KB ID 0001156
Carrying on from PART 1
Add > Create Before.
Edit the Policy
Give the policy set a name and description > Create a new condition.
Set Description to Device Type.
Equals > All Device Types (The Device Group You Created Above).
Add attribute value.
Set Description to RADIUS.
Equals > Virtual.
Edit the Authentication Policy.
Change the identity source to the identity source sequence you created above.
Authorisation Policy > Insert New Rule Above.
Give it a name, e.g. VPN-ADMIN-RULE > Create New Condition.
Set Description to your Active Directory.
Select your AD group (VPN-Admins).
Set Permissions to Standard.
Select your VPN-Admins authorisation profile.
Add another rule (directly below) for your VPN-Users group, and set this one to use the user profile.
Add a further rule (below that) for your LOCAL admin in the ISE database.
Set User Identity Groups to VPN-Admins.
Note: this is the LOCAL group in ISE, NOT the domain security group.
Again use the admin authorisation profile.
Finally, you need to change the ‘Default’ rule to ‘Deny Access’ (or they will just hit the default allow and get in anyway!).
Now you can test.
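To see why the ‘Default’ rule matters, here is a small first-match model of the rule order built above. It is an added example, not ISE code or part of the original article; it assumes rules are evaluated top to bottom with the first match winning, and the rule names (other than VPN-ADMIN-RULE), profile labels and users are made up for illustration.

```python
# Simplified model of a first-match authorisation policy (not ISE code).
# Rule names other than VPN-ADMIN-RULE, the profile labels and the sample
# users are assumptions made for this example.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    ad_groups: set = field(default_factory=set)   # domain security groups
    ise_groups: set = field(default_factory=set)  # LOCAL ISE identity groups


def build_policy(default_result):
    """Rules in the order the steps above create them, top to bottom."""
    return [
        ("VPN-ADMIN-RULE", lambda u: "VPN-Admins" in u.ad_groups, "admin-profile"),
        ("VPN-USER-RULE", lambda u: "VPN-Users" in u.ad_groups, "user-profile"),
        # Matches the LOCAL ISE group, not the domain group of the same name.
        ("LOCAL-ADMIN-RULE", lambda u: "VPN-Admins" in u.ise_groups, "admin-profile"),
        ("Default", lambda u: True, default_result),
    ]


def authorise(policy, user):
    """Return (rule name, result) for the first rule whose condition matches."""
    for name, condition, result in policy:
        if condition(user):
            return name, result
    raise RuntimeError("policy has no catch-all rule")


# Constructed sample users: one per rule, plus one in no VPN group at all.
USERS = [
    User("alice", ad_groups={"VPN-Admins"}),
    User("bob", ad_groups={"VPN-Users"}),
    User("localadmin", ise_groups={"VPN-Admins"}),
    User("mallory", ad_groups={"Domain Users"}),
]


def audit(default_result):
    """Map each sample user to the rule and result they would receive."""
    policy = build_policy(default_result)
    return {u.name: authorise(policy, u) for u in USERS}


if __name__ == "__main__":
    for default in ("PermitAccess", "DenyAccess"):
        print(default, audit(default))
```

With the default left at permit, the user in no VPN group still gets in; with it set to deny, only the three explicit rules grant access.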