Policy Set
Location in GUI:
Work Centers » Network Access » Policy Sets
Diagram
Classes
policy_sets (ise.network_access)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[\w\d\_\-\. ]+$ | Yes | |
| description | String | | No | |
| state | Choice | enabled, disabled, monitor | No | enabled |
| condition | Class | [condition] | No | |
| is_proxy | Boolean | true, false | No | false |
| service_name | String | | Yes | |

condition (ise.network_access.policy_sets)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | false |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |
| children | List | [children] | No | |

children (ise.network_access.policy_sets.condition)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |
| children | List | [children] | No | |
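
A pre-deployment lint for the constraints in the class tables above, as an added example (not part of the original page or of the project that defines this data model). It takes the already-parsed YAML as a Python dict; the function names, the rule that And/Or blocks need children, and the rule that ConditionAttributes needs all four attribute fields are assumptions, and the sample input is constructed.

```python
import re

# Constraints transcribed from the first set of class tables above.
NAME_RE = re.compile(r"^[\w\d_\-. ]+$")
STATES = {"enabled", "disabled", "monitor"}
BLOCKS = {"ConditionAndBlock", "ConditionOrBlock"}
TYPES = BLOCKS | {"ConditionReference", "ConditionAttributes"}
OPERATORS = set("""contains endsWith equals greaterOrEquals greaterThan in
    ipEquals ipGreaterThan ipLessThan ipNotEquals lessOrEquals lessThan matches
    notContains notEndsWith notEquals notIn notStartsWith startsWith macContains
    macEndsWith macEquals macIn macNotContains macNotEndsWith macNotEquals
    macNotIn macNotStartsWith macStartsWith""".split())
ATTR_KEYS = ("dictionary_name", "attribute_name", "operator", "attribute_value")

def check_condition(cond, path, errors):  # recurses through children
    ctype = cond.get("type")
    if ctype not in TYPES:
        errors.append(f"{path}: type {ctype!r} is not a valid choice")
    elif ctype in BLOCKS:
        children = cond.get("children") or []
        if not children:  # assumption: a block with nothing to combine is an error
            errors.append(f"{path}: {ctype} has no children")
        for i, child in enumerate(children):
            check_condition(child, f"{path}.children[{i}]", errors)
    elif ctype == "ConditionAttributes":
        # Assumption: an attribute test needs all four fields to be evaluable.
        missing = [k for k in ATTR_KEYS if cond.get(k) in (None, "")]
        errors.extend(f"{path}: {k} missing" for k in missing)
        if "operator" not in missing and cond["operator"] not in OPERATORS:
            errors.append(f"{path}: unknown operator {cond['operator']!r}")

def check_policy_set(ps):
    """Return the constraint violations for one policy_sets entry."""
    errors = []
    if not NAME_RE.match(str(ps.get("name", ""))):
        errors.append(f"name {ps.get('name')!r} violates the name regex")
    if not ps.get("service_name"):
        errors.append("service_name is mandatory")
    if ps.get("state", "enabled") not in STATES:
        errors.append(f"state {ps['state']!r} is not a valid choice")
    if "condition" in ps:
        check_condition(ps["condition"], "condition", errors)
    return errors

# Constructed sample, three seeded faults: '/' in name, no service_name, operator typo.
SAMPLE = {"name": "Corp/Wireless", "condition": {
    "type": "ConditionAndBlock", "children": [{"type": "ConditionAttributes",
        "dictionary_name": "Radius", "attribute_name": "Called-Station-ID",
        "operator": "contain", "attribute_value": "Corp-SSID"}]}}
```

Calling `check_policy_set(SAMPLE)` returns one message per seeded fault, with the path of the offending node for faults inside the condition tree.
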
Examples
Example-1 Network Access Policy Set with Ethernet Port Type Filtering
This example demonstrates a Cisco ISE network access policy set configured to handle wired network authentication scenarios. The policy set “CorporateWiredPolicy” is associated with the “Default Network Access” service and uses a simple attribute-based condition to filter incoming authentication requests. The condition evaluates the RADIUS attribute “NAS-Port-Type” and matches only when it equals “Ethernet”, ensuring the policy set exclusively processes wired 802.1X authentication attempts while excluding wireless, VPN, or other connection types. This represents a fundamental policy set structure commonly used in enterprise networks to separate wired and wireless authentication policies, allowing administrators to define different authorization rules and security requirements based on physical connection type.
```yaml
ise:
  network_access:
    policy_sets:
      - name: CorporateWiredPolicy
        service_name: Default Network Access
        condition:
          type: ConditionAttributes
          dictionary_name: Radius
          attribute_name: NAS-Port-Type
          operator: equals
          attribute_value: Ethernet
```

Example-2 Network Access Policy Set with Wireless Port Type and SSID Filtering
This example demonstrates a Cisco ISE network access policy set configured for corporate wireless network authentication with SSID-based filtering. The policy set “Corporate_Wireless_Policy” is enabled and associated with the “Default Network Access” service, using a ConditionAndBlock to enforce two mandatory criteria for policy evaluation. The first condition evaluates the RADIUS attribute “NAS-Port-Type” to match “Wireless - IEEE 802.11”, ensuring only wireless connections are processed. The second condition checks the “Called-Station-ID” RADIUS attribute to verify it contains “Corp-SSID”, restricting the policy set to a specific corporate wireless SSID. This AND logic configuration ensures the policy set only applies to authentication requests arriving via the designated corporate wireless network, providing network segmentation and allowing administrators to define distinct authentication and authorization rules specific to the corporate SSID while excluding other wireless networks.
```yaml
ise:
  network_access:
    policy_sets:
      - name: Corporate_Wireless_Policy
        description: Policy set for corporate wireless network with SSID filtering
        state: enabled
        service_name: Default Network Access
        condition:
          type: ConditionAndBlock
          children:
            - type: ConditionAttributes
              dictionary_name: Radius
              attribute_name: NAS-Port-Type
              operator: equals
              attribute_value: Wireless - IEEE 802.11
            - type: ConditionAttributes
              dictionary_name: Radius
              attribute_name: Called-Station-ID
              operator: contains
              attribute_value: Corp-SSID
```

Example-3 Network Access Policy Set with Virtual Port Type and Username Filtering
This example demonstrates a network access policy set configured for VPN remote access with AND logic to match multiple connection criteria. The policy set “VPN_Remote_Access_Policy” is enabled and associated with the “Default Network Access” service, using a ConditionAndBlock to evaluate two conditions that must both match. The first condition checks if the RADIUS attribute “NAS-Port-Type” equals “Virtual” to identify VPN connections. The second condition evaluates “Network Access : UserName” to match a specific user “User1”, so the policy set applies only when a VPN connection is detected and the username matches.
```yaml
ise:
  network_access:
    policy_sets:
      - name: VPN_Remote_Access_Policy
        description: Policy set for VPN access
        state: enabled
        service_name: Default Network Access
        condition:
          type: ConditionAndBlock
          children:
            - type: ConditionAttributes
              dictionary_name: Radius
              attribute_name: NAS-Port-Type
              operator: equals
              attribute_value: Virtual
            - type: ConditionAttributes
              dictionary_name: Network Access
              attribute_name: UserName
              operator: equals
              attribute_value: User1
```

Location in GUI:
Work Centers » Network Access » Policy Sets
Diagram
Classes
policy_sets (ise.network_access)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[\w\d_\-\. ]+$ | No | |
| description | String | | No | |
| state | Choice | enabled, disabled, monitor | No | enabled |
| condition | Class | [condition] | No | |
| is_proxy | Boolean | true, false | No | false |
| service_name | String | | Yes | |

condition (ise.network_access.policy_sets)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | false |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |
| children | List | [children] | No | |

children (ise.network_access.policy_sets.condition)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith, macContains, macEndsWith, macEquals, macIn, macNotContains, macNotEndsWith, macNotEquals, macNotIn, macNotStartsWith, macStartsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |
| children | List | [children] | No | |
Examples
```yaml
ise:
  network_access:
    policy_sets:
      - name: Global Policy
        description: Global Wireless/Wired (802.1x and MAB)
        state: enabled
        condition:
          type: ConditionAttributes
          is_negate: false
          dictionary_name: DEVICE
          attribute_name: Location
          operator: equals
          attribute_value: All Locations
        service_name: Global Protocols
        is_proxy: false
```

Location in GUI:
Work Centers » Network Access » Policy Sets
Diagram
Classes
policy_sets (ise.network_access)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[\w\d_\-\. ]+$ | No | |
| description | String | | No | |
| state | Choice | enabled, disabled, monitor | No | enabled |
| condition | Class | [condition] | No | |
| is_proxy | Boolean | true, false | No | false |
| service_name | String | | Yes | |

condition (ise.network_access.policy_sets)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | false |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |
| children | List | [children] | No | |

children (ise.network_access.policy_sets.condition)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | ConditionReference, ConditionAttributes, ConditionAndBlock, ConditionOrBlock | Yes | |
| is_negate | Boolean | true, false | No | |
| dictionary_name | String | | No | |
| attribute_name | String | | No | |
| operator | Choice | contains, endsWith, equals, greaterOrEquals, greaterThan, in, ipEquals, ipGreaterThan, ipLessThan, ipNotEquals, lessOrEquals, lessThan, matches, notContains, notEndsWith, notEquals, notIn, notStartsWith, startsWith | No | |
| attribute_value | String | | No | |
| name | String | | No | |
| children | List | [children] | No | |
Examples
```yaml
ise:
  network_access:
    policy_sets:
      - name: Global Policy
        default: false
        description: Global Wireless/Wired (802.1x and MAB)
        state: enabled
        condition:
          type: ConditionAttributes
          is_negate: false
          dictionary_name: DEVICE
          attribute_name: Location
          operator: equals
          dictionary_value: null
          attribute_value: All Locations
        service_name: Global Protocols
        is_proxy: false
```