https://community.cisco.com/t5/network-access-control/conditions-missing-for-authentication-policy-in-2-3/m-p/3484526#M526616 <HTML><HEAD></HEAD><BODY><P>Hi everyone,</P><P></P><P>I am working on a POC for ISE using version 2.3. I'm new to ISE so I apologize if this is an obvious question. I couldn't find anything in the forum or docs either. Ok to the question.</P><P></P><P>I am following Katherine McNamara's <SPAN style="font-size: 10pt;">blog post </SPAN><A href="https://community.cisco.com/migration-blogpost/8156">ISE - Dot1x Policy Configuration</A></P><P></P><P>In the post she uses a network access condition that matches certificate attributes that then results in specific identity sequences. I like this approach as it would allow us to collapse our corporate and byod SSIDs into one and assign different roles and VLANs starting with which certificate the client has. This is one of our goals with moving to a full NAC solution such as ISE.</P><P></P><P>My issue is when I go to add this condition in my authentication policy the condition is missing. Are there limitations on which conditions can be used where? Was there a change in how conditions work in 2.3? I've skimmed through documentation and the forums and I can't find any mention of this.</P><P></P><P>Screenshot of the condition:</P><P><IMG alt="network_access_condition.PNG" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/111348_network_access_condition.PNG" style="height: 236px; width: 620px;" /></P><P></P><P>Thanks!</P></BODY></HTML> Sun, 17 Sep 2017 17:39:01 GMT Charlie Dean 2017-09-17T17:39:01Z https://community.cisco.com/t5/network-access-control/conditions-missing-for-authentication-policy-in-2-3/m-p/3484526#M526616 <HTML><HEAD></HEAD><BODY><P>Hi everyone,</P><P></P><P>I am working on a POC for ISE using version 2.3. I'm new to ISE so I apologize if this is an obvious question. I couldn't find anything in the forum or docs either. Ok to the question.</P><P></P><P>I am following Katherine McNamara's <SPAN style="font-size: 10pt;">blog post </SPAN><A href="https://community.cisco.com/migration-blogpost/8156">ISE - Dot1x Policy Configuration</A></P><P></P><P>In the post she uses a network access condition that matches certificate attributes that then results in specific identity sequences. I like this approach as it would allow us to collapse our corporate and byod SSIDs into one and assign different roles and VLANs starting with which certificate the client has. This is one of our goals with moving to a full NAC solution such as ISE.</P><P></P><P>My issue is when I go to add this condition in my authentication policy the condition is missing. Are there limitations on which conditions can be used where? Was there a change in how conditions work in 2.3? I've skimmed through documentation and the forums and I can't find any mention of this.</P><P></P><P>Screenshot of the condition:</P><P><IMG alt="network_access_condition.PNG" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/111348_network_access_condition.PNG" style="height: 236px; width: 620px;" /></P><P></P><P>Thanks!</P></BODY></HTML> Sun, 17 Sep 2017 17:39:01 GMT https://community.cisco.com/t5/network-access-control/conditions-missing-for-authentication-policy-in-2-3/m-p/3484526#M526616 Charlie Dean 2017-09-17T17:39:01Z https://community.cisco.com/t5/network-access-control/conditions-missing-for-authentication-policy-in-2-3/m-p/3484527#M526618 <HTML><HEAD></HEAD><BODY><P>The right-hand-side (RHS) in this instance is a text input so we simply type in the text string.</P><P></P><P><A href="https://community.cisco.com/videos/16601"> Video Link : 16601 </A></P></BODY></HTML> Sun, 17 Sep 2017 17:52:45 GMT https://community.cisco.com/t5/network-access-control/conditions-missing-for-authentication-policy-in-2-3/m-p/3484527#M526618 hslai 2017-09-17T17:52:45Z https://community.cisco.com/t5/network-access-control/conditions-missing-for-authentication-policy-in-2-3/m-p/3484528#M526620 <HTML><HEAD></HEAD><BODY><P>See also the video walk-through of the policy UI in <A href="https://community.cisco.com/docs/DOC-74808">What's New in ISE 2.3?</A></P></BODY></HTML> Sun, 17 Sep 2017 17:59:25 GMT https://community.cisco.com/t5/network-access-control/conditions-missing-for-authentication-policy-in-2-3/m-p/3484528#M526620 hslai 2017-09-17T17:59:25Z https://community.cisco.com/t5/network-access-control/conditions-missing-for-authentication-policy-in-2-3/m-p/3484529#M526622 <HTML><HEAD></HEAD><BODY><P>Hi. The issue isn't creating the condition. I had our TLD in there, I just blacked it out. The issue is when I try and use the condition in a authentication policy. It doesn't show up.</P></BODY></HTML> Sun, 17 Sep 2017 18:15:16 GMT https://community.cisco.com/t5/network-access-control/conditions-missing-for-authentication-policy-in-2-3/m-p/3484529#M526622 Charlie Dean 2017-09-17T18:15:16Z https://community.cisco.com/t5/network-access-control/conditions-missing-for-authentication-policy-in-2-3/m-p/3484530#M526624 <HTML><HEAD></HEAD><BODY><P><SPAN style="text-decoration: line-through;">You can use it in authorization policy rules only.</SPAN> [Correction] We can't use it in any policy set conditions but we can use it in authentication policy conditions inside a policy set.</P><P><IMG __jive_id="111349" alt="Screen Shot 2017-09-17 at 18.31.15.png" class="image-1 jive-image" src="/legacyfs/online/fusion/111349_Screen Shot 2017-09-17 at 18.31.15.png" style="height: 172px; width: 620px;" /></P><P></P><P>Certificate attributes are not yet available at that point in determining which protocols to use. It's removed to resolve CSCvc98033.</P></BODY></HTML> Sun, 17 Sep 2017 18:17:59 GMT https://community.cisco.com/t5/network-access-control/conditions-missing-for-authentication-policy-in-2-3/m-p/3484530#M526624 hslai 2017-09-17T18:17:59Z https://community.cisco.com/t5/network-access-control/conditions-missing-for-authentication-policy-in-2-3/m-p/3484531#M526626 <HTML><HEAD></HEAD><BODY><P>Ok, I think that was the answer I was looking for. Is there a doc I can reference that shows which condition types can be used where in a policy?</P></BODY></HTML> Sun, 17 Sep 2017 18:26:14 GMT https://community.cisco.com/t5/network-access-control/conditions-missing-for-authentication-policy-in-2-3/m-p/3484531#M526626 Charlie Dean 2017-09-17T18:26:14Z https://community.cisco.com/t5/network-access-control/conditions-missing-for-authentication-policy-in-2-3/m-p/3484532#M526627 <HTML><HEAD></HEAD><BODY><P>Please note that I revised my last response. AFAIK it's documented in CSCvc98033 only.</P></BODY></HTML> Sun, 17 Sep 2017 18:37:01 GMT https://community.cisco.com/t5/network-access-control/conditions-missing-for-authentication-policy-in-2-3/m-p/3484532#M526627 hslai 2017-09-17T18:37:01Z