
ISE Authorization Compound Condition

I am trying to add a compound condition that points to an internal identity group in an authorization profile. Something like the rule below. However, the rule never gets applied for users in the IT identity group. It moves to the next rule down and applies permissions based off another rule specific for just the device type. If I change the rule conditions to use the identity group instead of the device type it works. However, I want to limit the rule to device type and Identity group. Any ideas would be appreciated.

Rule Name: test    Conditions: Android and IT (Expression: InternalUser:IdentityGroup EQUALS IT) then PermitAccess


Venkatesh Attuluri
Cisco Employee

Try creating device groups and match them.

Network Device Groups List > New Network Device Type

Network Device Groups

* Name
Description
* Type

Authentication Rules

Columns: Enabled, Name, Condition, Protocols, Identity Source, Options

Name: TestAuthentications    Condition: IF Device:Device Type = Device Type#All Device Types#Test    Protocols: allow protocols DefaultNetworkAccess    Identity Source: and use demo.local    Options: Reject / Reject / Drop

Name: MAB    Condition: IF Wired_MAB    Protocols: allow protocols DefaultNetworkAccess    Identity Source: and use InternalEndpoints    Options: Reject / Reject / Drop

Name: Dot1X    Condition: IF Wired_802_1X    Protocols: allow protocols DefaultNetworkAccess    Identity Source: and use AD_InternalUsers    Options: Reject / Reject / Drop

Name: Default Rule (if no match)    Protocols: allow protocols DefaultNetworkAccess    Identity Source: and use Internal Users    Options: Reject / Reject / Drop