https://community.cisco.com/t5/network-access-control/hq-and-remote-wired-guest-vlan/m-p/2024966#M178445 <P>Hello all,</P><P></P><P>I am having trouble to create a standard condition for Policy Authorization.&nbsp; Basically there are HQ and remote locations configure for guest access.</P><P>Each location has its own guest vlan.&nbsp; On ISE the standard rule are:</P><P>Standard Rule 1 if Unknown AND Wired_MAB then Guest_Access </P><P>This rule is working good for HQ.</P><P></P><P>Standard Rule 2 if (Unknown OR MTL_Devices) AND Wired_MAB_MTL_Guest then Montreal_Guest </P><P>This rule is design for remote but Standard rule 1 is taking over because first match applied and since the OR condition may cause some problem</P><P>with internal users since the condition is Unknown OR MTL_Devices.&nbsp; There is no AND condition for this.</P><P></P><P>Let me know if anyone has idea or have solved this problem.</P><P></P><P>Thank you.</P> Mon, 11 Mar 2019 02:40:08 GMT ttran 2019-03-11T02:40:08Z https://community.cisco.com/t5/network-access-control/hq-and-remote-wired-guest-vlan/m-p/2024966#M178445 <P>Hello all,</P><P></P><P>I am having trouble to create a standard condition for Policy Authorization.&nbsp; Basically there are HQ and remote locations configure for guest access.</P><P>Each location has its own guest vlan.&nbsp; On ISE the standard rule are:</P><P>Standard Rule 1 if Unknown AND Wired_MAB then Guest_Access </P><P>This rule is working good for HQ.</P><P></P><P>Standard Rule 2 if (Unknown OR MTL_Devices) AND Wired_MAB_MTL_Guest then Montreal_Guest </P><P>This rule is design for remote but Standard rule 1 is taking over because first match applied and since the OR condition may cause some problem</P><P>with internal users since the condition is Unknown OR MTL_Devices.&nbsp; There is no AND condition for this.</P><P></P><P>Let me know if anyone has idea or have solved this problem.</P><P></P><P>Thank you.</P> Mon, 11 Mar 2019 02:40:08 GMT https://community.cisco.com/t5/network-access-control/hq-and-remote-wired-guest-vlan/m-p/2024966#M178445 ttran 2019-03-11T02:40:08Z https://community.cisco.com/t5/network-access-control/hq-and-remote-wired-guest-vlan/m-p/2024967#M178461 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You need to change the order of your rules, ISE uses the first matched rule from top to bottom, in your case the MTRL is matching the first rule since it is more open than the rule below which has the check for the network device.</P><P></P><P>Please change the order and see if this fixes your issue, if this doesnt work, post a screenshot of your policies just to make sure we are on the same page.</P><P></P><P>Thanks,</P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Fri, 12 Oct 2012 15:44:59 GMT https://community.cisco.com/t5/network-access-control/hq-and-remote-wired-guest-vlan/m-p/2024967#M178461 Tarik Admani 2012-10-12T15:44:59Z https://community.cisco.com/t5/network-access-control/hq-and-remote-wired-guest-vlan/m-p/2024968#M178482 <HTML><HEAD></HEAD><BODY><P>Hi Tarik,</P><P></P><P>Thanks for relying.&nbsp; I tried different way and still no good.&nbsp; Here is the screen shot.</P></BODY></HTML> Fri, 12 Oct 2012 20:07:35 GMT https://community.cisco.com/t5/network-access-control/hq-and-remote-wired-guest-vlan/m-p/2024968#M178482 ttran 2012-10-12T20:07:35Z