Authentication Rules

Overview

Authentication rules within a policy set select which authentication protocol (EAP-TLS, PEAP, MAB, etc.) and identity source to use, based on attributes of the incoming request (for example the EAP method or the RADIUS Service-Type), and define what happens when authentication, processing, or user lookup fails.

Base URL

/api/v1/policy/network-access/policy-set/{policyId}/authentication

Methods

GET, POST, PUT, DELETE

Key Fields

name, condition, identitySourceName, rank

Setup

dsource d000 dev/network
ISE_HOST="${ISE_PAN_IP}"
ISE_AUTH="${ISE_API_USER}:${ISE_API_PASS}"
POLICY_ID="your-policy-set-id"

List Auth Rules

# List all authentication rules in a policy set
# Note: -k skips TLS certificate verification of the ISE node; outside a lab, replace it with --cacert <ISE CA bundle>
curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_HOST}/api/v1/policy/network-access/policy-set/${POLICY_ID}/authentication" \
  -H "Accept: application/json" | jq '.response[] | {name, rank, identitySourceName}'

Get Auth Rule

RULE_ID="rule-uuid"
curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_HOST}/api/v1/policy/network-access/policy-set/${POLICY_ID}/authentication/${RULE_ID}" \
  -H "Accept: application/json"

Create Auth Rule

EAP-TLS Rule

curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_HOST}/api/v1/policy/network-access/policy-set/${POLICY_ID}/authentication" \
  -H "Content-Type: application/json" \
  -X POST -d '{
    "rule": {
      "name": "EAP-TLS Authentication",
      "rank": 1,
      "state": "enabled",
      "condition": {
        "conditionType": "ConditionAttributes",
        "attributeName": "EapAuthentication",
        "operator": "equals",
        "attributeValue": "EAP-TLS"
      }
    },
    "identitySourceName": "Internal Endpoints",
    "ifAuthFail": "REJECT",
    "ifProcessFail": "DROP",
    "ifUserNotFound": "REJECT"
  }'

MAB Rule

curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_HOST}/api/v1/policy/network-access/policy-set/${POLICY_ID}/authentication" \
  -H "Content-Type: application/json" \
  -X POST -d '{
    "rule": {
      "name": "MAB Authentication",
      "rank": 2,
      "state": "enabled",
      "condition": {
        "conditionType": "ConditionAttributes",
        "attributeName": "Radius:Service-Type",
        "operator": "equals",
        "attributeValue": "Call-Check"
      }
    },
    "identitySourceName": "Internal Endpoints",
    "ifAuthFail": "CONTINUE",
    "ifProcessFail": "DROP",
    "ifUserNotFound": "CONTINUE"
  }'

Update Auth Rule

RULE_ID="rule-uuid"
# The "id" inside "rule" must match the RULE_ID used in the URL path
curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_HOST}/api/v1/policy/network-access/policy-set/${POLICY_ID}/authentication/${RULE_ID}" \
  -H "Content-Type: application/json" \
  -X PUT -d '{
    "rule": {
      "id": "'${RULE_ID}'",
      "name": "EAP-TLS Authentication (Updated)",
      "rank": 1,
      "state": "enabled"
    },
    "identitySourceName": "Internal Endpoints"
  }'

Delete Auth Rule

RULE_ID="rule-uuid"
# Deletion is immediate; confirm the rule with a GET first
curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_HOST}/api/v1/policy/network-access/policy-set/${POLICY_ID}/authentication/${RULE_ID}" \
  -X DELETE

Identity Sources

Common identity sources for authentication rules:

Source                               Use Case
Internal Endpoints                   MAB lookup against endpoint database
Internal Users                       Local user authentication
All_AD_Join_Points                   Active Directory authentication
Certificate Authentication Profile   EAP-TLS certificate validation

Failure Actions

Action     Description
REJECT     Reject authentication, send Access-Reject
DROP       Silently drop, no response
CONTINUE   Try next rule in sequence
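The Create Auth Rule calls above send hand-written JSON, so a typo in a failure action or a non-numeric rank is only caught by the API (or, worse, silently accepted by a lenient client). The following script is an added example, not part of the ISE documentation: it validates the rule fields locally against the values documented in this page (REJECT/DROP/CONTINUE, numeric rank), builds the POST body, and only then calls the Create endpoint. It assumes ISE_HOST, ISE_AUTH and POLICY_ID are set as in Setup; ISE_DRY_RUN and ISE_CA_BUNDLE are variables invented for this example.

```shell
#!/bin/sh
# Added example (not from the ISE docs): validate an authentication-rule
# definition locally, then emit/post the body used by Create Auth Rule.
# Assumes ISE_HOST, ISE_AUTH and POLICY_ID are exported as in Setup.
# ISE_DRY_RUN and ISE_CA_BUNDLE are hypothetical variables for this example.

# Return 0 if the value is one of the documented failure actions.
valid_failure_action() {
  case "$1" in
    REJECT|DROP|CONTINUE) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if rank is a non-negative integer (rules are evaluated in rank order).
valid_rank() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Escape backslashes and double quotes so a value cannot break the JSON literal.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# build_auth_rule NAME RANK ATTR OPERATOR VALUE IDSOURCE IF_AUTH_FAIL IF_PROCESS_FAIL IF_USER_NOT_FOUND
# Prints the JSON body on stdout; prints nothing and returns 1 if a field is invalid.
build_auth_rule() {
  name=$1 rank=$2 attr=$3 op=$4 value=$5 idsrc=$6 auth_fail=$7 proc_fail=$8 not_found=$9
  valid_rank "$rank" || { echo "invalid rank: $rank" >&2; return 1; }
  for a in "$auth_fail" "$proc_fail" "$not_found"; do
    valid_failure_action "$a" || { echo "invalid failure action: $a" >&2; return 1; }
  done
  printf '{"rule":{"name":"%s","rank":%s,"state":"enabled","condition":{"conditionType":"ConditionAttributes","attributeName":"%s","operator":"%s","attributeValue":"%s"}},"identitySourceName":"%s","ifAuthFail":"%s","ifProcessFail":"%s","ifUserNotFound":"%s"}\n' \
    "$(json_escape "$name")" "$rank" "$(json_escape "$attr")" "$(json_escape "$op")" \
    "$(json_escape "$value")" "$(json_escape "$idsrc")" "$auth_fail" "$proc_fail" "$not_found"
}

# create_auth_rule: same arguments as build_auth_rule. With ISE_DRY_RUN set it
# only prints the body; otherwise it POSTs to the Create Auth Rule endpoint,
# verifying the ISE certificate against ISE_CA_BUNDLE instead of using -k.
create_auth_rule() {
  body=$(build_auth_rule "$@") || return 1
  if [ -n "${ISE_DRY_RUN:-}" ]; then
    printf '%s\n' "$body"
    return 0
  fi
  curl -s --cacert "${ISE_CA_BUNDLE:?set ISE_CA_BUNDLE to the ISE CA bundle path}" \
    -u "${ISE_AUTH}" \
    "https://${ISE_HOST}/api/v1/policy/network-access/policy-set/${POLICY_ID}/authentication" \
    -H "Content-Type: application/json" -X POST -d "$body"
}

# Usage (dry run reproduces the MAB Rule body from this page):
#   ISE_DRY_RUN=1 create_auth_rule "MAB Authentication" 2 "Radius:Service-Type" equals \
#     Call-Check "Internal Endpoints" CONTINUE DROP CONTINUE
```

Running with ISE_DRY_RUN=1 first and diffing the printed body against the intended rule is a cheap way to catch a wrong failure action before it reaches the policy set, where a CONTINUE in place of a REJECT changes which rule ends up authenticating the endpoint.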