cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
551
Views
5
Helpful
3
Replies
Highlighted

[Solved] Ise does not match custom policy attributes!!!

example

authentication policy

if guest - and -

device location starts with : building_1 then GuestAccess

everithing goes fine

but

if MicrosoftWorkstation - and -

device location starts with : building_1 and IdentityGroup:Name MATCH Guest then GuestAcces

does not work!!! (match starts with equals etc...)

or

if Guest  and -

device location starts with : building_1 AND IdentityGroup:Name MATCH Microsoft then GuestAcces

does not work!!! (match starts with equals etc...)

it doesn't even match the string "a" or "i" or "o"

this is to grant guest access only to microsoft workstation or apple devices after being profiled

what's the problem?

Everyone's tags (5)
3 REPLIES 3
Cisco Employee

Ise does not match custom policy attributes!!!

Hello Giuliano-

I have used the location field to build policies before and never had the problem. Can you provide some additional info:

  • What version of ISE are you using
  • Do you see a failed authentication in your live authentication window. If so can you post:
    • The reason for the failure
    • The detailed output of the failed attenuation. More specifically the output that contains all of the matched Radius attributes.

Ise does not match custom policy attributes!!!

thanks neno and sorry for the late reply

that is solved here

https://supportforums.cisco.com/message/3759554#3759554

with a tricky workaround...

Cisco Employee

Ise does not match custom policy attributes!!!

Glad that you found a solution and posting it back! I guess this thread can be closed/makred as answered then

Thanks,