Skip to content
/ Ansible_ISE_Policy_Set_Wired_Wireless Public

Ansible playbook for creating Monitor Mode & Low Impact Mode Policy Sets in ISE 3.1+

License

MIT license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

grg1bbs/Ansible_ISE_Policy_Set_Wired_Wireless

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
changelog.md
changelog.md
 
 
credentials.yaml
credentials.yaml
 
 
hosts
hosts
 
 
policyset.yaml
policyset.yaml
 
 
variables.yaml
variables.yaml
 
 

Repository files navigation

Ansible_ISE_Policy_Set_Wired_Wireless

Ansible playbook for creating Wired Monitor Mode, Wired Low Impact Mode, and Wireless Secure Policy Sets in Cisco Identity Services Engine (ISE) 3.1+

This playbook was validated using:

  • ISE 3.1 patch 7 & 3.2 patch 4
  • Ansible 2.15.5
  • CiscoISESDK 2.0.12
  • ISE Ansible collection 2.5.16

ISE Pre-requisites

The following ISE configurations are required prior to running this playbook:

  1. An administrator account with the 'ERS Admin' role
  2. An Active Directory domain admin account with Join permissions

Policies and Policy Elements created

The following Policy Elements and Policy Sets are created by this playbook:

Policy Elements

  • Active Directory Join Point
    • Join node(s) to domain in the defined Org Unit
    • Add default 'Domain Users' and Domain Computers' AD groups
  • Allowed Protocols list named 'MAB_Dot1x' with the following protocols enabled:
    • Process Host Lookup (MAB)
    • EAP-TLS
    • PEAP(MSCHAPv2)
    • TEAP (MSCHAPv2 & EAP-TLS inner methods) with EAP Chaining
  • Allowed Protocols list named 'Dot1x' with the following protocols enabled:
    • EAP-TLS
    • PEAP(MSCHAPv2)
    • TEAP (MSCHAPv2 & EAP-TLS inner methods) with EAP Chaining
  • Certificate Authentication Profile (for EAP-TLS)
  • Identity Source Sequence with CAP & AD
  • Network Device Group (NDG) structure for Monitor Mode & Low Impact Mode
  • Downloadable ACLs and AuthZ Profiles
    • Permissive DACLs (permit ip any any) except for LIM Default (permits DHCP, DNS, and TFTP only)

Policy Sets

Wired_MM

  • AuthC Policies
    • Dot1x Certificate
    • MAB
  • AuthZ Policies
    • AD User and Computer (EAP Chaining)
    • AD Users
    • AD Computers
    • Default (updated AuthZ Profile)

Wired_LIM

  • AuthC Policies
    • Dot1x Certificate
    • MAB
  • AuthZ Policies
    • AD User and Computer (EAP Chaining)
    • AD Users
    • AD Computers
    • Default (updated AuthZ Profile)

Wireless Secure

  • AuthC Policies
    • Dot1x Certificate
  • AuthZ Policies
    • AD User and Computer (EAP Chaining)
    • AD Users
    • AD Computers

Ansible Pre-requisites

Running this playbook requires Python and Ansible software installed. If you have any problems installing Python or Ansible, see Installing Ansible.

Using Ansible to interact with the Cisco ISE API also requires the Cisco ISE SDK and Ansible Collection. See Ansible Modules for Cisco ISE for more information.

Quick Start

  1. Clone this repository:

    git clone https://github.com/grg1bbs/Ansible_ISE_Policy_Set_Wired_Wireless

  2. Edit the following files to suit your environment:

  • credentials.yaml
  • hosts
  • variables.yaml

  1. Run the Ansible playbook

    ansible-playbook -i hosts policyset.yaml

About

Ansible playbook for creating Monitor Mode & Low Impact Mode Policy Sets in ISE 3.1+

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published