
Policy Set Condition based off Multiple Locations

Matthew Martin
Level 5

Hello,

 

ISE v2.3

 

I would like to try and modify an existing Policy Set for Wireless Guest Access. The set I would like to use currently says:

Policy_Set.png

 

What I would like to do is add a new condition so that it basically says that it will match if it's either Location1 OR Location2. How can I achieve this?

 

I think if I just choose to add a new OR condition, right below Location1, then it would say: If Guest, Guest Flow and Location1 are met then match it, OR if it's Location2 then match it (*which I think would just ignore the Guest and Guest Flow conditions if it's in Location2).

 

Thanks in Advance,

Matt

Accepted Solutions

Damien Miller
VIP Alumni

A quick shuffle will make this work.  Use a single "and" with a nested "or" for the locations. Add as many locations as you need within the "or". 

Example: I don't have identical fields to you, I just used what was available to demo.
authz.PNG

Thanks Damien!

 

Does this look correct to you for what I was explaining?

 

Policy_Set.png

 

Thanks Again,

Matt

It will work, it just has a redundant "and".  You can pull the location "or", the network access, and radius conditions out and delete the second and.  

Move everything to the same level as the identity group at the bottom. This will leave only the "or" operand nested under your single "and".

Ok, so you're saying I should go from the top one below to the bottom one?

 

Policy_Set.png

 

-Matt

Yes, that's it, they both work, the bottom one would be preferred.

 

While it has no impact on the functionality, I also suggest keeping your rules with the same format. Ex. location first, then device type, then groups etc. Just makes it easier if you're later auditing, you have an expected order. The order you pick is entirely up to you if you want to do it that way.

Ok, sounds good. Thanks again for the help!

-Matt

Hey Damien,

 

I tried getting rid of that extra AND level. But there didn't seem to be an easy way to just drag conditions to an outer level. So I ended up just trying to re-create the condition/policy set. But after I did, I noticed the icon for the Identity Group condition (*the bottom condition) is no longer the same as it was before... Any idea why that is?

 

Screenshot below:

ISE_Policy_Set.png

 

Is this going to be an issue? Not sure why it would do that when I'm selecting the "IdentityGroup" one. When I look at what the circled icon is above in the "select attribute" box that pops up, it says that icon falls under "Unclassified".

 

-Matt

I believe it is a minor bug, affecting UI only, and should not have an impact in policy evaluation.

Ok got it. Thanks hslai.

-Matt

We also have a Guest policy set for our remote branch offices. Basically every other location that we have besides Location 1 and Location 2 uses this policy. The only real difference is that instead of using "Locations", it uses Called-Station-ID (*which we have set up for the WLC to send "AP-Name:SSID") so we check the AP name instead of location, because I set up all APs in the remote branches to start with the same prefix.

 

That policy set also had an extra AND level. And when I re-created that one all the icons changed there too...

 

Are these 2 below equivalent?

 

OLD:

ISE_Policy_Set1.png

NEW:

ISE_Policy_Set2.png

Are those 2 sets above equivalent? Wasn't sure why the top 3 conditions were sort of separated from the bottom condition with the extra "AND"...

 

Thanks Again,

Matt

Yes, those two authorization rules will do the same thing, you have to meet all four conditions in either. Weird display bug hslai mentioned.

Ok cool, thanks for the confirmation!

-Matt

FYI...

After clicking "SAVE" at the bottom of the Policy Sets page and the page refreshes, the icons change back to what they "should" look like.

-Matt
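
An added illustration, not part of any post in this thread and not ISE code: the answers above on nesting the "or" under a single "and", and on the extra "and" level being equivalent, can be checked by enumerating every combination of conditions. The leaf labels are constructed stand-ins for the thread's conditions, and the checker works for any AND/OR tree, not only these three.

```python
from itertools import product

# Condition trees: a leaf is a string label; a block is ("AND"|"OR", child, ...).
# Leaf labels are constructed stand-ins for the thread's conditions, not ISE attribute names.

def leaves(tree):
    """Return the set of leaf labels used anywhere in the tree."""
    if isinstance(tree, str):
        return {tree}
    return set().union(*(leaves(child) for child in tree[1:]))

def evaluate(tree, facts):
    """Evaluate a tree against {label: bool} facts for one session."""
    if isinstance(tree, str):
        return facts[tree]
    results = (evaluate(child, facts) for child in tree[1:])
    return all(results) if tree[0] == "AND" else any(results)

def flatten(tree):
    """Pull children of a nested block up when it uses the same operator as its parent."""
    if isinstance(tree, str):
        return tree
    op, merged = tree[0], []
    for child in map(flatten, tree[1:]):
        if not isinstance(child, str) and child[0] == op:
            merged.extend(child[1:])
        else:
            merged.append(child)
    return (op, *merged)

def differences(a, b):
    """List every session (truth assignment) on which the two trees disagree."""
    labels = sorted(leaves(a) | leaves(b))
    rows = (dict(zip(labels, values)) for values in product([False, True], repeat=len(labels)))
    return [row for row in rows if evaluate(a, row) != evaluate(b, row)]

# OR added at the top level, as first proposed in the question
top_level_or = ("OR", ("AND", "Guest", "GuestFlow", "Location1"), "Location2")
# Working but redundant: an extra AND level around some of the conditions
extra_and = ("AND", ("AND", ("OR", "Location1", "Location2"), "GuestFlow"), "Guest")
# Preferred: a single AND with the locations in a nested OR
single_and = ("AND", ("OR", "Location1", "Location2"), "GuestFlow", "Guest")

if __name__ == "__main__":
    print("extra AND vs single AND differ on:", differences(extra_and, single_and))
    for row in differences(top_level_or, single_and):
        print("top-level OR disagrees on:", row)
```

Every row on which the top-level OR disagrees is a Location2 session that matches without both guest conditions being true, which is the over-match the question anticipated.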