Authentication Rule
Location in GUI: Work Centers » Device Administration » Device Admin Policy Sets » XXX » Authentication Policy
Diagram
Classes
policy_sets (ise.device_administration)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| authentication_rules | List | [authentication_rules] | No | |
authentication_rules (ise.device_administration.policy_sets)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[\w\d_\-\.]+$ | Yes | |
| state | Choice | enabled, disabled, monitor | No | enabled |
| condition | Class | [condition] | No | |
| identity_source_name | String | | No | |
| if_auth_fail | Choice | REJECT, CONTINUE, DROP | No | REJECT |
| if_user_not_found | Choice | REJECT, CONTINUE, DROP | No | REJECT |
| if_process_fail | Choice | REJECT, CONTINUE, DROP | No | DROP |
condition (ise.device_administration.policy_sets.authentication_rules)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | false |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |
| children | List | [children] | No | |
children (ise.device_administration.policy_sets.authentication_rules.condition)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |
| children | List | [children] | No | |
children (ise.device_administration.policy_sets.authentication_rules.condition.children)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes | Yes | |
| is_negate | Boolean | true, false | No | |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |
Examples

```yaml
ise:
  device_administration:
    policy_sets:
      - name: Global Policy
        authentication_rules:
          - name: User1
            default: false
            state: enabled
            condition:
              type: ConditionAttributes
              is_negate: false
              dictionary_name: TACACS
              attribute_name: User
              operator: equals
              attribute_value: User1
            identity_source_name: Internal Users
            if_auth_fail: REJECT
            if_user_not_found: CONTINUE
            if_process_fail: DROP
```
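
The following pre-deployment check is an added example, not code from this page or the project. It validates one authentication rule against the constraints in the tables above (name regex, choice values, condition nesting depth) and lists failure actions that differ from the documented defaults so they can be reviewed. The function names and the dict form of the rule are assumptions made for this example.

```python
import re

NAME_RE = re.compile(r"^[\w\d_\-\.]+$")  # rule-name constraint from the table
STATES = {"enabled", "disabled", "monitor"}
ACTIONS = {"REJECT", "CONTINUE", "DROP"}
FAIL_DEFAULTS = {"if_auth_fail": "REJECT", "if_user_not_found": "REJECT",
                 "if_process_fail": "DROP"}
LEAVES = {"ConditionReference", "ConditionAttributes"}
BLOCKS = {"ConditionAndBlock", "ConditionOrBlock"}

def check_condition(cond, depth, path, errors):
    """Validate a node: depth 0 = condition, 1 = children, 2 = children.children."""
    ctype = cond.get("type")
    allowed = LEAVES if depth == 2 else LEAVES | BLOCKS
    if ctype not in allowed:
        errors.append(f"{path}: type {ctype!r} not allowed at this level")
    if depth == 2 and "children" in cond:
        errors.append(f"{path}: children not allowed at this level")
        return
    for i, child in enumerate(cond.get("children", [])):
        check_condition(child, depth + 1, f"{path}.children[{i}]", errors)

def lint_rule(rule):
    """Return (errors, review_notes) for one authentication rule dict."""
    errors, notes = [], []
    name = rule.get("name")
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        errors.append(f"name {name!r} violates {NAME_RE.pattern}")
    if rule.get("state", "enabled") not in STATES:
        errors.append(f"state {rule['state']!r} is not a valid choice")
    for key, default in FAIL_DEFAULTS.items():
        value = rule.get(key, default)  # apply the documented default
        if value not in ACTIONS:
            errors.append(f"{key} {value!r} is not a valid choice")
        elif value != default:
            notes.append(f"{key}={value} differs from default {default}")
    if "condition" in rule:
        check_condition(rule["condition"], 0, "condition", errors)
    return errors, notes

# Constructed sample: the rule from the Examples section as a parsed dict.
EXAMPLE_RULE = {
    "name": "User1", "default": False, "state": "enabled",
    "condition": {"type": "ConditionAttributes", "is_negate": False,
                  "dictionary_name": "TACACS", "attribute_name": "User",
                  "operator": "equals", "attribute_value": "User1"},
    "identity_source_name": "Internal Users", "if_auth_fail": "REJECT",
    "if_user_not_found": "CONTINUE", "if_process_fail": "DROP",
}
```

Run against the page's own example, the check reports no schema errors and one review note, for `if_user_not_found: CONTINUE`.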