https://community.cisco.com/t5/network-access-control/using-blank-or-null-value-in-the-condition-for-authorization/m-p/3724426#M542866 <P>Hello,</P> <P>&nbsp;</P> <P>We were trying to create a condition to match an AD attribute to a null/blank value. We tried few regex expression values like null, =null, ^$ in the value field, but still we were not able to match the authorization condition. the condition&nbsp;algorithm goes like this</P> <P>&nbsp;</P> <P>If AD attribute = "null value"&nbsp;</P> <P>then</P> <P>Auhorization result: Deny Access</P> <P>&nbsp;</P> <P>Please advise which value or which approach would work?</P> <P>&nbsp;</P> <P>Thanks and Regards</P> <P>&nbsp;</P> <P>Aravind.</P> Mon, 11 Mar 2019 08:50:34 GMT aravikumar 2019-03-11T08:50:34Z https://community.cisco.com/t5/network-access-control/using-blank-or-null-value-in-the-condition-for-authorization/m-p/3724426#M542866 <P>Hello,</P> <P>&nbsp;</P> <P>We were trying to create a condition to match an AD attribute to a null/blank value. We tried few regex expression values like null, =null, ^$ in the value field, but still we were not able to match the authorization condition. the condition&nbsp;algorithm goes like this</P> <P>&nbsp;</P> <P>If AD attribute = "null value"&nbsp;</P> <P>then</P> <P>Auhorization result: Deny Access</P> <P>&nbsp;</P> <P>Please advise which value or which approach would work?</P> <P>&nbsp;</P> <P>Thanks and Regards</P> <P>&nbsp;</P> <P>Aravind.</P> Mon, 11 Mar 2019 08:50:34 GMT https://community.cisco.com/t5/network-access-control/using-blank-or-null-value-in-the-condition-for-authorization/m-p/3724426#M542866 aravikumar 2019-03-11T08:50:34Z https://community.cisco.com/t5/network-access-control/using-blank-or-null-value-in-the-condition-for-authorization/m-p/3724495#M542868 <P>Hi,</P> <P>Why not specify rules that match conditions/attributes above a default rule which denies access? This would deny the null/blank values which would not be match in the more specific rules above.</P> Fri, 12 Oct 2018 18:27:04 GMT https://community.cisco.com/t5/network-access-control/using-blank-or-null-value-in-the-condition-for-authorization/m-p/3724495#M542868 Rob Ingram 2018-10-12T18:27:04Z https://community.cisco.com/t5/network-access-control/using-blank-or-null-value-in-the-condition-for-authorization/m-p/3728896#M542870 <P>There is a bug on ISE that causes the endpoint profile/endpoint group to be modified from a valid value&nbsp;into: blank/unknown/profiled after successful authentication. Instead of using&nbsp;the AUTHZ Policies, I was playing with the PURGE process of ISE trying to delete those blank entries from the Endpoint DB, no luck. I am working with TAC on this issue (there is another way to do this but requires root access). So looks likes the same applies to AUTHZ Policies. I wanted to remove invalid&nbsp;entries from the Endpoint DB.</P> Fri, 19 Oct 2018 20:51:15 GMT https://community.cisco.com/t5/network-access-control/using-blank-or-null-value-in-the-condition-for-authorization/m-p/3728896#M542870 ajc 2018-10-19T20:51:15Z https://community.cisco.com/t5/network-access-control/using-blank-or-null-value-in-the-condition-for-authorization/m-p/3729292#M542872 <P>With ISE 2.3+, we may use "is not" and the following seems to work for me.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2018-10-21 at 5.02.39 AM.png" style="width: 340px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/20817i1EF28523EC2F3E86/image-size/large?v=v2&amp;px=999" role="button" title="Screen Shot 2018-10-21 at 5.02.39 AM.png" alt="Screen Shot 2018-10-21 at 5.02.39 AM.png" /></span></P> Sun, 21 Oct 2018 12:03:53 GMT https://community.cisco.com/t5/network-access-control/using-blank-or-null-value-in-the-condition-for-authorization/m-p/3729292#M542872 hslai 2018-10-21T12:03:53Z