
Authorization Rule

Location in GUI: Work Centers » Network Access » Policy Sets » XXX » Authorization Policy

Diagram
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| authorization_rules | List[authorization_rules] | | No | |

authorization_rules (ise.network_access.policy_sets)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: `^[\w\d_\-\. ]+$` | Yes | |
| state | Choice | enabled, disabled | No | enabled |
| condition | Class[condition] | | No | |
| profiles | List[String] | | No | |
| security_group | String | | No | |

condition (ise.network_access.policy_sets.authorization_rules)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | false |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |
| children | List[children] | | No | |

children (ise.network_access.policy_sets.authorization_rules.condition)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |
| children | List[children] | | No | |

children (ise.network_access.policy_sets.authorization_rules.condition.children)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes | Yes | |
| is_negate | Boolean | true, false | No | |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |

Example 1: Office_Clients authorization rule

This example demonstrates how to configure an authorization rule under the policy set named Global Policy. The authorization rule is named Office_Clients. It uses the AD Join Point AD_Join to query the endpoint's group membership; if the endpoint belongs to the AD group ciscolab.local/Users/DC1, the authorization profile Office_Clients_Profile and the security group Office_Clients_SGT are applied.

```yaml
ise:
  network_access:
    policy_sets:
      - name: Global Policy
        authorization_rules:
          - name: Office_Clients
            state: enabled
            condition:
              type: ConditionAttributes
              dictionary_name: AD_Join
              attribute_name: ExternalGroups
              operator: equals
              attribute_value: ciscolab.local/Users/DC1
            profiles:
              - Office_Clients_Profile
            security_group: Office_Clients_SGT
```
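The tables above encode constraints that are easy to get wrong in hand-written YAML: the `name` regex, the `state` and `operator` choices, and the nesting limit (a `condition` may contain `children`, those children may contain `children`, but the innermost level may only be `ConditionReference` or `ConditionAttributes` and has no `children` of its own). The validator below is an added example, not part of the project's code, that checks a rule against exactly those table constraints before it is pushed to ISE. It goes beyond the flat `ConditionAttributes` example above by walking a nested `ConditionAndBlock` / `ConditionOrBlock` tree. The rule contents (`Office_Clients_Wired`, `Wired_802.1X`, `Wired_MAB`, the deliberately broken `BAD_RULE`) are constructed sample data, and the rule is passed in as a Python dict rather than parsed from YAML so the block runs without extra dependencies.

```python
import re

# Constraints transcribed from the data-model tables on this page.
# This validator is an added illustration, not the project's own code.
NAME_RE = re.compile(r"^[\w\d_\-\. ]+$")
STATES = {"enabled", "disabled"}
CONDITION_TYPES = {"ConditionReference", "ConditionAttributes",
                   "ConditionAndBlock", "ConditionOrBlock"}
LEAF_TYPES = {"ConditionReference", "ConditionAttributes"}  # only types allowed at the innermost level
OPERATORS = {
    "contains", "endsWith", "equals", "greaterOrEquals", "greaterThan", "in",
    "ipEquals", "ipGreaterThan", "ipLessThan", "ipNotEquals", "lessOrEquals",
    "lessThan", "matches", "notContains", "notEndsWith", "notEquals", "notIn",
    "notStartsWith", "startsWith", "macContains", "macEndsWith", "macEquals",
    "macIn", "macNotContains", "macNotEndsWith", "macNotEquals", "macNotIn",
    "macNotStartsWith", "macStartsWith",
}
# condition (depth 0) -> children (depth 1) -> children (depth 2); the depth-2 table has no children field.
MAX_DEPTH = 2


def validate_condition(cond, path="condition", depth=0):
    """Return a list of constraint violations for one condition node and its descendants."""
    errors = []
    ctype = cond.get("type")
    if ctype not in CONDITION_TYPES:
        errors.append(f"{path}.type: {ctype!r} is not a valid condition type")
        return errors  # nothing else is meaningful on an unknown node
    if depth >= MAX_DEPTH and ctype not in LEAF_TYPES:
        errors.append(f"{path}.type: {ctype} is not allowed at nesting depth {depth}")
    if "is_negate" in cond and not isinstance(cond["is_negate"], bool):
        errors.append(f"{path}.is_negate: must be true or false")
    if "operator" in cond and cond["operator"] not in OPERATORS:
        errors.append(f"{path}.operator: {cond['operator']!r} is not a valid operator")
    children = cond.get("children") or []
    if children and depth >= MAX_DEPTH:
        errors.append(f"{path}.children: nesting deeper than the model allows")
        return errors  # do not descend into levels the model does not define
    for i, child in enumerate(children):
        errors.extend(validate_condition(child, f"{path}.children[{i}]", depth + 1))
    return errors


def validate_rule(rule):
    """Validate one authorization_rules entry against the table constraints."""
    errors = []
    name = rule.get("name")
    if not isinstance(name, str) or not NAME_RE.match(name):
        errors.append(f"name: {name!r} is mandatory and must match {NAME_RE.pattern}")
    if rule.get("state", "enabled") not in STATES:  # default value is enabled
        errors.append(f"state: {rule.get('state')!r} must be enabled or disabled")
    if "condition" in rule:
        errors.extend(validate_condition(rule["condition"]))
    profiles = rule.get("profiles", [])
    if not isinstance(profiles, list) or not all(isinstance(p, str) for p in profiles):
        errors.append("profiles: must be a list of strings")
    if "security_group" in rule and not isinstance(rule["security_group"], str):
        errors.append("security_group: must be a string")
    return errors


# Constructed sample: AD group membership AND (802.1X OR NOT MAB), nested two levels deep.
NESTED_RULE = {
    "name": "Office_Clients_Wired",
    "state": "enabled",
    "condition": {
        "type": "ConditionAndBlock",
        "children": [
            {"type": "ConditionAttributes", "dictionary_name": "AD_Join",
             "attribute_name": "ExternalGroups", "operator": "equals",
             "attribute_value": "ciscolab.local/Users/DC1"},
            {"type": "ConditionOrBlock", "children": [
                {"type": "ConditionReference", "name": "Wired_802.1X"},
                {"type": "ConditionReference", "name": "Wired_MAB", "is_negate": True},
            ]},
        ],
    },
    "profiles": ["Office_Clients_Profile"],
    "security_group": "Office_Clients_SGT",
}

# Constructed sample with five violations: bad name, bad state, bad operator,
# a block type at the innermost level, and a fourth nesting level.
BAD_RULE = {
    "name": "Office/Clients",
    "state": "active",
    "condition": {"type": "ConditionAndBlock", "children": [
        {"type": "ConditionAttributes", "dictionary_name": "Radius",
         "attribute_name": "NAS-Port-Type", "operator": "equal", "attribute_value": "Ethernet"},
        {"type": "ConditionOrBlock", "children": [
            {"type": "ConditionAndBlock", "children": [
                {"type": "ConditionReference", "name": "Too_Deep"},
            ]},
        ]},
    ]},
    "profiles": ["Office_Clients_Profile"],
}

if __name__ == "__main__":
    for rule in (NESTED_RULE, BAD_RULE):
        print(rule["name"], validate_rule(rule) or "OK")
```

Running the block prints `OK` for `NESTED_RULE` and five messages for `BAD_RULE`, each prefixed with the dotted path of the offending field so the finding maps directly back to the YAML.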