topic Re: Policy Set Condition based off Multiple Locations in Network Access Control

Policy Set Condition based off Multiple Locations

Matthew Martin — Tue, 05 Feb 2019 20:38:08 GMT

Hello,

ISE v2.3

I would like to try and modify an existing Policy Set for Wireless Guest Access. The set I would like to use currently says:

What I would like to do is add new condition so that it basically says that it will match if its either Location1 OR Location2. How can I achieve this?

I think if I just choose to add a new OR condition, right below Location1, then it would say: If Guest, Guest Flow and Location1 are meet then match it, OR if its Location2 then match it (*which would I think it would just ignore the Guest and Guest Flow conditions if its in Location2).

Thanks in Advance,

Matt

Re: Policy Set Condition based off Multiple Locations

Damien Miller — Tue, 05 Feb 2019 20:48:44 GMT

A quick shuffle will make this work. Use a single "and" with a nested "or" for the locations. Add as many locations as you need within the "or".

example, I don't have identical fields to you, I just used what was available to demo.

Re: Policy Set Condition based off Multiple Locations

Matthew Martin — Tue, 05 Feb 2019 20:58:51 GMT

Thanks Damien!

Does this look correct to you for what I was explaining?

Thanks Again,

Matt

Re: Policy Set Condition based off Multiple Locations

Damien Miller — Tue, 05 Feb 2019 21:18:09 GMT

It will work, it just has a redundant "and". You can pull the location "or", the network access, and radius conditions out and delete the second and.

Move everything to the same level as the identity group at the bottom. This will leave on the the "or" operand nested under your single "and".

Re: Policy Set Condition based off Multiple Locations

Matthew Martin — Tue, 05 Feb 2019 21:34:02 GMT

Ok, so you're saying I should go from the top one below to the bottom one?

-Matt

Re: Policy Set Condition based off Multiple Locations

Damien Miller — Tue, 05 Feb 2019 21:38:41 GMT

Yes thats it, they both work, the bottom one would be preferred.

While it has no impact on the functionality, I also suggest keeping your rules with the same format. Ex location first, then device type, then groups etc. Just makes it easier if you're later auditing, you have an expected order. The order you pick is up entirely up to you if you want to do it that way.

Re: Policy Set Condition based off Multiple Locations

Matthew Martin — Tue, 05 Feb 2019 22:28:29 GMT

Ok, sounds good. Thanks again for the help!

-Matt

Re: Policy Set Condition based off Multiple Locations

Matthew Martin — Mon, 11 Feb 2019 17:56:39 GMT

Hey Damien,

I tried getting rid of that extra AND level. But, there didn't seem like an easy way to just drag conditions to an outer level. So I ended up just trying to re-create the condition/policy set. But, after I did I noticed the icon for the Identity Group condition (*the bottom condition) is no longer the same as it was before... Any idea why that is?

Screenshot below:

Is this going to be an issue? Not sure why it would do that when I'm selecting the "IdentityGroup" one. When I look at what the circled icon is above in the "select attribute" box that pops up, it says that icon falls under "Unclassified".

-Matt

Re: Policy Set Condition based off Multiple Locations

hslai — Mon, 11 Feb 2019 18:07:54 GMT

I believe it a minor bug, affecting UI only, and should not have an impact in policy evaluation.

Re: Policy Set Condition based off Multiple Locations

Matthew Martin — Mon, 11 Feb 2019 18:27:03 GMT

We also have a Guest policy set for our remote branch offices. Basically every other location that we have besides Location 1 and Location 2 use this policy. The only real difference is that instead of using "Locations", it uses Called-Station-ID (*which we have setup for the WLC to send "AP-Name:SSID") so we check the AP name instead of location because I setup all APs in the remote branches to start with the same Prefix.

That policy set also had an extra AND level. And when I re-created that one all the icons changed there too...

Are these 2 below equivalent?

OLD:

NEW:

Are those 2 sets above equivalent? Wasn't sure why the top 3 conditions were sort of separated from the bottom condition with the extra "AND"...

Thanks Again,

Matt

Re: Policy Set Condition based off Multiple Locations

Damien Miller — Mon, 11 Feb 2019 18:40:50 GMT

Yes, those two authorization rules will do the same thing, you have to meet all four conditions in either. Weird display bug hslai mentioned.

Re: Policy Set Condition based off Multiple Locations

Matthew Martin — Mon, 11 Feb 2019 18:43:05 GMT

Ok got it. Thanks hslai.

-Matt

Re: Policy Set Condition based off Multiple Locations

Matthew Martin — Mon, 11 Feb 2019 18:43:23 GMT

Ok cool, thanks for the confirmation!

-Matt

Re: Policy Set Condition based off Multiple Locations

Matthew Martin — Mon, 11 Feb 2019 18:45:10 GMT

FYI...

After clicking "SAVE" at the bottom of the Policy Sets page, and the page refreshes. The icons change back to what they "should" look like.

-Matt