Authorization Rules

Overview

Authorization rules determine what network access is granted after authentication succeeds. Rules are evaluated top-to-bottom - the first matching rule’s authorization profile is applied.

Commands

netapi ise get-authz-rules <POLICY_SET_NAME>
netapi ise add-authz-rule <POLICY_SET_NAME> <RULE_NAME> <PROFILE_NAME> [OPTIONS]
netapi ise delete-authz-rule <POLICY_SET_NAME> <RULE_NAME> [OPTIONS]

List Authorization Rules

netapi ise get-authz-rules "Wired Dot1X Closed"

Shows all authorization rules in a policy set with:

  • Rank - Evaluation order (0 = first)

  • Rule Name - Descriptive name

  • Profile(s) - Authorization profile applied on match

  • SGT - Security Group Tag (if used)

  • State - enabled/disabled

Sample output:

╭──────────────────────────────────────────────────────────────────────────────╮
│ Authorization Rules                                                          │
╰───────────────────────────── Wired Dot1X Closed ─────────────────────────────╯
    #    Rule Name                   Profile(s)                 SGT    State
    0    Linux_Admin_EAP-TLS         Linux_EAPTLS_Admins        -      enabled
    1    Linux_EAPTLS_Test           Linux_EAPTLS_Permit        -      enabled
    2    Linux_Posture_Compliant     Linux_Posture_Compliant    -      enabled
    5    Default                     DenyAccess                 -      enabled

Create Authorization Rule

netapi ise add-authz-rule "Wired Dot1X Closed" \
  "Linux_Admin_EAP-TLS" \
  "Linux_EAPTLS_Admins" \
  --dict "INSIDE-AD" \
  --attr "ExternalGroups" \
  --value "inside.domusdigitalis.dev/Groups/GRP-Linux-Admin-Workstations" \
  --operator "contains" \
  --rank 0

Options

Option       Description                                                              Default
--dict       Dictionary name (e.g., "INSIDE-AD", "Network Access")                    "Network Access"
--attr       Attribute name (e.g., "EapAuthentication", "ExternalGroups")             "EapAuthentication"
--value      Attribute value to match                                                 "EAP-TLS"
--operator   Comparison operator: equals, contains, startsWith, endsWith, notEquals   "equals"
--rank       Rule evaluation order (0 = first, higher = later)                        0

Prerequisites for AD Group Conditions

When using AD group conditions (INSIDE-AD.ExternalGroups):

  1. Create AD group in Active Directory

    New-ADGroup -Name "GRP-Linux-Admin-Workstations" -GroupScope Global
  2. Add computers to AD group

    Add-ADGroupMember -Identity "GRP-Linux-Admin-Workstations" -Members "modestus-razer$"
  3. Add group to ISE join point (REQUIRED!)

    netapi ise add-ad-groups "INSIDE-AD" "GRP-Linux-Admin-Workstations"
  4. Verify group in ISE

    netapi ise get-ad-groups INSIDE-AD | grep "GRP-Linux-Admin-Workstations"
  5. Create authorization rule (as shown above)

Step 3 is critical. If the AD group isn’t added to ISE first, the rule creation will fail with:

    Error: Value for attribute is not a permitted option

Delete Authorization Rule

# Interactive confirmation
netapi ise delete-authz-rule "Wired Dot1X Closed" "Linux_Research_AD_Machine"

# Force delete (skip confirmation)
netapi ise delete-authz-rule "Wired Dot1X Closed" "Linux_Research_AD_Machine" --force

Deletes an authorization rule from a policy set.

This operation is permanent and cannot be undone. The rule is immediately removed from the policy set.

Options

Option       Description
--force, -f  Skip confirmation prompt (use in scripts)

Sample Output

╭──────────────────────────────────────────────────────────────────────────────╮
│ Delete Authorization Rule                                                    │
╰───────────────────────────── Wired Dot1X Closed ─────────────────────────────╯
  Rule Name          Linux_Research_AD_Machine
  Profile            Linux_EAPTLS_Permit
  Rule ID            80ee76ab-4378-4222-8dd3-51900a9c40a0

✓ Deleted authorization rule: Linux_Research_AD_Machine

Rule Evaluation Order

Authorization rules are processed top-to-bottom until the first match:

Policy Set: Wired Dot1X Closed
├── #0: Linux_Admin_EAP-TLS       → Most specific (AD group check)
├── #1: Linux_EAPTLS_Test         → Specific (EAP-TLS)
├── #2: Linux_Posture_Compliant   → General (any posture compliant)
└── #5: Default                   → Catch-all (deny)

Best Practices

  1. Most specific rules first - Put rules with strict conditions at rank 0

  2. Generic rules later - Broader conditions should have higher rank numbers

  3. Always have a default - Last rule should be a catch-all for logging/deny

  4. Document rule purpose - Use descriptive names that explain intent

Example: Wrong vs Right Order

Wrong (generic rule shadows specific):

#0: EAP-TLS_AllUsers     (any EAP-TLS)          ← Matches everything!
#1: EAP-TLS_Admins       (AD group = Admins)    ← Never reached

Right (specific before generic):

#0: EAP-TLS_Admins       (AD group = Admins)    ← Matches admins first
#1: EAP-TLS_AllUsers     (any EAP-TLS)          ← Matches remaining users
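The first-match walk described above, as an added example (not netapi's own code): rules carry the single condition the CLI options express, a few constructed sessions stand in for real endpoints, and `unreachable()` reports rules no representative session ever reaches, which is exactly what the wrong ordering above produces. Attribute keys of the form "DICT.ATTR" and the multi-valued ExternalGroups handling are assumptions of this example.

```python
from dataclasses import dataclass, replace

# Operators accepted by --operator (notEquals is handled separately below).
OPERATORS = {
    "equals":     lambda have, want: have == want,
    "contains":   lambda have, want: want in have,
    "startsWith": lambda have, want: have.startswith(want),
    "endsWith":   lambda have, want: have.endswith(want),
}

@dataclass
class Rule:
    name: str
    profile: str
    dict_: str = "Network Access"    # --dict default
    attr: str = "EapAuthentication"  # --attr default
    value: str = "EAP-TLS"           # --value default
    operator: str = "equals"         # --operator default
    rank: int = 0                    # --rank default (0 = evaluated first)

    def matches(self, session: dict) -> bool:
        # Session attributes are keyed "DICT.ATTR"; ExternalGroups is a list.
        have = session.get(f"{self.dict_}.{self.attr}", [])
        values = have if isinstance(have, list) else [have]
        if self.operator == "notEquals":
            return all(v != self.value for v in values)
        return any(OPERATORS[self.operator](v, self.value) for v in values)

def evaluate(rules, session):
    """First match wins, walking rules by ascending rank; None = fell through."""
    for rule in sorted(rules, key=lambda r: r.rank):
        if rule.matches(session):
            return rule.name
    return None

def unreachable(rules, sessions):
    """Rules no representative session reaches: shadowed by a broader rule ranked earlier."""
    hit = {evaluate(rules, s) for s in sessions}
    return [r.name for r in sorted(rules, key=lambda r: r.rank) if r.name not in hit]

# Constructed representative endpoints: an admin workstation and an ordinary EAP-TLS host.
ADMIN_GROUP = "inside.domusdigitalis.dev/Groups/GRP-Linux-Admin-Workstations"
SESSIONS = [
    {"Network Access.EapAuthentication": "EAP-TLS", "INSIDE-AD.ExternalGroups": [ADMIN_GROUP]},
    {"Network Access.EapAuthentication": "EAP-TLS", "INSIDE-AD.ExternalGroups": []},
]
ALL_USERS = Rule("EAP-TLS_AllUsers", "Linux_EAPTLS_Permit")
ADMINS = Rule("EAP-TLS_Admins", "Linux_EAPTLS_Admins", "INSIDE-AD", "ExternalGroups", ADMIN_GROUP, "contains")
WRONG = [replace(ALL_USERS, rank=0), replace(ADMINS, rank=1)]   # generic first: admins shadowed
RIGHT = [replace(ADMINS, rank=0), replace(ALL_USERS, rank=1)]   # specific first
```

Running `unreachable(WRONG, SESSIONS)` returns `["EAP-TLS_Admins"]`, while the RIGHT ordering returns an empty list; feed it the sessions you actually expect to see on the policy set to catch shadowing before pushing a rank change.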

Post-Change Verification

After creating, modifying, or deleting authorization rules, active sessions don’t automatically update. You must force reauthentication:

# Method 1: CoA reauthentication
netapi ise mnt coa 98:bb:1e:1f:a7:13

# Method 2: Manual reconnect
sudo nmcli connection down Wired-802.1X
sudo nmcli connection up Wired-802.1X

# Wait for reauth
sleep 10

# Verify new assignment
netapi ise dc session 98:bb:1e:1f:a7:13
ip addr show | grep inet

Troubleshooting

Rule Not Matching

  1. Check rule order - Is a higher-ranked rule matching first?

    netapi ise get-authz-rules "Wired Dot1X Closed"
  2. Verify AD group in ISE - For AD group conditions

    netapi ise get-ad-groups INSIDE-AD | grep "GRP-"
  3. Check computer membership - Verify computer is in AD group

    Get-ADGroupMember -Identity "GRP-Linux-Admin-Workstations"
  4. Review session details - See which rule matched

    netapi ise dc session 98:bb:1e:1f:a7:13

Wrong VLAN Assigned

If endpoint gets wrong VLAN:

  1. Check which rule matched - Review session details

  2. Verify authorization profile - Ensure profile has correct VLAN

    netapi ise get-authz-profile Linux_EAPTLS_Admins
  3. Check rule order - Generic rule might be matching first

  4. Force reauthentication - Changes don’t auto-apply

Use Cases

Admin Workstations (Highest Priority)

netapi ise add-authz-rule "Wired Dot1X Closed" \
  "Linux_Admin_EAP-TLS" \
  "Linux_EAPTLS_Admins" \
  --dict "INSIDE-AD" \
  --attr "ExternalGroups" \
  --value "inside.domusdigitalis.dev/Groups/GRP-Linux-Admin-Workstations" \
  --operator "contains" \
  --rank 0

Research Workstations (Medium Priority)

netapi ise add-authz-rule "Wired Dot1X Closed" \
  "Linux_Research_EAP-TLS" \
  "Linux_Research_Profile" \
  --dict "INSIDE-AD" \
  --attr "ExternalGroups" \
  --value "inside.domusdigitalis.dev/Groups/GRP-Research-Linux-Workstations" \
  --operator "contains" \
  --rank 1

Standard Users (Lower Priority)

netapi ise add-authz-rule "Wired Dot1X Closed" \
  "Linux_Standard_EAP-TLS" \
  "Linux_Standard_Profile" \
  --dict "Network Access" \
  --attr "EapAuthentication" \
  --value "EAP-TLS" \
  --operator "equals" \
  --rank 2

Cleanup Unused Rules

# Remove test rule
netapi ise delete-authz-rule "Wired Dot1X Closed" "Linux_EAPTLS_Test" --force

# Verify deletion
netapi ise get-authz-rules "Wired Dot1X Closed"

API Reference

ISE ERS API endpoints used:

Endpoint                                                                            Purpose
GET    /ers/config/networkaccesspolicyset                                           List policy sets (get policy set ID)
GET    /ers/config/networkaccesspolicyset/{id}                                      Get authorization rules in policy set
POST   /ers/config/networkaccesspolicyset/{policyId}/authorizationpolicy            Create authorization rule
DELETE /ers/config/networkaccesspolicyset/{policyId}/authorizationpolicy/{ruleId}   Delete authorization rule

SDK Methods:

# List rules
client.network_access_authorization_rules.get_all(policy_id=policy_id)

# Create rule
client.network_access_authorization_rules.create(
    policy_id=policy_id,
    rule={...},
    profile=[profile_name]
)

# Delete rule
client.network_access_authorization_rules.delete_network_access_authorization_rule_by_id(
    policy_id=policy_id,
    id=rule_id
)
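An added example, not part of netapi, that builds the `rule` argument for the create call above from the CLI options and their defaults, and reproduces the join-point check from "Prerequisites for AD Group Conditions" locally so the failure is caught before the POST. The condition layout ("ConditionAttributes" with dictionaryName/attributeName/operator/attributeValue) is assumed from the ISE Open API schema, and `JOINED_GROUPS` is a constructed listing.

```python
ALLOWED_OPERATORS = {"equals", "contains", "startsWith", "endsWith", "notEquals"}

def check_prerequisites(dict_, attr, value, operator, rank, joined_groups):
    """Return an error message, or None if the rule can be created.

    joined_groups: groups already added to the ISE join point (what
    `netapi ise get-ad-groups <JOINPOINT>` lists). This mirrors step 3 of
    the prerequisites instead of letting ISE reject the request.
    """
    if operator not in ALLOWED_OPERATORS:
        return f"unsupported operator: {operator}"
    if rank < 0:
        return "rank must be 0 or higher (0 = evaluated first)"
    if attr == "ExternalGroups":
        # Compare on the final path component so a bare group name and a
        # full "domain/Groups/Name" entry both satisfy the check (assumption).
        wanted = value.rsplit("/", 1)[-1]
        if wanted not in {g.rsplit("/", 1)[-1] for g in joined_groups}:
            return "Value for attribute is not a permitted option"
    return None

def build_rule(name, dict_="Network Access", attr="EapAuthentication",
               value="EAP-TLS", operator="equals", rank=0, joined_groups=()):
    """Build the `rule` dict for client.network_access_authorization_rules.create().
    Defaults mirror the CLI options; the condition shape is an assumption."""
    error = check_prerequisites(dict_, attr, value, operator, rank, joined_groups)
    if error:
        raise ValueError(error)
    return {
        "name": name,
        "rank": rank,
        "state": "enabled",
        "condition": {
            "conditionType": "ConditionAttributes",
            "isNegate": False,
            "dictionaryName": dict_,
            "attributeName": attr,
            "operator": operator,
            "attributeValue": value,
        },
    }

# Constructed join-point listing, as get-ad-groups INSIDE-AD might report it.
JOINED_GROUPS = ["inside.domusdigitalis.dev/Groups/GRP-Linux-Admin-Workstations"]
```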