Authentication Rule

Location in GUI: Work Centers » Network Access » Policy Sets » XXX » Authentication Policy

Diagram

Classes

policy_sets (ise.network_access)

Name	Type	Constraint	Mandatory	Default Value
authentication_rules	List	`[authentication_rules]`	No

authentication_rules (ise.network_access.policy_sets)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[\w\d\_\-\. ]+$`	Yes
state	Choice	`enabled`, `disabled`, `monitor`	No	`enabled`
condition	Class	`[condition]`	No
identity_source_name	String		No
if_auth_fail	Choice	`REJECT`, `CONTINUE`, `DROP`	No	`REJECT`
if_user_not_found	Choice	`REJECT`, `CONTINUE`, `DROP`	No	`REJECT`
if_process_fail	Choice	`REJECT`, `CONTINUE`, `DROP`	No	`DROP`

condition (ise.network_access.policy_sets.authentication_rules)

Name	Type	Constraint	Mandatory	Default Value
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No	`false`
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`, `macContains`, `macEndsWith`, `macEquals`, `macIn`, `macNotContains`, `macNotEndsWith`, `macNotEquals`, `macNotIn`, `macNotStartsWith`, `macStartsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.network_access.policy_sets.authentication_rules.condition)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`, `macContains`, `macEndsWith`, `macEquals`, `macIn`, `macNotContains`, `macNotEndsWith`, `macNotEquals`, `macNotIn`, `macNotStartsWith`, `macStartsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.network_access.policy_sets.authentication_rules.condition.children)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`, `macContains`, `macEndsWith`, `macEquals`, `macIn`, `macNotContains`, `macNotEndsWith`, `macNotEquals`, `macNotIn`, `macNotStartsWith`, `macStartsWith`	No
attribute_value	String		No
name	String		No

Examples

Example-1 Network Access Authentication Rule for Wired 802.1X with EAP-TLS Certificate Authentication

This authentication rule processes wired 802.1X network access requests using EAP-TLS certificate-based authentication. The rule is enabled and matches when the Network Access:EapAuthentication attribute equals “EAP-TLS”, directing authentication to the Preloaded_Certificate_Profile identity source for certificate validation. The rule implements specific failure handling logic: if_auth_fail is set to REJECT (denying access when credentials are invalid), if_user_not_found is set to CONTINUE (allowing the policy engine to evaluate subsequent rules when the certificate is not found in the identity source), and if_process_fail is set to DROP (terminating the authentication attempt on processing errors)

ise:
  network_access:
    policy_sets:
      - name: Global Policy
        authentication_rules:
          - name: Wired_802.1X
            state: enabled
            condition:
              type: ConditionAttributes
              dictionary_name: Network Access
              attribute_name: EapAuthentication
              operator: equals
              attribute_value: EAP-TLS
            identity_source_name: Preloaded_Certificate_Profile
            if_auth_fail: REJECT
            if_user_not_found: CONTINUE
            if_process_fail: DROP

Example-2 Network Access Authentication Rule for Wireless 802.11 with EAP-TLS Certificate Authentication

This authentication rule processes wireless 802.11 network access requests using EAP-TLS certificate-based authentication. The rule uses a compound condition (ConditionAndBlock) that matches when both the Radius:NAS-Port-Type equals “Wireless - IEEE 802.11” AND the Network Access:EapAuthentication equals “EAP-TLS”, ensuring this rule only applies to wireless clients attempting certificate authentication. Authentication is performed against the Internal Users identity source for certificate validation. The rule implements strict failure handling with all failure scenarios set to deny access: if_auth_fail is REJECT (blocking invalid certificates), if_user_not_found is REJECT (denying unknown certificates), and if_process_fail is DROP (terminating on processing errors).

ise:
  network_access:
    policy_sets:
      - name: Global Policy
        authentication_rules:
          - name: Wireless_EAP_TLS_Authentication
            state: enabled
            condition:
              type: ConditionAndBlock
              children:
                - type: ConditionAttributes
                  dictionary_name: Radius
                  attribute_name: NAS-Port-Type
                  operator: equals
                  attribute_value: Wireless - IEEE 802.11
                - type: ConditionAttributes
                  dictionary_name: Network Access
                  attribute_name: EapAuthentication
                  operator: equals
                  attribute_value: EAP-TLS
            identity_source_name: Internal Users
            if_auth_fail: REJECT
            if_user_not_found: REJECT
            if_process_fail: DROP

Location in GUI: Work Centers » Network Access » Policy Sets » XXX » Authentication Policy

Diagram

Classes

policy_sets (ise.network_access)

Name	Type	Constraint	Mandatory	Default Value
authentication_rules	List	`[authentication_rules]`	No

authentication_rules (ise.network_access.policy_sets)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[\w\d_\-\.]+$`	Yes
state	Choice	`enabled`, `disabled`, `monitor`	No	`enabled`
condition	Class	`[condition]`	No
identity_source_name	String		No
if_auth_fail	Choice	`REJECT`, `CONTINUE`, `DROP`	No	`REJECT`
if_user_not_found	Choice	`REJECT`, `CONTINUE`, `DROP`	No	`REJECT`
if_process_fail	Choice	`REJECT`, `CONTINUE`, `DROP`	No	`DROP`

condition (ise.network_access.policy_sets.authentication_rules)

Name	Type	Constraint	Mandatory	Default Value
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No	`false`
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.network_access.policy_sets.authentication_rules.condition)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.network_access.policy_sets.authentication_rules.condition.children)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No

Examples

ise:
  network_access:
    policy_sets:
      - name: Global Policy
        authentication_rules:
          - name: DOT1x_wired
            default: false
            state: enabled
            condition:
              type: ConditionAndBlock
              is_negate: false
              children:
                - type: ConditionAttributes
                  is_negate: false
                  dictionary_name: CERTIFICATE
                  attribute_name: Subject - Common Name
                  operator: contains
                  attribute_value: Test1
                - type: ConditionReference
                  is_negate: false
                  name: Wired_802.1X
            identity_source_name: Global_Certificate
            if_auth_fail: REJECT
            if_user_not_found: CONTINUE
            if_process_fail: DROP

Location in GUI: Work Centers » Network Access » Policy Sets » XXX » Authentication Policy

Diagram

Classes

policy_sets (ise.network_access)

Name	Type	Constraint	Mandatory	Default Value
authentication_rules	List	`[authentication_rules]`	No

authentication_rules (ise.network_access.policy_sets)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[\w\d_\-\.]+$`	Yes
state	Choice	`enabled`, `disabled`, `monitor`	No	`enabled`
condition	Class	`[condition]`	No
identity_source_name	String		No
if_auth_fail	Choice	`REJECT`, `CONTINUE`, `DROP`	No	`REJECT`
if_user_not_found	Choice	`REJECT`, `CONTINUE`, `DROP`	No	`REJECT`
if_process_fail	Choice	`REJECT`, `CONTINUE`, `DROP`	No	`DROP`

condition (ise.network_access.policy_sets.authentication_rules)

Name	Type	Constraint	Mandatory	Default Value
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No	`false`
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.network_access.policy_sets.authentication_rules.condition)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.network_access.policy_sets.authentication_rules.condition.children)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No

Examples

ise:
  network_access:
    policy_sets:
      - name: Global Policy
        authentication_rules:
          - name: DOT1x_wired
            default: false
            state: enabled
            condition:
              type: ConditionAndBlock
              is_negate: false
              children:
                - type: ConditionAttributes
                  is_negate: false
                  dictionary_name: CERTIFICATE
                  attribute_name: Subject - Common Name
                  operator: contains
                  attribute_value: Test1
                - type: ConditionReference
                  is_negate: false
                  name: Wired_802.1X
            identity_source_name: Global_Certificate
            if_auth_fail: REJECT
            if_user_not_found: CONTINUE
            if_process_fail: DROP

Location in GUI: Work Centers » Network Access » Policy Sets » XXX » Authentication Policy

Diagram

Classes

policy_sets (ise.network_access)

Name	Type	Constraint	Mandatory	Default Value
authentication_rules	List	`[authentication_rules]`	No

authentication_rules (ise.network_access.policy_sets)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[\w\d_\-\.]+$`	Yes
state	Choice	`enabled`, `disabled`, `monitor`	No	`enabled`
condition	Class	`[condition]`	No
identity_source_name	String		No
if_auth_fail	Choice	`REJECT`, `CONTINUE`, `DROP`	No	`REJECT`
if_user_not_found	Choice	`REJECT`, `CONTINUE`, `DROP`	No	`REJECT`
if_process_fail	Choice	`REJECT`, `CONTINUE`, `DROP`	No	`DROP`

condition (ise.network_access.policy_sets.authentication_rules)

Name	Type	Constraint	Mandatory	Default Value
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No	`false`
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.network_access.policy_sets.authentication_rules.condition)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`, `ConditionAndBlock`, `ConditionOrBlock`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No
children	List	`[children]`	No

children (ise.network_access.policy_sets.authentication_rules.condition.children)

Name	Type	Constraint	Mandatory
type	Choice	`ConditionReference`, `ConditionAttributes`	Yes
is_negate	Boolean	`true`, `false`	No
dictionary_name	String		No
attribute_name	String		No
operator	Choice	`contains`, `endsWith`, `equals`, `greaterOrEquals`, `greaterThan`, `in`, `ipEquals`, `ipGreaterThan`, `ipLessThan`, `ipNotEquals`, `lessOrEquals`, `lessThan`, `matches`, `notContains`, `notEndsWith`, `notEquals`, `notIn`, `notStartsWith`, `startsWith`	No
attribute_value	String		No
name	String		No

Examples

ise:
  network_access:
    policy_sets:
      - name: Global Policy
        authentication_rules:
          - name: DOT1x_wired
            default: false
            state: enabled
            condition:
              type: ConditionAndBlock
              is_negate: false
              children:
                - type: ConditionAttributes
                  is_negate: false
                  dictionary_name: CERTIFICATE
                  attribute_name: Subject - Common Name
                  operator: contains
                  attribute_value: Test1
                - type: ConditionReference
                  is_negate: false
                  name: Wired_802.1X
            identity_source_name: Global_Certificate
            if_auth_fail: REJECT
            if_user_not_found: CONTINUE
            if_process_fail: DROP

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[\w\d\_\-\. \(\)]+$`	Yes
state	Choice	`enabled`, `disabled`, `monitor`	No	`enabled`
condition	Class	`[condition]`	No
identity_source_name	String		No
if_auth_fail	Choice	`REJECT`, `CONTINUE`, `DROP`	No	`REJECT`
if_user_not_found	Choice	`REJECT`, `CONTINUE`, `DROP`	No	`REJECT`
if_process_fail	Choice	`REJECT`, `CONTINUE`, `DROP`	No	`DROP`