Authorization Rules

Overview

Authorization rules determine what access profile to assign based on identity and other attributes. Rules are evaluated in order (by rank).

Base URL

/api/v1/policy/network-access/policy-set/${POLICY_ID}/authorization

Methods

GET, POST, PUT, DELETE

Key Fields

name, condition, profile, rank, securityGroup

Setup

dsource d000 dev/network
ISE_HOST="${ISE_PAN_IP}"
ISE_AUTH="${ISE_API_USER}:${ISE_API_PASS}"
POLICY_ID="your-policy-set-id"

List Authz Rules

curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_HOST}/api/v1/policy/network-access/policy-set/${POLICY_ID}/authorization" \
  -H "Accept: application/json" | jq '.response[] | {name: .rule.name, rank: .rule.rank, profile}'

Get Authz Rule

RULE_ID="rule-uuid"
curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_HOST}/api/v1/policy/network-access/policy-set/${POLICY_ID}/authorization/${RULE_ID}" \
  -H "Accept: application/json"

Create Authz Rule

EAP-TLS Full Access

curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_HOST}/api/v1/policy/network-access/policy-set/${POLICY_ID}/authorization" \
  -H "Content-Type: application/json" \
  -X POST -d '{
    "rule": {
      "name": "EAP-TLS Full Access",
      "rank": 1,
      "state": "enabled",
      "condition": {
        "conditionType": "ConditionAndBlock",
        "children": [
          {
            "conditionType": "ConditionAttributes",
            "attributeName": "IdentityGroup:Name",
            "operator": "equals",
            "attributeValue": "Endpoint Identity Groups:Linux-Workstations"
          },
          {
            "conditionType": "ConditionAttributes",
            "attributeName": "Network Access:EapAuthentication",
            "operator": "equals",
            "attributeValue": "EAP-TLS"
          }
        ]
      }
    },
    "profile": ["Linux-EAP-TLS-Access"],
    "securityGroup": "Linux_Workstations"
  }'

MAB Onboarding

curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_HOST}/api/v1/policy/network-access/policy-set/${POLICY_ID}/authorization" \
  -H "Content-Type: application/json" \
  -X POST -d '{
    "rule": {
      "name": "MAB Onboarding",
      "rank": 10,
      "state": "enabled",
      "condition": {
        "conditionType": "ConditionAttributes",
        "attributeName": "Radius:Service-Type",
        "operator": "equals",
        "attributeValue": "Call-Check"
      }
    },
    "profile": ["MAB-Onboarding"]
  }'

Default Deny

curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_HOST}/api/v1/policy/network-access/policy-set/${POLICY_ID}/authorization" \
  -H "Content-Type: application/json" \
  -X POST -d '{
    "rule": {
      "name": "Default Deny",
      "rank": 99,
      "state": "enabled",
      "default": true
    },
    "profile": ["DenyAccess"]
  }'

Update Authz Rule

RULE_ID="rule-uuid"
curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_HOST}/api/v1/policy/network-access/policy-set/${POLICY_ID}/authorization/${RULE_ID}" \
  -H "Content-Type: application/json" \
  -X PUT -d '{
    "rule": {
      "id": "'${RULE_ID}'",
      "name": "EAP-TLS Full Access (Updated)",
      "rank": 1,
      "state": "enabled"
    },
    "profile": ["Linux-EAP-TLS-Access-v2"]
  }'

Delete Authz Rule

RULE_ID="rule-uuid"
curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_HOST}/api/v1/policy/network-access/policy-set/${POLICY_ID}/authorization/${RULE_ID}" \
  -X DELETE

Reorder Rules

Rules are evaluated by rank. Lower rank = higher priority.

# Move rule to rank 1 (top priority)
RULE_ID="rule-uuid"
curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_HOST}/api/v1/policy/network-access/policy-set/${POLICY_ID}/authorization/${RULE_ID}" \
  -H "Content-Type: application/json" \
  -X PUT -d '{
    "rule": {
      "id": "'${RULE_ID}'",
      "rank": 1
    }
  }'
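Added example, not from the page or from Cisco: an offline evaluator and ordering audit for rule objects in the shape of the POST bodies above (assumed to be the same shape GET returns under "response"; the sample data is constructed). It shows why rank decides the outcome when several rules could match, and flags a default rule that is not last.

```python
# Constructed sample in the shape of the POST bodies above (assumed to match
# what GET returns under "response"); not real ISE output.
SAMPLE = {"response": [
    {"rule": {"name": "MAB Onboarding", "rank": 10, "state": "enabled",
              "condition": {"conditionType": "ConditionAttributes",
                            "attributeName": "Radius:Service-Type",
                            "operator": "equals", "attributeValue": "Call-Check"}},
     "profile": ["MAB-Onboarding"]},
    {"rule": {"name": "EAP-TLS Full Access", "rank": 1, "state": "enabled",
              "condition": {"conditionType": "ConditionAndBlock", "children": [
                  {"conditionType": "ConditionAttributes", "operator": "equals",
                   "attributeName": "IdentityGroup:Name",
                   "attributeValue": "Endpoint Identity Groups:Linux-Workstations"},
                  {"conditionType": "ConditionAttributes", "operator": "equals",
                   "attributeName": "Network Access:EapAuthentication",
                   "attributeValue": "EAP-TLS"}]}},
     "profile": ["Linux-EAP-TLS-Access"], "securityGroup": "Linux_Workstations"},
    {"rule": {"name": "Default Deny", "rank": 99, "state": "enabled", "default": True},
     "profile": ["DenyAccess"]},
]}

def matches(cond, attrs):
    # Evaluate a condition node (And block or attribute leaf) against session attributes.
    ctype = cond["conditionType"]
    if ctype == "ConditionAndBlock":
        return all(matches(c, attrs) for c in cond["children"])
    if ctype == "ConditionAttributes" and cond["operator"] == "equals":
        return attrs.get(cond["attributeName"]) == cond["attributeValue"]
    raise ValueError(f"unsupported condition: {cond}")  # only the shapes shown on this page

def evaluate(response, attrs):
    # First enabled rule by ascending rank wins; the default rule matches any session.
    for entry in sorted(response["response"], key=lambda e: e["rule"]["rank"]):
        rule = entry["rule"]
        if rule.get("state") != "enabled":
            continue
        if rule.get("default") or matches(rule["condition"], attrs):
            return rule["name"], entry.get("profile", []), entry.get("securityGroup")
    return None, [], None

def audit(response):
    # Ordering mistakes that silently change which profile a session receives.
    rules = [e["rule"] for e in response["response"]]
    ranks = [r["rank"] for r in rules]
    problems = [f"duplicate rank {r}" for r in sorted(set(r for r in ranks if ranks.count(r) > 1))]
    defaults = [r for r in rules if r.get("default")]
    if len(defaults) != 1:
        problems.append("expected exactly one default rule")
    elif defaults[0]["rank"] != max(ranks):
        problems.append("default rule is not last; later-ranked rules are unreachable")
    return problems
```

Run `evaluate(SAMPLE, {...})` with a session's attributes to see which rule and profile it would land on, and `audit(SAMPLE)` before pushing a rank change with the PUT above.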

Common Condition Attributes

Attribute                           Example Value
IdentityGroup:Name                  Endpoint Identity Groups:Linux-Workstations
Network Access:EapAuthentication    EAP-TLS, PEAP, EAP-FAST
Radius:Service-Type                 Call-Check (MAB), Framed (802.1X)
CERTIFICATE:Subject - Common Name   *@example.com
AD:ExternalGroups                   example.com/Users/Domain Users