Condition
Location in GUI:
Work Centers » Network Access » Policy Elements » Conditions » Library Conditions
Classes

policy_elements (ise.network_access)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| conditions | List | [conditions] | No | |

conditions (ise.network_access.policy_elements)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[\w\d_\-\.]+$ | No | |
| type | Choice | LibraryConditionAttributes, LibraryConditionAndBlock, LibraryConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | false |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| description | String | | No | |
| children | List | [children] | No | |

children (ise.network_access.policy_elements.conditions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[\w\d_\-\.]+$ | No | |
| type | Choice | ConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| description | String | | No | |
| children | List | [children] | No | |

Examples

Example-1 Network Access Policy Element Condition for Certificate Expiration Validation
This example demonstrates a network access policy element condition configured to validate certificate expiration status. The condition “CertificateNotExpired” is a library condition of type LibraryConditionAttributes, which creates a reusable condition that can be referenced across multiple policy sets and authorization rules. The condition evaluates the CERTIFICATE dictionary attribute “Is Expired” using an equals operator to match the value “False”, with is_negate set to false for straightforward validation. When this condition is evaluated during certificate-based authentication (such as EAP-TLS), it verifies that the presented certificate is currently valid and not expired, allowing the authentication to proceed only with valid certificates.
```yaml
ise:
  network_access:
    policy_elements:
      conditions:
        - name: CertificateNotExpired
          type: LibraryConditionAttributes
          is_negate: false
          dictionary_name: CERTIFICATE
          attribute_name: Is Expired
          operator: equals
          attribute_value: "False"
```

Example-2 Network Access Policy Element Condition for Wireless IEEE 802.11 Connection Type
This example demonstrates a network access policy element condition configured to identify wireless network connections. The condition “WirelessConnection” is a library condition of type LibraryConditionAttributes, creating a reusable condition that can be referenced across multiple policy sets and authorization rules. The condition evaluates the RADIUS dictionary attribute “NAS-Port-Type” using an equals operator to match the value “Wireless - IEEE 802.11”, with is_negate set to false for direct matching. When this condition is evaluated during network authentication, it identifies sessions originating from wireless access points using IEEE 802.11 protocols, distinguishing them from wired Ethernet, VPN, or other connection types.
```yaml
ise:
  network_access:
    policy_elements:
      conditions:
        - name: WirelessConnection
          type: LibraryConditionAttributes
          is_negate: false
          dictionary_name: Radius
          attribute_name: NAS-Port-Type
          operator: equals
          attribute_value: Wireless - IEEE 802.11
          description: Matches wireless IEEE 802.11 connections
```

Example-3 Network Access Policy Element Condition with OR Block for Multiple User Identity Groups
This example demonstrates a network access policy element condition configured to match privileged users across multiple identity groups using OR logic. The condition “PrivilegedUsers” is a library condition of type LibraryConditionOrBlock, creating a reusable condition that can be referenced throughout policy sets and authorization rules. The condition evaluates three alternative IdentityGroup membership criteria using child ConditionAttributes: “User Identity Groups:Managers”, “User Identity Groups:IT_Staff”, and “User Identity Groups:Executives”. When this condition is evaluated, it returns true if the authenticating user belongs to ANY of these three identity groups, providing flexible matching logic.
```yaml
ise:
  network_access:
    policy_elements:
      conditions:
        - name: PrivilegedUsers
          type: LibraryConditionOrBlock
          description: Managers, IT Staff, or Executives
          children:
            - type: ConditionAttributes
              dictionary_name: IdentityGroup
              attribute_name: Name
              operator: equals
              attribute_value: User Identity Groups:Managers
            - type: ConditionAttributes
              dictionary_name: IdentityGroup
              attribute_name: Name
              operator: equals
              attribute_value: User Identity Groups:IT_Staff
            - type: ConditionAttributes
              dictionary_name: IdentityGroup
              attribute_name: Name
              operator: equals
              attribute_value: User Identity Groups:Executives
```

Location in GUI:
Work Centers » Network Access » Policy Elements » Conditions » Library Conditions
Classes

policy_elements (ise.network_access)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| conditions | List | [conditions] | No | |

conditions (ise.network_access.policy_elements)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[\w\d_\-\.]+$ | No | |
| type | Choice | LibraryConditionAttributes, LibraryConditionAndBlock, LibraryConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | false |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith | No | |
| attribute_value | String | | No | |
| description | String | | No | |
| children | List | [children] | No | |

children (ise.network_access.policy_elements.conditions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[\w\d_\-\.]+$ | No | |
| type | Choice | ConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith | No | |
| attribute_value | String | | No | |
| description | String | | No | |
| children | List | [children] | No | |

Examples

```yaml
ise:
  network_access:
    policy_elements:
      conditions:
        - name: CertificateNotExpired
          type: LibraryConditionAttributes
          is_negate: false
          dictionary_name: CERTIFICATE
          attribute_name: Is Expired
          operator: equals
          attribute_value: "False"
```
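A pre-deployment lint for condition definitions against the constraints in the class tables, as an added example (not part of the original page or the project's tooling). It uses the longer operator list, the one that includes the mac* operators; the `lint` function and the Python dicts standing in for parsed YAML are hypothetical.

```python
import re

NAME_RE = re.compile(r"^[\w\d_\-\.]+$")  # name constraint from the tables
TOP_TYPES = {"LibraryConditionAttributes", "LibraryConditionAndBlock",
             "LibraryConditionOrBlock"}
CHILD_TYPES = {"ConditionReference", "ConditionAttributes",
               "ConditionAndBlock", "ConditionOrBlock"}
_BASE = ("contains endsWith equals greaterOrEquals greaterThan in ipEquals "
         "ipGreaterThan ipLessThan ipNotEquals lessOrEquals lessThan matches "
         "notContains notEndsWith notEquals notIn notStartsWith startsWith").split()
_MAC = ("macContains macEndsWith macEquals macIn macNotContains macNotEndsWith "
        "macNotEquals macNotIn macNotStartsWith macStartsWith").split()
OPERATORS = set(_BASE) | set(_MAC)


def lint(cond, path="conditions[0]", top=True):
    """Return a list of schema violations for one condition and its children."""
    errs = []
    allowed = TOP_TYPES if top else CHILD_TYPES  # children use a different type set
    name = cond.get("name")
    if name is not None and not NAME_RE.match(str(name)):
        errs.append(f"{path}: name {name!r} violates the name regex")
    if cond.get("type") not in allowed:  # type is the only mandatory field
        errs.append(f"{path}: type {cond.get('type')!r} not allowed at this level")
    if "is_negate" in cond and not isinstance(cond["is_negate"], bool):
        errs.append(f"{path}: is_negate must be a boolean")
    if "operator" in cond and cond["operator"] not in OPERATORS:
        errs.append(f"{path}: unknown operator {cond['operator']!r}")
    for i, child in enumerate(cond.get("children") or []):
        errs += lint(child, f"{path}.children[{i}]", top=False)
    return errs


# Constructed inputs: Example-3 from the page, then a deliberately broken copy.
GOOD = {"name": "PrivilegedUsers", "type": "LibraryConditionOrBlock",
        "children": [{"type": "ConditionAttributes", "dictionary_name": "IdentityGroup",
                      "attribute_name": "Name", "operator": "equals",
                      "attribute_value": g}
                     for g in ("User Identity Groups:Managers",
                               "User Identity Groups:IT_Staff",
                               "User Identity Groups:Executives")]}
BAD = {"name": "Privileged Users", "type": "LibraryConditionOrBlock",
       "is_negate": "false",  # quoted in YAML, so it parses as a string
       "children": [{"type": "LibraryConditionAttributes", "operator": "equal"}]}

if __name__ == "__main__":
    for problem in lint(GOOD) + lint(BAD):
        print(problem)
```

The broken copy trips four checks: a space in the name, a quoted `is_negate`, a library-level type used inside `children`, and a misspelled operator.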