Authentication Rule

Location in GUI: Work Centers » Network Access » Policy Sets » XXX » Authentication Policy

Diagram

Classes

policy_sets (ise.network_access)

Name	Type	Constraint	Mandatory	Default Value
authentication_rules	List	`[authentication_rules]`	No

authentication_rules (ise.network_access.policy_sets)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[\w\d_\-\.]+$`	Yes
state	Choice	`enabled`, `disabled`, `monitor`	No	`enabled`
condition	Class	`[condition]`	No
identity_source_name	String		No
if_auth_fail	Choice	`REJECT`, `CONTINUE`, `DROP`	No	`REJECT`
if_user_not_found	Choice	`REJECT`, `CONTINUE`, `DROP`	No	`REJECT`
if_process_fail	Choice	`REJECT`, `CONTINUE`, `DROP`	No	`DROP`

condition (ise.network_access.policy_sets.authentication_rules)

Name	Type	Constraint	Mandatory	Default Value
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No	`false`
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.network_access.policy_sets.authentication_rules.condition)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.network_access.policy_sets.authentication_rules.condition.children)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No

Examples

Example1: Wired_802.1X authentication rule

This example demonstrates how to configure an authentication rule under the policy_set Global Policy. The authentication rule name is Wired_802.1X. It uses EAP-TLS as the authentication condition and validates against the certificate profile Preloaded_Certificate_Profile.

If authentication passes, the system evaluates authorization rules.
If authentication fails, the endpoint is denied access to the network.
If the endpoint is not found, the system continues to evaluate the next rule in sequence.
If the process fails, the session is dropped.

ise:
  network_access:
    policy_sets:
      - name: Global Policy
        authentication_rules:
          - name: Wired_802.1X
            state: enabled
            condition:
              type: ConditionAttributes
              dictionary_name: Network Access
              attribute_name: EapAuthentication
              operator: equals
              attribute_value: EAP-TLS
            identity_source_name: Preloaded_Certificate_Profile
            if_auth_fail: REJECT
            if_user_not_found: CONTINUE
            if_process_fail: DROP