Solved: Re: Cisco ISE Policy Conditions Studio "IN" Usage

Chris_Schubert · ‎06-04-2020

I have a very simple problem in that I need to bypass a set of endpoints from a policy. I am in conditions studio and am trying to use the "in". For example, as a test I am trying to use

Radius User-Name In {username list}

I've tried space delimited, then comma, coma space, pipe and haven't had success yet. Anyone have an "IN" example for me to get a clue? I'm sure once I see it, I'll feel foolish, but I am what I am. I have a lot of policies, but have never used IN before and just keep missing it. Of course, it works with one item, but after that I am failing.

I'll keep on looking for documentation or an example and keeping trying to guess at the syntax.

Thank you.

Chris_Schubert · ‎06-04-2020

I never did figure it out. I tried 8 various combinations of delimited lists. I finally bailed and with went with this MATCHES using regex string. I need to do some more testing, but it seems to work so far.

(?i)user1|user2|user3

View solution in original post

howon · ‎06-04-2020

Yes, you need to use MATCHES with regex if comparing against list of usernames defined in the condition. IN is used to find out if the user is in the existing AD/LDAP group or internal user/endpoint group.

View solution in original post

Chris_Schubert · ‎06-04-2020

I never did figure it out. I tried 8 various combinations of delimited lists. I finally bailed and with went with this MATCHES using regex string. I need to do some more testing, but it seems to work so far.

(?i)user1|user2|user3

howon · ‎06-04-2020

Yes, you need to use MATCHES with regex if comparing against list of usernames defined in the condition. IN is used to find out if the user is in the existing AD/LDAP group or internal user/endpoint group.