Conditions & Dictionaries

Overview

Conditions are the building blocks of ISE policies. They evaluate attributes from various dictionaries (RADIUS, Posture, Device, AD, etc.).

Commands

Command Description

Command	Description
`get-conditions`	List all conditions
`get-condition`	Get specific condition
`create-condition`	Create generic condition
`create-posture-condition`	Create posture-specific condition
`delete-condition`	Delete a condition
`get-dictionaries`	List available dictionaries
`get-dictionary`	Get dictionary attributes

get-conditions

List all conditions

get-condition

Get specific condition

create-condition

Create generic condition

create-posture-condition

Create posture-specific condition

delete-condition

Delete a condition

get-dictionaries

List available dictionaries

get-dictionary

Get dictionary attributes

List Conditions

# All conditions
netapi ise get-conditions

# Filter by dictionary
netapi ise get-conditions --dict Posture
netapi ise get-conditions --dict RADIUS
netapi ise get-conditions --dict Device

List Dictionaries

# Show all available dictionaries
netapi ise get-dictionaries

# Get attributes for specific dictionary
netapi ise get-dictionary Posture
netapi ise get-dictionary RADIUS
netapi ise get-dictionary "Network Access"

Create Posture Condition

# Dry run first
netapi ise create-posture-condition "Posture_Compliant" \
    --attr PostureStatus --value Compliant --dry-run

# Create condition
netapi ise create-posture-condition "Posture_Compliant" \
    --attr PostureStatus --value Compliant

# Non-compliant condition
netapi ise create-posture-condition "Posture_NonCompliant" \
    --attr PostureStatus --value NonCompliant

# Unknown posture
netapi ise create-posture-condition "Posture_Unknown" \
    --attr PostureStatus --value Unknown

Create Generic Condition

# RADIUS NAS-Port-Type condition
netapi ise create-condition "Wireless_802.11" \
    --dict RADIUS --attr NAS-Port-Type --value "Wireless-IEEE-802.11"

# Device type condition
netapi ise create-condition "Is_Windows" \
    --dict Device --attr DeviceType --value "Windows"

# Negated condition
netapi ise create-condition "Not_Guest_VLAN" \
    --dict RADIUS --attr NAS-Port-Id --value "guest" --negate

Delete Condition

netapi ise delete-condition "Old_Unused_Condition"

Common Dictionaries

Dictionary	Use Case	Example Attributes
Posture	Endpoint compliance	PostureStatus, PostureExpiry
RADIUS	RADIUS attributes	NAS-Port-Type, Called-Station-ID
Network Access	EAP/Auth methods	EapAuthentication, AuthenticationMethod
Device	Endpoint profiling	DeviceType, OperatingSystem
Session	Active session	Session-Timeout, PostureStatus
AD	Active Directory	ExternalGroups, memberOf

Dictionary

Use Case

Example Attributes

Posture

Endpoint compliance

PostureStatus, PostureExpiry

RADIUS

RADIUS attributes

NAS-Port-Type, Called-Station-ID

Network Access

EAP/Auth methods

EapAuthentication, AuthenticationMethod

Device

Endpoint profiling

DeviceType, OperatingSystem

Session

Active session

Session-Timeout, PostureStatus

Active Directory

ExternalGroups, memberOf

Use Cases

Posture Policy Setup

#!/bin/bash
# Create full posture condition set

# Compliant - full access
netapi ise create-posture-condition "Posture_Compliant" \
    --attr PostureStatus --value Compliant \
    --descr "Endpoint passed posture assessment"

# Non-compliant - remediation
netapi ise create-posture-condition "Posture_NonCompliant" \
    --attr PostureStatus --value NonCompliant \
    --descr "Endpoint failed posture assessment"

# Unknown - limited access
netapi ise create-posture-condition "Posture_Unknown" \
    --attr PostureStatus --value Unknown \
    --descr "Posture status not yet determined"

Discover Available Attributes

#!/bin/bash
# List all posture-related attributes
netapi ise get-dictionary Posture

Related Commands

policy-sets - Use conditions in policies
authz-profiles - Apply based on conditions