Beginner

ISE selecting wrong Device Admin Policy

Dear expert,

I'm talking about the section under Work Centers > Device Administration > Device Admin Policy Sets.

In our setup, the device is present under 2 distinct Network Device Groups. One time using a supernet /24 (management subnet) and one time using a /32. This /32 is the device's host address, which is also part of the supernet of course. I'm talking about the section Administration > Network Device Groups.

It appears ISE selects the Device Admin Policy based on the most specific prefix. So the policy with the /32 will always win.

However, I want it to select the policy based on the order in which it is defined at Work Centers > Device Administration > Device Admin Policy Sets.

So basically I want it to cycle through the defined policies like an ACL.

- Check first policy. No Match? Check second policy and so on.

Please explain how to do this.

Many thanks in advance.

Accepted Solutions
Contributor

Re: ISE selecting wrong Device Admin Policy

By default, ISE always applies the first rule that matches. If the first does not match, it continues to the next rule, and so on.

It is important how you order rules.


Beginner

Re: ISE selecting wrong Device Admin Policy

It appears not to do this. It always goes to the same policy linked to the most specific IP. I can't find what's wrong so I decided to open a ticket with support!
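
A minimal model of how both observations in this thread can hold at once, added here as an illustration and not taken from the posts or from ISE itself. It assumes the request's source IP is first resolved to a single network device entry by most specific prefix, and that policy sets are only then walked top-down with the first match winning; all device, group and policy set names and addresses are constructed.

```python
import ipaddress

# Constructed sample data: two network device entries cover the same host,
# each assigned to a different Network Device Group (hypothetical names).
NETWORK_DEVICES = [
    {"name": "mgmt-range", "prefix": "10.0.0.0/24", "ndg": "Mgmt-Subnet"},
    {"name": "core-sw-01", "prefix": "10.0.0.5/32", "ndg": "Core-Switches"},
]

# Policy sets in listed order; each matches on one NDG.
# ndg=None stands for a catch-all default policy set.
POLICY_SETS = [
    {"name": "Mgmt-Policy", "ndg": "Mgmt-Subnet"},
    {"name": "Core-Policy", "ndg": "Core-Switches"},
    {"name": "Default", "ndg": None},
]

def resolve_device(src_ip, devices=NETWORK_DEVICES):
    """Stage 1 (assumed): pick the one entry with the longest matching prefix."""
    ip = ipaddress.ip_address(src_ip)
    hits = [d for d in devices if ip in ipaddress.ip_network(d["prefix"])]
    return max(hits, key=lambda d: ipaddress.ip_network(d["prefix"]).prefixlen,
               default=None)

def select_policy_set(src_ip, devices=NETWORK_DEVICES, policy_sets=POLICY_SETS):
    """Stage 2: walk policy sets top-down and return the first that matches."""
    device = resolve_device(src_ip, devices)
    if device is None:
        return None  # unknown source: nothing to evaluate in this model
    for ps in policy_sets:
        if ps["ndg"] is None or ps["ndg"] == device["ndg"]:
            return ps["name"]
    return None

def shadowed_entries(devices=NETWORK_DEVICES):
    """Audit: narrower entries nested in a broader entry with a different NDG."""
    out = []
    for narrow in devices:
        n = ipaddress.ip_network(narrow["prefix"])
        for broad in devices:
            b = ipaddress.ip_network(broad["prefix"])
            if (broad is not narrow and n.prefixlen > b.prefixlen
                    and n.subnet_of(b) and narrow["ndg"] != broad["ndg"]):
                out.append((narrow["name"], broad["name"]))
    return out
```

In this model the host at 10.0.0.5 never reaches `Mgmt-Policy` even though it is listed first, because the request only ever carries the group of the /32 entry; `shadowed_entries()` lists the overlaps worth reviewing when a device lands in an unexpected policy set.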