Authentication Rules

Overview

Authentication rules determine WHO is allowed to access the network and WHICH identity source validates their credentials. Rules are evaluated top-to-bottom - the first matching rule’s identity source is used.

Authentication occurs BEFORE authorization. The flow is:

  1. Authentication Rules → Verify WHO you are (this page)

  2. Authorization Rules → Determine WHAT access you get (see authz-rules)

Commands

netapi ise get-auth-rules <POLICY_SET_NAME>
netapi ise add-auth-rule <POLICY_SET_NAME> <RULE_NAME> <IDENTITY_SOURCE> [OPTIONS]
netapi ise delete-auth-rule <POLICY_SET_NAME> <RULE_NAME> [OPTIONS]

List Authentication Rules

netapi ise get-auth-rules "Corp WIFI"

Shows all authentication rules in a policy set with:

  • Rank - Evaluation order (0 = first)

  • Rule Name - Descriptive name

  • Identity Source - Certificate profile, AD join point, or internal endpoints

  • If Fail - Action when authentication fails (REJECT, CONTINUE, DROP)

  • If Not Found - Action when user/device not found (REJECT, CONTINUE)

  • State - enabled/disabled

Sample output:

╭─────────────────────────────────────────────────────────────────────────────╮
│ Authentication Rules                                                        │
╰─────────────────────────────────── Corp WIFI ───────────────────────────────╯
    #    Rule Name                  Identity Source       If Fail    If Not Found    State
    0    BYOD_Certificate_Auth      BYOD_Cert_Profile     REJECT     REJECT          enabled
    1    EAP_TLS_Certificate_Auth   AD_Cert_Profile       REJECT     REJECT          enabled
    2    iPSK AuthC                 iPSKManager           REJECT     REJECT          enabled
    3    Default                    Internal Endpoints    REJECT     CONTINUE        enabled
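The table above is the record an auditor works from, so here is an added example (not part of this page or the netapi tool) that parses that column-aligned output and applies the page's own rule-order and failure-action checks to it: the last rule must reject unknown identities, no rule may continue after a failed authentication, and a catch-all named `Default` must not sit ahead of specific rules. The copy of the table inside the block is constructed from the sample output above; the assumptions are that columns are separated by two or more spaces and that the catch-all is named `Default`.

```python
import re
from dataclasses import dataclass

# Constructed copy of the table body printed by `netapi ise get-auth-rules "Corp WIFI"`
# (the box-drawing title lines are omitted; the parser would skip them anyway).
SAMPLE_OUTPUT = """\
    #    Rule Name                  Identity Source       If Fail    If Not Found    State
    0    BYOD_Certificate_Auth      BYOD_Cert_Profile     REJECT     REJECT          enabled
    1    EAP_TLS_Certificate_Auth   AD_Cert_Profile       REJECT     REJECT          enabled
    2    iPSK AuthC                 iPSKManager           REJECT     REJECT          enabled
    3    Default                    Internal Endpoints    REJECT     CONTINUE        enabled
"""


@dataclass
class AuthRule:
    rank: int
    name: str
    identity_source: str
    if_fail: str
    if_not_found: str
    state: str


def parse_auth_rules(text: str) -> list:
    """Parse the column-aligned rule table.

    Columns are separated by two or more spaces (assumption), so a single space
    inside a cell ("Internal Endpoints", "iPSK AuthC") stays part of that cell.
    """
    rules = []
    for line in text.splitlines():
        cells = re.split(r" {2,}", line.strip())
        if len(cells) != 6 or not cells[0].isdigit():
            continue  # header row, box-drawing line, or blank line
        rank, name, source, if_fail, if_not_found, state = cells
        rules.append(AuthRule(int(rank), name, source, if_fail, if_not_found, state))
    return sorted(rules, key=lambda r: r.rank)


def audit_auth_rules(rules: list) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not rules:
        return ["no authentication rules parsed"]
    last = rules[-1]
    # The catch-all must REJECT when the identity is not found; otherwise an
    # unknown device continues to authorization without a verified identity.
    if last.if_not_found != "REJECT":
        findings.append(
            f"last rule '{last.name}' (rank {last.rank}) has If Not Found={last.if_not_found}; "
            "unknown devices are not rejected")
    for position, rule in enumerate(rules):
        # A failed credential or certificate must not fall through.
        if rule.if_fail == "CONTINUE":
            findings.append(f"rule '{rule.name}' continues after a failed authentication")
        # A catch-all placed ahead of specific rules shadows everything after it.
        shadowed = len(rules) - position - 1
        if rule.name == "Default" and shadowed:
            findings.append(
                f"catch-all 'Default' at rank {rule.rank} shadows {shadowed} later rule(s)")
    return findings


if __name__ == "__main__":
    for finding in audit_auth_rules(parse_auth_rules(SAMPLE_OUTPUT)):
        print("FINDING:", finding)
```

Run against the sample above it reports exactly one finding, the `Default` rule with `If Not Found CONTINUE`; pipe the live output of `get-auth-rules` into `parse_auth_rules` to check a real policy set the same way.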

Create Authentication Rule

# Dry run first (recommended)
netapi ise add-auth-rule "Corp WIFI" \
  "BYOD_Certificate_Auth" \
  "BYOD_Cert_Profile" \
  --dry-run

# Create BYOD certificate authentication rule
netapi ise add-auth-rule "Corp WIFI" \
  "BYOD_Certificate_Auth" \
  "BYOD_Cert_Profile" \
  --rank 0

Options

  • --dict - Dictionary name (e.g., "Network Access", "Radius"). Default: "Network Access"

  • --attr - Attribute name (e.g., "EapAuthentication", "Wireless SSID"). Default: "EapAuthentication"

  • --value - Attribute value to match. Default: "EAP-TLS"

  • --operator - Comparison operator: equals, contains, startsWith, endsWith, notEquals. Default: "equals"

  • --if-fail - Action when authentication fails: REJECT, CONTINUE, DROP. Default: "REJECT"

  • --if-not-found - Action when user/device not found: REJECT, CONTINUE. Default: "REJECT"

  • --if-process-fail - Action when authentication process fails: REJECT, CONTINUE, DROP. Default: "DROP"

  • --rank - Rule evaluation order (0 = first, higher = later). Default: 0

  • --dry-run - Preview changes without making them. Default: false

Common Identity Sources

  • BYOD_Cert_Profile - Mobile devices with Vault-issued certificates. Example rule: BYOD phones/tablets

  • AD_Cert_Profile - AD-joined workstations with machine certificates. Example rule: Domain computers (Windows/Linux)

  • Internal Endpoints - Local ISE identity store. Example rule: Local users, MAB devices

  • iPSKManager - Identity-based PSK (iPSK). Example rule: IoT devices with unique PSKs

  • INSIDE-AD - Active Directory join point. Example rule: Username/password authentication

Delete Authentication Rule

# Interactive confirmation
netapi ise delete-auth-rule "Corp WIFI" "BYOD_Certificate_Auth"

# Force delete (skip confirmation)
netapi ise delete-auth-rule "Corp WIFI" "BYOD_Certificate_Auth" --force

Deletes an authentication rule from a policy set.

This operation is permanent and cannot be undone. The rule is immediately removed from the policy set.

Options

  • --force, -f - Skip confirmation prompt (use in scripts)

Sample Output

╭─────────────────────────────────────────────────────────────────────────────╮
│ Delete Authentication Rule                                                  │
╰─────────────────────────────────── Corp WIFI ───────────────────────────────╯
  Rule Name          BYOD_Certificate_Auth
  Identity Source    BYOD_Cert_Profile
  Rule ID            12de63f0-f95b-11f0-b76e-52c54a1d1f56

Are you sure you want to delete authentication rule 'BYOD_Certificate_Auth'? [y/N]: y

✓ Deleted authentication rule: BYOD_Certificate_Auth

Rule Evaluation Order

Authentication rules are processed top-to-bottom until the first match:

Policy Set: Corp WIFI
├── #0: BYOD_Certificate_Auth     → Mobile devices (Vault certs)
├── #1: EAP_TLS_Certificate_Auth  → Workstations (AD certs)
├── #2: iPSK_Auth                 → IoT devices (iPSK)
└── #3: Default                   → Catch-all (internal endpoints)

Best Practices

  1. Most specific rules first - Put certificate-based auth at rank 0

  2. Generic rules later - Username/password should have higher rank

  3. Always have a default - Last rule should catch unmatched devices

  4. Set proper failure actions - Use REJECT to prevent bypass attacks

  5. Never use CONTINUE on Default - Last rule should REJECT if not found

Example: Wrong vs Right Order

Wrong (generic rule shadows specific):

#0: Default                   (any device)        ← Matches everything!
#1: BYOD_Certificate_Auth     (Vault certs)       ← Never reached

Right (specific before generic):

#0: BYOD_Certificate_Auth     (Vault certs)       ← Matches BYOD first
#1: EAP_TLS_Certificate_Auth  (AD certs)          ← Matches workstations
#2: Default                   (any device)        ← Catches remaining

Security Best Practices

Failure Action Configuration

  • Certificate auth fails - REJECT (invalid cert = deny access)

  • User not found in AD - REJECT (unknown user = deny access)

  • AD server unavailable - CONTINUE (failover to next identity source)

  • Default rule not found - REJECT (unknown device = deny access)

Secure Default Rule

Insecure (allows unauthenticated access):

# BAD: Default rule continues if user not found
netapi ise add-auth-rule "Corp WIFI" "Default" "Internal Endpoints" \
  --if-not-found CONTINUE  # DANGER!

Secure (denies unknown devices):

# GOOD: Default rule rejects if user not found
netapi ise add-auth-rule "Corp WIFI" "Default" "Internal Endpoints" \
  --if-not-found REJECT
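To make the rule-order and failure-action behaviour described above concrete, here is an added example (not part of this page or the netapi tool) that models the Corp WIFI policy set in Python and runs requests through first-match evaluation. It covers the Rule Evaluation Order section, the Wrong vs Right Order example, and the failure-action table: a catch-all placed first rejects a legitimate BYOD phone, and a catch-all with If Not Found CONTINUE lets an unknown device through to authorization. The rule conditions (EAP method and matching certificate profile; iPSK matched on MAB) are assumptions, because the page does not list the conditions, and identity-store membership is represented as a set of identity source names.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """Constructed view of one access request as the policy set sees it."""
    eap_method: str                         # "EAP-TLS", "PEAP", "MAB", ...
    cert_profile: Optional[str]             # certificate profile the client cert matches, if any
    known_in: FrozenSet[str] = frozenset()  # identity sources that know this user/device
    credential_valid: bool = True           # False = bad password, expired or revoked cert


@dataclass(frozen=True)
class AuthRule:
    rank: int
    name: str
    identity_source: str
    condition: Callable[[Request], bool]  # assumed condition; the page does not list them
    if_fail: str = "REJECT"               # REJECT | CONTINUE | DROP
    if_not_found: str = "REJECT"          # REJECT | CONTINUE


def evaluate(rules, req: Request) -> Tuple[Optional[str], str]:
    """Top-to-bottom, first-match evaluation; returns (matching rule, outcome)."""
    for rule in sorted(rules, key=lambda r: r.rank):
        if not rule.condition(req):
            continue                      # condition not met: try the next rule
        if rule.identity_source not in req.known_in:
            action = rule.if_not_found    # the identity store does not know this device
        elif not req.credential_valid:
            action = rule.if_fail         # known identity, but the credential failed
        else:
            return rule.name, "AUTHENTICATED"
        # CONTINUE hands the request to authorization with no verified identity,
        # which is why it is unsafe on the catch-all rule.
        return rule.name, "CONTINUE_TO_AUTHZ" if action == "CONTINUE" else action
    return None, "NO_MATCH"


def corp_wifi(default_if_not_found: str = "REJECT", default_first: bool = False):
    """Build the Corp WIFI rule set; ranks follow list position (0 = first)."""
    specific = [
        ("BYOD_Certificate_Auth", "BYOD_Cert_Profile",
         lambda r: r.eap_method == "EAP-TLS" and r.cert_profile == "BYOD_Cert_Profile", {}),
        ("EAP_TLS_Certificate_Auth", "AD_Cert_Profile",
         lambda r: r.eap_method == "EAP-TLS" and r.cert_profile == "AD_Cert_Profile", {}),
        ("iPSK_Auth", "iPSKManager", lambda r: r.eap_method == "MAB", {}),
    ]
    default = ("Default", "Internal Endpoints", lambda r: True,
               {"if_not_found": default_if_not_found})
    ordered = [default] + specific if default_first else specific + [default]
    return [AuthRule(rank, name, source, cond, **extra)
            for rank, (name, source, cond, extra) in enumerate(ordered)]


# Constructed requests used below.
BYOD_PHONE = Request("EAP-TLS", "BYOD_Cert_Profile", frozenset({"BYOD_Cert_Profile"}))
EXPIRED_BYOD = Request("EAP-TLS", "BYOD_Cert_Profile", frozenset({"BYOD_Cert_Profile"}),
                       credential_valid=False)
STRANGER = Request("PEAP", None)  # no certificate, not in any identity store


if __name__ == "__main__":
    print("right order, BYOD phone:   ", evaluate(corp_wifi(), BYOD_PHONE))
    print("right order, expired cert: ", evaluate(corp_wifi(), EXPIRED_BYOD))
    print("secure Default, stranger:  ", evaluate(corp_wifi(), STRANGER))
    print("insecure Default, stranger:", evaluate(corp_wifi("CONTINUE"), STRANGER))
    print("Default first, BYOD phone: ", evaluate(corp_wifi(default_first=True), BYOD_PHONE))
```

The last two cases are the ones that matter for the policy: with `If Not Found CONTINUE` on the catch-all, the stranger leaves authentication with `CONTINUE_TO_AUTHZ` and it is then up to authorization rules alone to keep it off the network, and with `Default` at rank 0 the BYOD phone never reaches its certificate rule and is rejected by the wrong identity source.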

Use Cases

BYOD Certificate Authentication (Vault PKI)

# Add BYOD cert auth rule (highest priority)
netapi ise add-auth-rule "Corp WIFI" \
  "BYOD_Certificate_Auth" \
  "BYOD_Cert_Profile" \
  --rank 0

This authenticates mobile devices with certificates issued by HashiCorp Vault PKI for BYOD enrollment workflows.

AD Workstation Certificate Authentication

# Add AD cert auth rule
netapi ise add-auth-rule "Corp WIFI" \
  "EAP_TLS_Certificate_Auth" \
  "AD_Cert_Profile" \
  --rank 1

Authenticates domain-joined workstations using certificates from AD Certificate Services.

iPSK Authentication

# Add iPSK auth rule
netapi ise add-auth-rule "Corp WIFI" \
  "iPSK_Auth" \
  "iPSKManager" \
  --rank 2

Authenticates IoT devices using identity-based pre-shared keys.

Username/Password (AD) Authentication

# Add AD username/password auth
netapi ise add-auth-rule "Guest WIFI" \
  "AD_User_Auth" \
  "INSIDE-AD" \
  --dict "Network Access" \
  --attr "EapAuthentication" \
  --value "PEAP" \
  --rank 0

Authenticates users with PEAP (username/password) against Active Directory.

Fixing Insecure Default Rule

# Step 1: Delete insecure default
netapi ise delete-auth-rule "Corp WIFI" "Default" --force

# Step 2: Recreate with secure settings
netapi ise add-auth-rule "Corp WIFI" "Default" "Internal Endpoints" \
  --if-not-found REJECT \
  --rank 10

Troubleshooting

Authentication Failing

  1. Check rule order - Is the correct rule matching first?

    netapi ise get-auth-rules "Corp WIFI"

  2. Verify identity source exists - Check certificate profile or AD join point

    # List certificate profiles
    netapi ise get-cert-profiles

    # List AD join points
    netapi ise get-ad

  3. Review authentication logs - See detailed failure reason

    netapi ise mnt auth-logs 98:bb:1e:1f:a7:13

  4. Check live session - View authentication details

    netapi ise mnt session 98:bb:1e:1f:a7:13

Certificate Profile Not Found

If you see the error "Identity source not found":

  1. Create certificate profile first

    netapi ise create-cert-profile "BYOD_Cert_Profile" \
      --desc "Certificate authentication for BYOD mobile devices (Vault PKI)"

  2. Verify profile exists

    netapi ise get-cert-profiles | grep BYOD

  3. Then create authentication rule

Wrong Identity Source Used

If the wrong identity source is being used:

  1. Check rule conditions - Verify condition matches your device

  2. Check rule order - Higher-ranked rule might be matching first

  3. Test condition - Ensure device meets rule criteria

API Reference

ISE ERS API endpoints used:

  • GET /ers/config/networkaccesspolicyset - List policy sets (get policy set ID)

  • GET /ers/config/networkaccesspolicyset/{id} - Get authentication rules in policy set

  • POST /ers/config/networkaccesspolicyset/{policyId}/authenticationpolicy - Create authentication rule

  • DELETE /ers/config/networkaccesspolicyset/{policyId}/authenticationpolicy/{ruleId} - Delete authentication rule

SDK Methods:

# `client` is an already-initialized ISE SDK client; policy_id comes from the
# policy set lookup and rule_id from the rule listing above.

# List rules
client.network_access_authentication_rules.get_all(policy_id=policy_id)

# Create rule (rule={...} holds the rank, name and condition of the new rule)
client.network_access_authentication_rules.create(
    policy_id=policy_id,
    rule={...},
    identity_source_name=identity_source,
    if_auth_fail=if_auth_fail,
    if_user_not_found=if_user_not_found,
    if_process_fail=if_process_fail
)

# Delete rule
client.network_access_authentication_rules.delete_network_access_authentication_rule_by_id(
    policy_id=policy_id,
    id=rule_id
)