Customize Compound condition

Ibrahim Jamil
Level 6

Hello guys

Where is the tab in ISE 2.1 so that I can create a new "Compound condition" to make a group of conditions like Wired_MAB and Wireless_MAB in a new customized one named MAB?

Thanks


6 Replies

Policy > Policy Elements > Conditions. You can select Authorization conditions and then Compound.

agrissimanis
Level 1

That would be under Policy -> Policy elements -> Conditions -> Authentication -> Compound conditions

Hello guys

Thanks for answering my thread.

I didn't find it. How do I create my customized Compound condition, name it MAB, and add the default built-in conditions Wired_MAB & Wireless_MAB?

Thanks

As we mentioned before, compound conditions can be defined under Policy -> Policy Elements -> Conditions -> Authentication -> Compound conditions.
Compound conditions can contain multiple Simple conditions or custom attribute/value pairs, but they can't contain other Compound conditions within them. Both Wired_MAB & Wireless_MAB are compound conditions themselves.
For example, the Cisco Wireless_MAB compound condition contains the following:
Radius:NAS-Port-Type = Wireless - IEEE 802.11
Radius:Service-Type = Call Check
So you would first need to create a bunch of simple conditions and then add them to your Compound condition.

Where do you want to use your new Compound condition? Are you unable to use the OR operator to check for both Wired_MAB OR Wireless_MAB?

 

Hello agrissimanis

Very informative answer from you, let me learn from you.

For:

a) VPN rule: what would be the conditions for both the Authentication and Authorization policy?

b) a normal AAA test from a device to Cisco ISE: what would be the rule, as I have the default Authentication and Authorization policy with DenyAccess?

Thanks

For VPN you could do something like this:

Radius:NAS-Port-Type EQUALS Virtual AND
DEVICE:Device Type EQUALS Device Type#All Device Types#ASA Firewall

Authorization could be anything you want, for example to match on AD group membership you would do MyDomain:ExternalGroups EQUALS MyDomain/Users/VPN User Group

For AAA test the condition could be this:

Radius:NAS-Port-Type EQUALS Async or maybe Radius:Service-Type EQUALS Login

These conditions depend on what other policies you have configured and the ordering of the rules. The test requests from switches can be denied, it is not a problem. The switch just needs to see if there is a live RADIUS server, in most scenarios it doesn't matter if the authentication passes or fails.
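To make the rule mechanics discussed in this thread concrete (simple vs. compound conditions, no nesting of compounds, OR-ing Wired_MAB and Wireless_MAB at the rule level, and first-match rule ordering), here is a small Python model written for this thread; it is not ISE code and not from any of the posters. The Wired_MAB contents (Ethernet + Call Check) are an assumption, and the sample requests are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Literal, Tuple

Request = Dict[str, str]  # a RADIUS request as ISE evaluates it: attribute name -> value


@dataclass(frozen=True)
class Simple:
    """One attribute/value check, e.g. Radius:NAS-Port-Type EQUALS Virtual."""
    attr: str
    value: str

    def match(self, req: Request) -> bool:
        return req.get(self.attr) == self.value


@dataclass(frozen=True)
class Compound:
    """AND/OR over simple conditions only: ISE does not let a compound contain another compound."""
    name: str
    op: Literal["AND", "OR"]
    parts: Tuple[Simple, ...]

    def __post_init__(self) -> None:
        if not all(isinstance(p, Simple) for p in self.parts):
            raise TypeError(f"{self.name}: compound conditions cannot nest other compounds")

    def match(self, req: Request) -> bool:
        hits = [p.match(req) for p in self.parts]
        return all(hits) if self.op == "AND" else any(hits)


# Simple conditions quoted in the thread; Wired_MAB's Ethernet port type is an assumption.
CALL_CHECK = Simple("Radius:Service-Type", "Call Check")
WIRELESS_MAB = Compound("Wireless_MAB", "AND", (Simple("Radius:NAS-Port-Type", "Wireless - IEEE 802.11"), CALL_CHECK))
WIRED_MAB = Compound("Wired_MAB", "AND", (Simple("Radius:NAS-Port-Type", "Ethernet"), CALL_CHECK))
VPN = Compound("VPN", "AND", (Simple("Radius:NAS-Port-Type", "Virtual"),
                              Simple("DEVICE:Device Type", "Device Type#All Device Types#ASA Firewall")))
AAA_TEST = Compound("AAA_Test", "OR", (Simple("Radius:NAS-Port-Type", "Async"),
                                       Simple("Radius:Service-Type", "Login")))


def is_mab(req: Request) -> bool:
    """The 'MAB' grouping the question asks for, built the way ISE allows: Wired_MAB OR Wireless_MAB."""
    return WIRED_MAB.match(req) or WIRELESS_MAB.match(req)


# Ordered rule list: the first matching rule wins, which is why the answer warns about rule ordering.
RULES: List[Tuple[str, Compound]] = [("VPN", VPN), ("AAA_Test", AAA_TEST),
                                     ("Wired_MAB", WIRED_MAB), ("Wireless_MAB", WIRELESS_MAB)]


def first_matching_rule(req: Request, rules: List[Tuple[str, Compound]] = RULES) -> str:
    """Return the name of the first rule whose condition matches, else the default DenyAccess rule."""
    for name, cond in rules:
        if cond.match(req):
            return name
    return "Default (DenyAccess)"
```

Swapping AAA_Test ahead of VPN in the rule list shows the ordering problem: a constructed VPN request that also carries Service-Type = Login is then caught by the AAA test rule instead.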