jan.murin
Beginner

ISE condition based on network device object

Hi everyone,

I would like to know if it is possible to use a network device from the ISE database as a condition in the policy rule.

I can set the condition based on the network device IP address, but what if I change the IP address of the device? Then I need to change it in the database and also in the rule condition, as it is not "linked".

There should be an option to set the condition "from network device equals" with a dropdown menu listing all network devices.

I hope I described what I am missing.

Thanks a lot.


Mike.Cifelli
VIP Advocate

In your global policy conditions you have the ability to utilize the following conditions that may meet your requirement:

Device:DeviceType

Device:DeviceLocation

You have several options/filters to match when using these conditions.  I have used these conditions plenty of times and been able to meet several unique desires when doing so.  What is your end goal?

Yep, I know about those options, but it would still be nice if I could use the network device itself.

If I pick device name or device IP address, those are just strings which are not linked to the database, so if I change the network device attributes I still need to change the conditions as well.

Rob Ingram
VIP Mentor

@jan.murin 

You can create a Network Device Group, make the Network Device a member of the group. In the AuthC/AuthZ rules you can use the condition DEVICE-Device-Type EQUALS All Device Types#<name>. You can add multiple IP addresses to a Network Device object if required.

[Screenshot: 081719_1359_isewireddot6.png]

HTH
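To make the difference between the two approaches concrete, here is a small Python model of how a policy condition binds to a network device object. This is an added example, not code from the original post or from Cisco ISE: the condition attribute names mirror the ISE condition names used in the thread, the device table and rules are constructed sample data, and the hierarchical group matching (a condition on "All Device Types#Branch" also matching a device placed in "All Device Types#Branch#Site-A") is an assumption of this model. It shows the IP-keyed rule silently falling through to the default result after the device is re-addressed, the group-keyed rule continuing to match, and a simple audit that flags rules whose IP or name literal no longer corresponds to any device object.

```python
"""Model of ISE-style network-device conditions (added example, not Cisco ISE code).

Shows why a rule keyed on a DEVICE:Device IP Address or DEVICE:Device Name
literal breaks when the device object is edited, while a rule keyed on
Network Device Group membership (DEVICE:Device Type) keeps matching.
"""
from dataclasses import dataclass


@dataclass
class NetworkDevice:
    name: str
    ips: list[str]           # ISE allows several IP entries on one device object
    device_type: str         # NDG path under "All Device Types"
    location: str = "All Locations"


@dataclass(frozen=True)
class Condition:
    attribute: str           # e.g. "DEVICE:Device Type"
    value: str               # literal or NDG path


@dataclass
class Rule:
    name: str
    condition: Condition
    result: str              # authorization profile name


def ndg_matches(device_group: str, rule_group: str) -> bool:
    """Hierarchical NDG match (assumed): the device's group is the rule's group or a child of it."""
    return device_group == rule_group or device_group.startswith(rule_group + "#")


def condition_matches(cond: Condition, dev: NetworkDevice) -> bool:
    if cond.attribute == "DEVICE:Device IP Address":
        return cond.value in dev.ips
    if cond.attribute == "DEVICE:Device Name":
        return cond.value == dev.name
    if cond.attribute == "DEVICE:Device Type":
        return ndg_matches(dev.device_type, cond.value)
    if cond.attribute == "DEVICE:Location":
        return ndg_matches(dev.location, cond.value)
    raise ValueError(f"unsupported attribute {cond.attribute}")


def evaluate(rules: list[Rule], dev: NetworkDevice, default: str = "DenyAccess"):
    """First-match evaluation, like an ISE authorization policy; falls through to the default."""
    for rule in rules:
        if condition_matches(rule.condition, dev):
            return rule.name, rule.result
    return "Default", default


def stale_literal_conditions(rules: list[Rule], devices: list[NetworkDevice]) -> list[str]:
    """Audit: names of rules whose IP/name literal matches no current device object."""
    literal_attrs = ("DEVICE:Device IP Address", "DEVICE:Device Name")
    return [
        rule.name
        for rule in rules
        if rule.condition.attribute in literal_attrs
        and not any(condition_matches(rule.condition, d) for d in devices)
    ]


# Constructed sample rules: one keyed on an IP literal, one on NDG membership.
RULES = [
    Rule("Branch-by-IP", Condition("DEVICE:Device IP Address", "10.10.1.1"), "Branch_Profile"),
    Rule("Branch-by-Group", Condition("DEVICE:Device Type", "All Device Types#Branch"), "Branch_Profile"),
]


def demo() -> dict:
    """Re-address a constructed branch switch and compare both rules before and after."""
    sw = NetworkDevice("BR1-SW1", ["10.10.1.1"], "All Device Types#Branch#Site-A")
    before = (evaluate([RULES[0]], sw), evaluate([RULES[1]], sw))
    sw.ips = ["10.20.1.1"]   # edited only in the device object; the rules are untouched
    after = (evaluate([RULES[0]], sw), evaluate([RULES[1]], sw))
    return {"before": before, "after": after, "stale": stale_literal_conditions(RULES, [sw])}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The audit function is the practical takeaway: if you do keep IP- or name-literal conditions, run something like it against an export of the device list after every re-addressing so a rule that has stopped matching is noticed before it turns into an unexpected default-rule hit.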

Marcelo Morais
Advocate

Hi @jan.murin ,

 you can also use the Network Device Name:

[Screenshot: devicename.png]

Hope this helps !!!

Network Device name has the same problem as Network Device IP address. You just type in the name of the device, but if the name changes, you have to change it also in the rule condition. If you could just "link" the object of the network device, every change in the object would also be reflected in the condition which uses the object.

You can make a condition based on the identity group name, where you pick the name of the existing group. If you change the identity group name, you don't need to worry about the condition using that group name.

Hi @jan.murin 

In other words, you are trying to find something like a "Network Device SID", so that you can "link this object" to the Policy Rule ... if the Hostname or IP Addr changes, the SID remains the same ... is my understanding correct?


Not exactly, I just want to be able to pick a network device from the ISE network device database in the condition, in the same way I can pick an Identity group. So if I change some attributes of the network device in the database, the condition will still match that device.

If I set the condition based on the Network Access Device IP address and then later I change the IP address of the device in the database, I have to change it also in the condition or the rule will not be matched.

I hope I am describing it correctly.

AFAIK, the main 'key' that ISE uses for a Network Device object in the database is the 'IP/Mask' value. All other attribute values are tied to that 'key' so there is no unique ID that ISE generates in the DB for that Network Device Object.

As such, I don't believe what you are trying to do is possible in current versions of ISE.
