topic Re: Customize Compound condition in Network Access Control

Customize Compound condition

Ibrahim Jamil — Fri, 21 Feb 2020 18:38:47 GMT

Hello guys

Where the Tab in ISE 2.1 so that i can i create new "Compound condition" to make a group of condition like wired_mab and wireless_mab in new customized one named MAB

Thanks

Re: Customize Compound condition

Mohammed al Baqari — Sun, 12 Nov 2017 17:22:58 GMT

Policy > policy elements > conditions. You can select authorization
conditions and compound

Re: Customize Compound condition

agrissimanis — Sun, 12 Nov 2017 17:24:55 GMT

That would be under Policy -> Policy elements -> Conditions -> Authentication -> Compound conditions

Re: Customize Compound condition

Ibrahim Jamil — Sun, 12 Nov 2017 18:36:57 GMT

Hello guys

thanks for answering my thread

I didn't find it , how to create my customization Compound name it MAB and add default builtin condition Wired_MAB & Wireless MAB

thanks

Re: Customize Compound condition

agrissimanis — Sun, 12 Nov 2017 20:59:53 GMT

As we mentioned before compound conditions can be defined under Policy -> Policy elements -> Conditions -> Authentication -> Compound conditions.
Compound conditions can contain multiple Simple conditions or custom attribute/value pairs, but they can't contain other Compound conditions within them. Both Wired_MAB & Wireless_MAB are compound conditions themselves.
For example, Cisco Wireless_MAB compound condition contains the following:
Radius:NAS-Port-Type = Wireless - IEEE 802.11
Radius:Service-Type = Call Check
So you would first need to create a bunch of simple conditions and then add them to your Compound condition.

Where do you want to use your new Compound condition? Are you unable to use OR operator to check for both Wired_MAB OR Wireless MAB?

Re: Customize Compound condition

Ibrahim Jamil — Mon, 13 Nov 2017 07:54:18 GMT

Hello agrissimanis

very informative answer from you , let me learn from you

for

a) VPN Rule , what would be the conditions for both Authentication and Authorization policy

b) for normal AAA test from device to cisco ISE , what would be the rule , as i have the default Authentication and authorization policy with DenyAccess

thanks

Re: Customize Compound condition

agrissimanis — Mon, 13 Nov 2017 12:00:54 GMT

For VPN you could do something like this:

Radius:NAS-Port-Type EQUALS Virtual AND

DEVICE:Device Type EQUALS Device Type#All Device Types#ASA Firewall

Authorization could be anything you want, for example to match on AD group membership you would do MyDomain:ExternalGroups EQUALS MyDomain/Users/VPN User Group

For AAA test the condition could be this:

Radius:NAS-Port-Type EQUALS Async or maybe Radius:Service-Type EQUALS Login

These conditions depend on what other policies you have configured and the ordering of the rules. The test requests from switches can be denied, it is not a problem. The switch just needs to see if there is a live RADIUS server, in most scenarios it doesn't matter if the authentication passes or fails.