Cisco Support Community

Using identity Group as condition

Hi,

I want to create an authorization policy using two identity groups as conditions. But I just have "OR" as the operator for those two conditions! I want to use the AND operator; is this possible?

1 REPLY

Re: Using identity Group as condition

Configuring Policy Elements Conditions

Cisco ISE provides a way to create conditions that are individual, reusable policy elements that can be referred from other rule-based policies. Whenever a policy is being evaluated, the conditions that comprise it are evaluated first.

Under Policy > Policy Elements > Conditions, the initial Conditions pane displays the following policy element condition options: Authentication, Authorization, Profiling, Posture, Guest, and Common.

Simple Conditions

Simple Condition Format

This type uses the form attribute operand value. Rule-based conditions are essentially a comparison of values (the attribute with its value), and these can be saved and reused in other rule-based policies. Simple conditions take the format of A operand B, where A can be any attribute from a Cisco ISE dictionary and B can be one of the values that attribute A can take.

Compound Conditions

Compound Condition Format

Authorization policies can contain conditional requirements that combine one or more identity groups using a compound condition that includes authorization checks that can return one or more authorization profiles. This condition type comprises one or more simple conditions that use an AND or OR relationship. These are built on top of simple conditions and can be saved and reused in other rule-based policies. Compound Conditions can take any of the following forms:

• (X operand Y) AND (A operand B) AND (X operand Z) AND ... (so on)

• (X operand Y) OR (A operand B) OR (X operand Z) OR ... (so on)

(*Where X and A are attributes from the Cisco ISE dictionary and can include username and device type.

For example, compound conditions can take the following form:

– DEVICE: Model Name Matches Catalyst6K AND Network Access: Use Case Equals Host Lookup.)

Creating New Authorization Policy Element Conditions

Use this procedure to create new authorization policy element conditions (simple or compound).

To create new authorization policy element conditions, complete the following steps:

Step 1 Click Policy > Policy Elements > Conditions > Authorization > Simple Conditions (or Compound Conditions).

The Conditions page appears listing all existing configured authorization policy element conditions.

Step 2 To create a new simple condition, click Create.

The Simple Conditions page displays.

Step 3 Enter values in the following fields to define a new simple condition:

Name—Enter the name of the simple condition.

Description—Enter the description of the simple condition.

Attribute—Click to choose a dictionary from the drop-down list of dictionary options, and choose an attribute from the corresponding attribute choices.

Operator—Enter Equals or Not Equals.

Value—Enter a value that matches the selected attribute.

Step 4 Click Submit to save your changes to the Cisco ISE database and create this authorization condition.

The Name, Attribute, Operator, and Value fields in simple conditions are required and are marked with an asterisk (*).

For Complete Reference visit:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.pdf
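
The compound-condition forms quoted in the reply above, as a small Python model (an added example, not part of the original post and not Cisco ISE code): it parses the `A operand B AND/OR ...` text form and evaluates it against constructed session attributes, showing that the AND form matches only when every simple condition holds while the OR form matches when any one does. Treating `Matches` as a regex search and treating a missing attribute as a non-match are assumptions of this model.

```python
import re

# Operators that appear on the page: Equals / Not Equals (simple-condition
# procedure) and Matches (the compound example). "Not Equals" is listed first
# so it is tried before the shorter "Equals".
OPERATORS = {
    "Not Equals": lambda actual, value: actual != value,
    "Equals": lambda actual, value: actual == value,
    # Assumption of this model: Matches is treated as a regex search.
    "Matches": lambda actual, value: re.search(value, actual) is not None,
}

def parse_simple(text):
    """Parse 'Attribute Operator Value' into (attribute, operator, value)."""
    for op in OPERATORS:
        m = re.fullmatch(rf"(.+?)\s+{op}\s+(.+)", text.strip())
        if m:
            return m.group(1), op, m.group(2)
    raise ValueError(f"not a simple condition: {text!r}")

def parse_compound(text):
    """Parse simple conditions joined by AND only, or by OR only."""
    joiners = set(re.findall(r"\s(AND|OR)\s", text))
    if len(joiners) > 1:
        raise ValueError("mixing AND and OR is outside the two forms modeled here")
    joiner = joiners.pop() if joiners else "AND"
    return joiner, [parse_simple(p) for p in re.split(rf"\s{joiner}\s", text)]

def evaluate(text, session):
    """Evaluate a compound condition against a dict of session attributes."""
    joiner, conditions = parse_compound(text)
    # Assumption of this model: an attribute missing from the session never
    # matches (fail closed), even under Not Equals.
    results = [attr in session and OPERATORS[op](session[attr], value)
               for attr, op, value in conditions]
    return all(results) if joiner == "AND" else any(results)

# The page's example condition, plus the same two checks joined with OR.
AND_RULE = "DEVICE: Model Name Matches Catalyst6K AND Network Access: Use Case Equals Host Lookup"
OR_RULE = AND_RULE.replace(" AND ", " OR ")

# Constructed sessions: the first satisfies both checks, the second only one.
BOTH = {"DEVICE: Model Name": "Catalyst6K", "Network Access: Use Case": "Host Lookup"}
ONE = {"DEVICE: Model Name": "Catalyst6K", "Network Access: Use Case": "constructed-other"}

if __name__ == "__main__":
    for name, session in (("BOTH", BOTH), ("ONE", ONE)):
        print(name, "AND:", evaluate(AND_RULE, session), "OR:", evaluate(OR_RULE, session))
```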
