08-14-2013 03:40 AM - edited 03-10-2019 08:46 PM
Hi,
I want to create an authorization policy using two identity groups as conditions, but I only have "OR" as an operator for those two conditions! I want to use the AND operator. Is this possible?
08-16-2013 07:18 AM
Configuring Policy Elements Conditions
Cisco ISE provides a way to create conditions that are individual, reusable policy elements that can be referred from other rule-based policies. Whenever a policy is being evaluated, the conditions that comprise it are evaluated first.
Under Policy > Policy Elements > Conditions, the initial Conditions pane displays the following policy element condition options: Authentication, Authorization, Profiling, Posture, Guest, and Common.
Simple Conditions
Simple Condition Format
This type uses the form attribute operand value. Rule-based conditions are essentially a comparison of values (the attribute with its value), and these can be saved and reused in other rule-based policies. Simple conditions take the format of A operand B, where A can be any attribute from a Cisco ISE dictionary and B can be one of the values that attribute A can take.
Compound Conditions
Compound Condition Format
Authorization policies can contain conditional requirements that combine one or more identity groups using a compound condition that includes authorization checks that can return one or more authorization profiles. This condition type comprises one or more simple conditions that use an AND or OR relationship. These are built on top of simple conditions and can be saved and reused in other rule-based policies. Compound Conditions can take any of the following forms:
• (X operand Y) AND (A operand B) AND (X operand Z) AND ... (so on)
• (X operand Y) OR (A operand B) OR (X operand Z) OR ... (so on)
(*Where X and A are attributes from the Cisco ISE dictionary and can include username and device type.
For example, compound conditions can take the following form:
– DEVICE: Model Name Matches Catalyst6K AND Network Access: Use Case Equals Host Lookup.)
Creating New Authorization Policy Element Conditions
Use this procedure to create new authorization policy element conditions (simple or compound).
To create new authorization policy element conditions, complete the following steps:
Step 1 Click Policy > Policy Elements > Conditions > Authorization > Simple Conditions (or Compound Conditions).
The Conditions page appears listing all existing configured authorization policy element conditions.
Step 2 To create a new simple condition, click Create.
The Simple Conditions page displays.
Step 3 Enter values in the following fields to define a new simple condition:
• Name—Enter the name of the simple condition.
• Description—Enter the description of the simple condition.
• Attribute—Click to choose a dictionary from the drop-down list of dictionary options, and choose an attribute from the corresponding attribute choices.
• Operator—Enter Equals or Not Equals.
• Value—Enter a value that matches the selected attribute.
Step 4 Click Submit to save your changes to the Cisco ISE database and create this authorization condition.
The Name, Attribute, Operator, and Value fields in simple conditions are required and are marked with an asterisk (*).
For Complete Reference visit:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.pdf