Policy Sets

Overview

Policy sets define authentication and authorization behavior for network access. This page covers the commands for viewing and modifying ISE policy sets, their rules and their conditions.

These commands use the ISE OpenAPI (not the ERS API) for policy set management.

Commands

Command                        Description
get-policy-sets                List all policy sets
get-policy-set                 Get specific policy set details
get-auth-rules                 List authentication rules
get-authz-rules                List authorization rules
add-auth-rule                  Add authentication rule
delete-auth-rule               Delete authentication rule
add-authz-rule                 Add authorization rule
delete-authz-rule              Delete authorization rule
add-policy-set-condition       Add a condition to a policy set (keeps existing conditions)
replace-policy-set-condition   Replace all conditions on a policy set (destructive)
audit                          Full audit of all policies

List Policy Sets

netapi ise get-policy-sets
netapi ise get-policy-sets --size 50 --page 2

Options:
  --size, -s INTEGER    Results per page (default: 100)
  --page, -p INTEGER    Page number (default: 1)

Get Policy Set Details

# By name
netapi ise get-policy-set "Corp WIFI"

# By UUID
netapi ise get-policy-set 9557d91c-591b-4d8d-9898-657a62f28d76

List Authentication Rules

netapi ise get-auth-rules "Corp WIFI"

List Authorization Rules

netapi ise get-authz-rules "Corp WIFI"

Add Authorization Rule

# Dry run first (recommended)
netapi ise add-authz-rule "Corp WIFI" "EAP_TLS_Trusted" "Domus_Secure_Profile" --dry-run

# Add EAP-TLS authorization rule
netapi ise add-authz-rule "Corp WIFI" "EAP_TLS_Trusted" "Domus_Secure_Profile"

# Add rule with custom condition
netapi ise add-authz-rule "Corp WIFI" "AD_Users" "PermitAccess" \
    --dict "AD" --attr "ExternalGroups" --value "domain.com/Users" --operator contains

# Add at specific position
netapi ise add-authz-rule "Corp WIFI" "New_Rule" "Profile" --rank 0  # Top
netapi ise add-authz-rule "Corp WIFI" "New_Rule" "Profile" --rank 5  # Position 5

Add Authentication Rule

# Add EAP-TLS authentication rule
netapi ise add-auth-rule "Corp WIFI" "Cert_Auth" "AD_Cert_Profile" --dry-run
netapi ise add-auth-rule "Corp WIFI" "Cert_Auth" "AD_Cert_Profile"

Manage Policy Set Conditions

Add Condition (Safe)

Safely adds a new condition to a policy set using OR logic, so the existing conditions are preserved.

# Add Domus-Secure SSID to Corp WIFI (keeps existing HomeRF)
netapi ise add-policy-set-condition "Corp WIFI" "Domus-Secure"

# Add another SSID
netapi ise add-policy-set-condition "Corp WIFI" "CorpNet-5G"

# Use different attribute/operator
netapi ise add-policy-set-condition "IoT WIFI" "IoT_" --operator startsWith

# Custom RADIUS attribute
netapi ise add-policy-set-condition "Guest WIFI" "guest" --attribute NAS-Port-Id

Replace Conditions (Destructive)

This replaces ALL existing conditions on the policy set!

# Replace all conditions with a single SSID match
netapi ise replace-policy-set-condition "Corp WIFI" "CorpNet-Secure"

Full Policy Audit

# Display audit to terminal
netapi ise audit

# Save to file
netapi ise audit --output ise-policy-audit.txt

The audit command loops through ALL policy sets and displays:

  • Policy set name and conditions
  • Authentication rules with identity sources
  • Authorization rules with profiles

Use Cases

Brownfield Assessment

#!/bin/bash
# Document existing ISE policies
DATE=$(date +%Y-%m-%d)
netapi ise audit --output "ise-audit-${DATE}.txt"
echo "Audit saved to ise-audit-${DATE}.txt"

Add EAP-TLS Rule to All Wireless Policy Sets

#!/bin/bash
# Dry-run the same EAP-TLS authorization rule against each wireless policy set;
# drop --dry-run once the dry-run output looks right.
for ps in "Corp WIFI" "Guest WIFI" "IoT WIFI"; do
  echo "Adding EAP-TLS rule to: $ps"
  netapi ise add-authz-rule "$ps" "EAP_TLS_Cert_Auth" "Secure_Profile" --dry-run
done
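A guarded rollout wrapper around the commands above, added here as an example and not part of the netapi project: it snapshots the audit, dry-runs the add, applies only if the dry run passes, and diffs the two audits so the change reviewer sees exactly what changed. The NETAPI variable is an assumption of this script (it lets a stand-in command be substituted), and the audit file content is whatever the CLI writes.

```bash
#!/bin/bash
# Guarded rollout of an authorization rule with netapi:
#   1. snapshot the full policy audit
#   2. dry-run the add-authz-rule command
#   3. apply it only if the dry run succeeded
#   4. re-audit and diff, so the reviewer sees exactly what moved
set -e

# NETAPI is an assumption of this script, not a netapi feature: it lets a
# stand-in command be substituted for testing. Default is the real CLI.
NETAPI="${NETAPI:-netapi}"

# Write the audit to a timestamped file and print the file name.
snapshot_audit() {
  local label="$1" file
  file="ise-audit-${label}-$(date +%Y%m%dT%H%M%S).txt"
  "$NETAPI" ise audit --output "$file"
  printf '%s\n' "$file"
}

# guarded_add_authz_rule POLICY_SET RULE PROFILE [extra add-authz-rule options]
# Returns 0 when the rule was applied, 1 when the dry run rejected it
# (in which case nothing has been changed on ISE).
guarded_add_authz_rule() {
  local policy_set="$1" rule="$2" profile="$3" before after
  shift 3   # e.g. --rank 0 or --dict/--attr/--value/--operator pass through
  before=$(snapshot_audit before)
  if ! "$NETAPI" ise add-authz-rule "$policy_set" "$rule" "$profile" "$@" --dry-run; then
    echo "dry run failed for '$rule' in '$policy_set'; nothing changed" >&2
    return 1
  fi
  "$NETAPI" ise add-authz-rule "$policy_set" "$rule" "$profile" "$@"
  after=$(snapshot_audit after)
  # diff exits 0 only when both audits are identical, which means the add
  # did not show up in the audit and deserves a closer look.
  if diff -u "$before" "$after"; then
    echo "warning: audit unchanged after adding '$rule' to '$policy_set'" >&2
  fi
}

# Roll one rule out to several policy sets, stopping at the first failure.
# Usage: rollout_eap_tls_rule "Corp WIFI" "Guest WIFI" "IoT WIFI"
rollout_eap_tls_rule() {
  local ps
  for ps in "$@"; do
    echo "Adding EAP-TLS rule to: $ps"
    guarded_add_authz_rule "$ps" "EAP_TLS_Cert_Auth" "Secure_Profile" --rank 0
  done
}
```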