https://community.cisco.com/t5/network-access-control/why-connection-related-to-r1-rule-hits-vpn-rule-and-vice-versa/m-p/3211220#M547527 <P>Hi,</P> <P>&nbsp;</P> <P>I would use policy sets for each autentication type, e.g VPN, Wired 802.1x, Wired MAB etc. Use NAS IP address or Device Type as the condition on the policy set. For example, in doing so, Wired 802.1x authentications would never originate from the NAS IP address of the VPN device, therefore never process that VPN policy set.</P> <P>&nbsp;</P> <P>Ultimately you need to make the rules more specific, using other conditions in the policy.</P> <P>&nbsp;</P> <P>HTH</P> Sun, 05 Nov 2017 17:27:14 GMT Rob Ingram 2017-11-05T17:27:14Z https://community.cisco.com/t5/network-access-control/why-connection-related-to-r1-rule-hits-vpn-rule-and-vice-versa/m-p/3210624#M547521 <P>Hello guys</P> <P>pls find attacment</P> <P>&nbsp;</P> <P>I am confused , why connection related to <STRONG>R1 rule</STRONG> hits <STRONG>VPN rule</STRONG> and connection related to<STRONG> VPN Rule</STRONG> hits<STRONG> R1 Rule</STRONG> , we still using ISE 2.1</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>pls help me out</P> <P>&nbsp;</P> <P>thanks</P> Fri, 21 Feb 2020 18:37:57 GMT https://community.cisco.com/t5/network-access-control/why-connection-related-to-r1-rule-hits-vpn-rule-and-vice-versa/m-p/3210624#M547521 Ibrahim Jamil 2020-02-21T18:37:57Z https://community.cisco.com/t5/network-access-control/why-connection-related-to-r1-rule-hits-vpn-rule-and-vice-versa/m-p/3210644#M547523 <P>The screenshot of the VPN rule implies there is an AND but there appears to be nothing there.</P> <P>&nbsp;</P> <P>Add another condition to match against, to make the each of the rules more specific to the device making the connection. E.g Radius:NAS-Port-Type EQUALS Virtual <STRONG>AND</STRONG> Radius:NAS-IP-Address EQUALS x.x.x.x</P> <P>&nbsp;</P> <P>You could also use Policy Sets and make the condition specifc to the type of connection etc.</P> Fri, 03 Nov 2017 19:42:43 GMT https://community.cisco.com/t5/network-access-control/why-connection-related-to-r1-rule-hits-vpn-rule-and-vice-versa/m-p/3210644#M547523 Rob Ingram 2017-11-03T19:42:43Z https://community.cisco.com/t5/network-access-control/why-connection-related-to-r1-rule-hits-vpn-rule-and-vice-versa/m-p/3211081#M547525 <P>Hello RJI</P> <P>&nbsp;</P> <P>in the Authentication policy do i need also NAS address , NAS is configured for the same rule but in the Authorization policy</P> <P>&nbsp;</P> <P>Thanks</P> Sun, 05 Nov 2017 04:13:32 GMT https://community.cisco.com/t5/network-access-control/why-connection-related-to-r1-rule-hits-vpn-rule-and-vice-versa/m-p/3211081#M547525 Ibrahim Jamil 2017-11-05T04:13:32Z https://community.cisco.com/t5/network-access-control/why-connection-related-to-r1-rule-hits-vpn-rule-and-vice-versa/m-p/3211220#M547527 <P>Hi,</P> <P>&nbsp;</P> <P>I would use policy sets for each autentication type, e.g VPN, Wired 802.1x, Wired MAB etc. Use NAS IP address or Device Type as the condition on the policy set. For example, in doing so, Wired 802.1x authentications would never originate from the NAS IP address of the VPN device, therefore never process that VPN policy set.</P> <P>&nbsp;</P> <P>Ultimately you need to make the rules more specific, using other conditions in the policy.</P> <P>&nbsp;</P> <P>HTH</P> Sun, 05 Nov 2017 17:27:14 GMT https://community.cisco.com/t5/network-access-control/why-connection-related-to-r1-rule-hits-vpn-rule-and-vice-versa/m-p/3211220#M547527 Rob Ingram 2017-11-05T17:27:14Z https://community.cisco.com/t5/network-access-control/why-connection-related-to-r1-rule-hits-vpn-rule-and-vice-versa/m-p/3211340#M547653 <P>Hi</P> <P>&nbsp;</P> <P>do u mean another NAS IP Address also for Authentication policy AND for Authorization policy ????</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>thanks</P> Mon, 06 Nov 2017 05:43:12 GMT https://community.cisco.com/t5/network-access-control/why-connection-related-to-r1-rule-hits-vpn-rule-and-vice-versa/m-p/3211340#M547653 Ibrahim Jamil 2017-11-06T05:43:12Z https://community.cisco.com/t5/network-access-control/why-connection-related-to-r1-rule-hits-vpn-rule-and-vice-versa/m-p/3211543#M547654 <P>Yes, add a new condition to the authorisation rules to make them unique.</P> Mon, 06 Nov 2017 12:51:20 GMT https://community.cisco.com/t5/network-access-control/why-connection-related-to-r1-rule-hits-vpn-rule-and-vice-versa/m-p/3211543#M547654 Rob Ingram 2017-11-06T12:51:20Z