Authentication Rule

Location in GUI: Work Centers » Network Access » Policy Sets » XXX » Authentication Policy

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| authentication_rules | List[authentication_rules] | | No | |

authentication_rules (ise.network_access.policy_sets)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: `^[\w\d_\-\.]+$` | Yes | |
| state | Choice | enabled, disabled, monitor | No | enabled |
| condition | Class[condition] | | No | |
| identity_source_name | String | | No | |
| if_auth_fail | Choice | REJECT, CONTINUE, DROP | No | REJECT |
| if_user_not_found | Choice | REJECT, CONTINUE, DROP | No | REJECT |
| if_process_fail | Choice | REJECT, CONTINUE, DROP | No | DROP |

condition (ise.network_access.policy_sets.authentication_rules)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | false |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |
| children | List[children] | | No | |

children (ise.network_access.policy_sets.authentication_rules.condition)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |
| children | List[children] | | No | |

children (ise.network_access.policy_sets.authentication_rules.condition.children)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes | Yes | |
| is_negate | Boolean | true, false | No | |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |

Example 1: Wired_802.1X authentication rule

This example configures an authentication rule under the policy set `Global Policy`. The rule is named `Wired_802.1X`, matches on an EAP-TLS authentication (`Network Access:EapAuthentication equals EAP-TLS`) and validates the client against the certificate authentication profile `Preloaded_Certificate_Profile`. The three failure settings control what ISE does when authentication does not succeed cleanly:

  • If authentication passes, the system evaluates authorization rules.
  • If authentication fails, the endpoint is denied access to the network.
  • If the endpoint is not found, the system continues to evaluate the next rule in sequence.
  • If the process fails, the session is dropped.

```yaml
ise:
  network_access:
    policy_sets:
      - name: Global Policy
        authentication_rules:
          - name: Wired_802.1X
            state: enabled
            condition:
              type: ConditionAttributes
              dictionary_name: Network Access
              attribute_name: EapAuthentication
              operator: equals
              attribute_value: EAP-TLS
            identity_source_name: Preloaded_Certificate_Profile
            if_auth_fail: REJECT
            if_user_not_found: CONTINUE
            if_process_fail: DROP
```
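Because a typo in a `state` or `if_*` value, or a condition nested one level too deep, is only caught when the configuration is pushed to ISE, it is worth validating the `authentication_rules` list against the constraints in the tables above before deployment. The following checker is an added example written for this page, not part of the project's tooling; it encodes the regex, choice lists, defaults and the three-level condition nesting from the tables, and takes the rule from Example 1 as a Python dict instead of parsing YAML so it runs without extra libraries.

```python
import re
# Constraints transcribed from the schema tables above.
NAME_RE = re.compile(r"^[\w\d_\-\.]+$")
STATES = {"enabled", "disabled", "monitor"}
ACTIONS = {"REJECT", "CONTINUE", "DROP"}
ACTION_DEFAULTS = {"if_auth_fail": "REJECT", "if_user_not_found": "REJECT", "if_process_fail": "DROP"}
LEAF_TYPES = {"ConditionReference", "ConditionAttributes"}
BLOCK_TYPES = {"ConditionAndBlock", "ConditionOrBlock"}
OPERATORS = set("""contains endsWith equals greaterOrEquals greaterThan in ipEquals
ipGreaterThan ipLessThan ipNotEquals lessOrEquals lessThan matches notContains
notEndsWith notEquals notIn notStartsWith startsWith macContains macEndsWith macEquals
macIn macNotContains macNotEndsWith macNotEquals macNotIn macNotStartsWith macStartsWith""".split())

def check_condition(cond, path, depth, errors):
    """Walk condition -> children -> children; depth 2 is the innermost level the
    schema defines, and there only the two leaf types (with no children) are valid."""
    allowed = LEAF_TYPES if depth >= 2 else LEAF_TYPES | BLOCK_TYPES
    if cond.get("type") not in allowed:
        errors.append(f"{path}.type: {cond.get('type')!r} not in {sorted(allowed)}")
    if "operator" in cond and cond["operator"] not in OPERATORS:
        errors.append(f"{path}.operator: {cond['operator']!r} is not a valid operator")
    children = cond.get("children", [])
    if children and depth >= 2:
        errors.append(f"{path}.children: nested deeper than the schema permits")
        return
    for i, child in enumerate(children):
        check_condition(child, f"{path}.children[{i}]", depth + 1, errors)

def validate_rules(rules):
    """Return a list of constraint violations for an authentication_rules list."""
    errors = []
    for i, rule in enumerate(rules):
        path = f"authentication_rules[{i}]"
        if not NAME_RE.match(str(rule.get("name", ""))):
            errors.append(f"{path}.name: missing or fails regex {NAME_RE.pattern}")
        if rule.get("state", "enabled") not in STATES:  # default is enabled
            errors.append(f"{path}.state: {rule['state']!r} not in {sorted(STATES)}")
        for key, default in ACTION_DEFAULTS.items():  # absent keys take the default
            if rule.get(key, default) not in ACTIONS:
                errors.append(f"{path}.{key}: {rule[key]!r} not in {sorted(ACTIONS)}")
        if "condition" in rule:
            check_condition(rule["condition"], f"{path}.condition", 0, errors)
    return errors

WIRED_DOT1X = {"name": "Wired_802.1X", "state": "enabled",  # the rule from Example 1
               "condition": {"type": "ConditionAttributes", "dictionary_name": "Network Access",
                             "attribute_name": "EapAuthentication", "operator": "equals",
                             "attribute_value": "EAP-TLS"},
               "identity_source_name": "Preloaded_Certificate_Profile", "if_auth_fail": "REJECT",
               "if_user_not_found": "CONTINUE", "if_process_fail": "DROP"}
```

`validate_rules([WIRED_DOT1X])` returns an empty list; feeding it a rule with a space in the name, an unknown `state`, or a `children` list under a third-level condition returns one message per violation with the path to the offending key.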