https://community.cisco.com/t5/network-access-control/dot1x-ise-policy/m-p/5137373#M590318 <P>Im building two Dot1x policies in ISE. One wired, the other wireless. As the end devices are the same and can connect either wired or wireless, the only difference in the policy is the wired or wireless dot1x condition selected from Condition Studio. However, when either wired or wireless connect they are using the wired policy as its the first policy.</P><P>Why is the wireless device hitting the wired policy if only wired_802.1x condition is set?</P><P>&nbsp;</P> Fri, 28 Jun 2024 09:30:29 GMT michael18 2024-06-28T09:30:29Z https://community.cisco.com/t5/network-access-control/dot1x-ise-policy/m-p/5137373#M590318 <P>Im building two Dot1x policies in ISE. One wired, the other wireless. As the end devices are the same and can connect either wired or wireless, the only difference in the policy is the wired or wireless dot1x condition selected from Condition Studio. However, when either wired or wireless connect they are using the wired policy as its the first policy.</P><P>Why is the wireless device hitting the wired policy if only wired_802.1x condition is set?</P><P>&nbsp;</P> Fri, 28 Jun 2024 09:30:29 GMT https://community.cisco.com/t5/network-access-control/dot1x-ise-policy/m-p/5137373#M590318 michael18 2024-06-28T09:30:29Z https://community.cisco.com/t5/network-access-control/dot1x-ise-policy/m-p/5137387#M590319 <P>can I see screen shoot of policy set&nbsp;</P> <P>MHM</P> Fri, 28 Jun 2024 10:13:33 GMT https://community.cisco.com/t5/network-access-control/dot1x-ise-policy/m-p/5137387#M590319 MHM Cisco World 2024-06-28T10:13:33Z https://community.cisco.com/t5/network-access-control/dot1x-ise-policy/m-p/5137479#M590320 <P>screen shot attached.&nbsp;</P><P>thanks</P><P>&nbsp;</P> Fri, 28 Jun 2024 12:23:56 GMT https://community.cisco.com/t5/network-access-control/dot1x-ise-policy/m-p/5137479#M590320 michael18 2024-06-28T12:23:56Z https://community.cisco.com/t5/network-access-control/dot1x-ise-policy/m-p/5137489#M590321 <P>in this screen i see its using wired-dot1x policy from a wireless device. NAS is the WLC</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture1.JPG" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/221896iC84379D428760C13/image-size/medium?v=v2&amp;px=400" role="button" title="Capture1.JPG" alt="Capture1.JPG" /></span></P><P> </P> Fri, 28 Jun 2024 12:33:34 GMT https://community.cisco.com/t5/network-access-control/dot1x-ise-policy/m-p/5137489#M590321 michael18 2024-06-28T12:33:34Z https://community.cisco.com/t5/network-access-control/dot1x-ise-policy/m-p/5137559#M590322 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/21339">@michael18</a> </P> <P>The connection is processed by the Wired-Dot1x Policy Set because you are currently matching on username starts with "host/"&nbsp;&nbsp; (albeit that rule appears to be currently disabled). Subsequently, the wireless connection is matching on the "Wired-Dot1x &gt; Default" Authentication Policy because it's not a Wired authentication.&nbsp; Set the condition on the Policy Set itself to be "Wired_802.1X" only if you want only Wired 802.1X connections processed by that policy set.&nbsp;</P> <P>Then make sure in your Wireless Policy Set you match on the condition "Wireless_802.1X"</P> Fri, 28 Jun 2024 13:49:42 GMT https://community.cisco.com/t5/network-access-control/dot1x-ise-policy/m-p/5137559#M590322 Rob Ingram 2024-06-28T13:49:42Z https://community.cisco.com/t5/network-access-control/dot1x-ise-policy/m-p/5137581#M590323 <P>Is there a reason you are not using the wired/wireless conditions in the policy set vs the rule?</P> <P>You have to think of ISE like a firewall, the conditions at the start will drop them into that policy set and run the rules. Since you are calling the host name only it will hit weather wired or wireless.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-06-28 091813.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/221936i10CB229EC99E4563/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-06-28 091813.jpg" alt="Screenshot 2024-06-28 091813.jpg" /></span></P> Fri, 28 Jun 2024 14:23:01 GMT https://community.cisco.com/t5/network-access-control/dot1x-ise-policy/m-p/5137581#M590323 Dustin Anderson 2024-06-28T14:23:01Z https://community.cisco.com/t5/network-access-control/dot1x-ise-policy/m-p/5137587#M590324 <P>Aw of course. That makes sense now you point it out.</P><P>thanks</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 28 Jun 2024 14:39:29 GMT https://community.cisco.com/t5/network-access-control/dot1x-ise-policy/m-p/5137587#M590324 michael18 2024-06-28T14:39:29Z https://community.cisco.com/t5/network-access-control/dot1x-ise-policy/m-p/5138320#M590348 <P>Hi Dustan</P><P>just lack of experience, following guides and videos. There seems to be many ways to build ISE policies but I do see the benefit in the way you set it out. Its given me a bit to think about going forward.</P><P>Thanks</P><P>&nbsp;</P> Mon, 01 Jul 2024 07:07:21 GMT https://community.cisco.com/t5/network-access-control/dot1x-ise-policy/m-p/5138320#M590348 michael18 2024-07-01T07:07:21Z