ISE selecting wrong Device Admin Policy

Jeroen1001
Level 1

Dear expert,

I'm talking about the section under Work Centers > Device Administration > Device Admin Policy Sets.

In our setup, the device is present under 2 distinct Network Device Groups. One time using a supernet /24 (management subnet) and one time using a /32. This /32 is the device's host address, which is also part of the supernet of course. I'm talking about the section Administration > Network Device Groups.

It appears ISE selects the Device Admin Policy based on the most specific prefix. So the policy with the /32 will always win.

However, I want it to select the policy based on the order in which it is defined at Work Centers > Device Administration > Device Admin Policy Sets.

So basically I want it to cycle through the defined policies like an ACL.

- Check first policy. No Match? Check second policy and so on.

Please explain how to do this.

Many thanks in advance.

Accepted Solutions

ognyan.totev
Level 5

By default, ISE always applies the first rule that matches. If the first does not match, it continues to the next rule, and so on.

It is important how you order rules.

It appears not to do this. It always goes to the same policy linked to the most specific IP. I can't find what's wrong so I decided to open a ticket with support!