contractors">
        <option name="Security Group Tag" value="5"/>
      </SecurityGroup>
      <SecurityGroup description="Developer Security Group" name="Developers">
        <option name="Security Group Tag" value="8"/>
      </SecurityGroup>
      <SecurityGroup description="Development Servers Security Group" name="Development_Servers">
        <option name="Security Group Tag" value="12"/>
      </SecurityGroup>
      <SecurityGroup description="Employee Security Group" name="Employees">
        <option name="Security Group Tag" value="4"/>
      </SecurityGroup>
      <SecurityGroup description="Guest Security Group" name="Guests">
        <option name="Security Group Tag" value="6"/>
      </SecurityGroup>
      <SecurityGroup description="Network Services Security Group" name="Network_Services">
        <option name="Security Group Tag" value="3"/>
      </SecurityGroup>
      <SecurityGroup description="PCI Servers Security Group" name="PCI_Servers">
        <option name="Security Group Tag" value="14"/>
      </SecurityGroup>
      <SecurityGroup description="Point of Sale Security Group" name="Point_of_Sale_Systems">
        <option name="Security Group Tag" value="10"/>
      </SecurityGroup>
      <SecurityGroup description="Production Servers Security Group" name="Production_Servers">
        <option name="Security Group Tag" value="11"/>
      </SecurityGroup>
      <SecurityGroup description="Production User Security Group" name="Production_Users">
        <option name="Security Group Tag" value="7"/>
      </SecurityGroup>
      <SecurityGroup description="Quarantine Security Group" name="Quarantined_Systems">
        <option name="Security Group Tag" value="255"/>
      </SecurityGroup>
      <SecurityGroup description="Test Servers Security Group" name="Test_Servers">
        <option name="Security Group Tag" value="13"/>
      </SecurityGroup>
      <SecurityGroup description="TrustSec Devices Security Group" name="TrustSec_Devices">
        <option name="Security Group Tag" value="2"/>
      </SecurityGroup>
      <SecurityGroup description="Unknown Security Group" name="Unknown">
        <option name="Security Group Tag" value="0"/>
      </SecurityGroup>
    </SecurityGroups>
    <TacacsProfile>
      <TacacsProfile description="Default Shell Profile" name="Default Shell Profile">
        <option name="session Attributes" value=""/>
      </TacacsProfile>
      <TacacsProfile description="Deny All Shell Profile" name="Deny All Shell Profile">
        <option name="session Attributes" value=""/>
      </TacacsProfile>
      <TacacsProfile description="WLC ALL" name="WLC ALL">
        <option name="session Attributes" value="role1=ALL"/>
      </TacacsProfile>
      <TacacsProfile description="WLC MONITOR" name="WLC MONITOR">
        <option name="session Attributes" value="role1=MONITOR"/>
      </TacacsProfile>
    </TacacsProfile>
    <TacacsCommandset>
      <TacacsCommandset description="Default Command Set" name="DenyAllCommands">
        <option name="Commands" value=""/>
        <option name="Permit Unmatched" value="false"/>
      </TacacsCommandset>
    </TacacsCommandset>
  </AznResults>
</Root>
