10-12-2018 08:56 AM - edited 03-11-2019 01:50 AM
Hello,
We were trying to create a condition to match an AD attribute to a null/blank value. We tried a few regex expression values like null, =null, ^$ in the value field, but we were still not able to match the authorization condition. The condition algorithm goes like this:
If AD attribute = "null value"
then
Authorization result: Deny Access
Please advise which value or which approach would work?
Thanks and Regards
Aravind.
10-21-2018 05:03 AM
With ISE 2.3+, we may use "is not" and the following seems to work for me.
10-12-2018 11:27 AM
Hi,
Why not specify rules that match conditions/attributes above a default rule which denies access? This would deny the null/blank values, which would not be matched in the more specific rules above.
10-19-2018 01:45 PM - edited 10-19-2018 01:51 PM
There is a bug on ISE that causes the endpoint profile/endpoint group to be modified from a valid value into: blank/unknown/profiled after successful authentication. Instead of using the AUTHZ Policies, I was playing with the PURGE process of ISE trying to delete those blank entries from the Endpoint DB, no luck. I am working with TAC on this issue (there is another way to do this but it requires root access). So it looks like the same applies to AUTHZ Policies. I wanted to remove invalid entries from the Endpoint DB.