Contributor

Authorization policy: Using the contains operator

Hi Experts,

I would like to get some information regarding the behavior of the contains operator.

So, here I have two authentication policies, one with called-station-ID contains Cisco and another one with called-station-ID contains Cisco1.

When a user connects to SSID Cisco, the policy with SSID Cisco1 will not be evaluated and the policy containing Cisco will be evaluated?

My question here is: since I am using the contains operator, does it match the entire string, or does it look for Cisco in Cisco1 and select that policy?

So, when a user connects to SSID Cisco, which policy will be evaluated? The one with Cisco1 or Cisco?

Beginner

Re: Authorization policy: Using the contains operator

Are you talking about authentication policies or authorization rules? If the latter, then the first match rule will win.
VIP Engager

Re: Authorization policy: Using the contains operator

You would need to put the more specific match first.  In your case Cisco1.

Re: Authorization policy: Using the contains operator

Hi,

Contains will match the whole string, and authorization policy works in order. If called station ID contains Cisco1 is the first rule and Cisco is the second rule, a user who connects to the Cisco SSID will be evaluated with the Cisco policy.

 

Thanks,

Aravind

-Aravind
Contributor

Re: Authorization policy: Using the contains operator

So, if I configure the policy as follows: [image: called station ID.JPG]

 If a user connects to SSID "Cisco", then also he will be evaluated based on the policy containing "Cisco1"? Right? :/

 

 

Re: Authorization policy: Using the contains operator

No, if the user connects to the Cisco SSID he will be evaluated based on the second policy set, as the first policy set doesn't match the SSID name.

Also, in the policy sets you are using equals, not contains.

-Aravind
Contributor

Re: Authorization policy: Using the contains operator

The previous ones were created in a hurry just to visualize what I was trying to explain; here are the correct ones: [image: called station ID.JPG]

Now this proves that when the user selects the Cisco SSID, he will be evaluated based on the policy for Cisco and not from Cisco1, right?

This also shows that the entire string is matched.

 

 

Re: Authorization policy: Using the contains operator

Yes right, if it matches Cisco SSID & 802.1x

 

Thanks 

Aravind

-Aravind
Cisco Employee

Re: Authorization policy: Using the contains operator

Hi Dinesh, 

You can use the "Matches" operand to match the exact SSID.

VIP Engager

Re: Authorization policy: Using the contains operator

The matches would allow you to specify Regex to do an exact match, but you can also just use the ends with.  

 

Ends with Cisco and Ends  with Cisco1 do not overlap.
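
The rule-ordering behaviour discussed in this thread, as an added example that is not part of any post and is not ISE code: a small Python model of top-down first-match evaluation, plus a check that flags a rule an earlier rule will always pre-empt. The rule names, the constructed `AP-MAC:SSID` Called-Station-ID values and the operator semantics (substring for contains, suffix for ends with) are assumptions.

```python
# Assumed operator semantics: plain substring, suffix and exact comparison.
OPS = {
    "contains":  lambda value, arg: arg in value,
    "ends_with": lambda value, arg: value.endswith(arg),
    "equals":    lambda value, arg: value == arg,
}

def first_match(rules, called_station_id):
    """Evaluate rules top-down and return the first rule name that matches."""
    for name, op, arg in rules:
        if OPS[op](called_station_id, arg):
            return name
    return "Default"

def shadowed(rules):
    """Return (earlier, later) pairs where the later rule can never be hit.

    A later rule is shadowed when every value that satisfies it also
    satisfies an earlier rule, so the earlier rule always wins.
    """
    pairs = []
    for i, (name_a, op_a, arg_a) in enumerate(rules):
        for name_b, op_b, arg_b in rules[i + 1:]:
            suffix_b = op_b in ("ends_with", "equals")
            if (op_a == "contains" and arg_a in arg_b) or \
               (op_a == "ends_with" and suffix_b and arg_b.endswith(arg_a)):
                pairs.append((name_a, name_b))
    return pairs

# Constructed sample values (hypothetical AP MAC, SSIDs from the thread).
CSID_CISCO = "00-11-22-33-44-55:Cisco"
CSID_CISCO1 = "00-11-22-33-44-55:Cisco1"

# Hypothetical rule tables: (rule name, operator, string to compare).
CONTAINS_GENERIC_FIRST = [("Cisco-Rule", "contains", "Cisco"),
                          ("Cisco1-Rule", "contains", "Cisco1")]
CONTAINS_SPECIFIC_FIRST = list(reversed(CONTAINS_GENERIC_FIRST))
ENDS_WITH = [("Cisco-Rule", "ends_with", "Cisco"),
             ("Cisco1-Rule", "ends_with", "Cisco1")]

if __name__ == "__main__":
    tables = {"contains, generic first": CONTAINS_GENERIC_FIRST,
              "contains, specific first": CONTAINS_SPECIFIC_FIRST,
              "ends with": ENDS_WITH}
    for label, rules in tables.items():
        print(label, "| Cisco ->", first_match(rules, CSID_CISCO),
              "| Cisco1 ->", first_match(rules, CSID_CISCO1),
              "| shadowed:", shadowed(rules))
```

Running the shadow check over a rule table before deployment catches the case where clients on one SSID silently receive the authorization result intended for another.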