10-21-2016 10:43 AM - edited 03-11-2019 12:10 AM
I am migrating from ACS to ISE for TACACS. In ACS, we used device filters to define a list of network devices, and used that to create rules to match or not match within access policies. I cannot figure out how to do the same function in ISE.
10-21-2016 12:40 PM
In ISE, in order to create a device filter, the option has changed to a compound condition.
Work Centers > device administration > policy elements > conditions > Authorization compound condition.
You can create a rule where you can add 'n' number of device types in it by selecting Create New Condition.
Regards
Gagan
ps : rate as correct if it helps!!!!
10-21-2016 12:49 PM
But how do you create/define a list of IP Addresses from a Compound condition based on IP Address? For example, I want to define a list of IP Addresses and then apply that to a policy rule to match or to not match?
10-21-2016 12:54 PM
You can do that by selecting "Network access: Device IP address"
Hope it answers your query.
Regards
Gagan
ps : rate as correct if it helps!!!!
10-21-2016 12:56 PM
10-21-2016 01:35 PM
Let me know if that works for you or not.
Use this thread for any concerns.
Regards
Gagan
ps : rate as correct if it helps!!!!
10-21-2016 02:04 PM
10-21-2016 02:09 PM
The shared screenshot is correct. You just need to add the IP address in the next blank option.
You can add multiple entries for the same.
10-24-2016 12:06 PM
Once you have the IP Addresses defined as a compound auth condition, how do you apply that as a filter for those specific IP Addresses? Is that under the admin policy sets? How would the rule need to be defined?
10-24-2016 01:20 PM
You need to call the condition in the Authz rule by selecting the condition.
Already shared information.
Regards
Gagan
10-25-2016 12:19 PM
This works, but is it possible to create compound condition using a network range instead of a single IP Address? Such as 172.31.2.0/24, instead of having to list them individually.
10-25-2016 01:41 PM
No, you have to create individual IPs :).
Regards
Gagan
ps : rate if it helps!!!