Conditions

Overview

Conditions define the matching criteria for policy rules. A condition is either a single attribute match or a nested AND/OR/NOT tree of such matches, and it can be stored once in the condition library and referenced from several rules.

Library URL

/api/v1/policy/network-access/condition

Dictionary URL

/api/v1/policy/network-access/dictionaries

Condition Types

Type                 Description                  Children
ConditionAttributes  Single attribute match       No
ConditionReference   Reference library condition  No
ConditionAndBlock    All children must match      Yes
ConditionOrBlock     Any child must match         Yes
ConditionNotBlock    Negate child condition       Yes (exactly one)

List Library Conditions

curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
  "https://${ISE_PAN_IP}/api/v1/policy/network-access/condition" \
  -H "Accept: application/json" | jq '.response[] | {name, id, conditionType}'

Create Library Condition

Simple Condition

curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_PAN_IP}/api/v1/policy/network-access/condition" \
  -H "Content-Type: application/json" \
  -X POST -d '{
    "name": "EAP-TLS Authentication",
    "description": "Matches EAP-TLS authentication method",
    "conditionType": "ConditionAttributes",
    "attributeName": "Network Access:EapAuthentication",
    "operator": "equals",
    "attributeValue": "EAP-TLS"
  }'

Compound Condition

curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_PAN_IP}/api/v1/policy/network-access/condition" \
  -H "Content-Type: application/json" \
  -X POST -d '{
    "name": "Linux EAP-TLS Workstation",
    "description": "Linux workstation with EAP-TLS auth",
    "conditionType": "ConditionAndBlock",
    "children": [
      {
        "conditionType": "ConditionAttributes",
        "attributeName": "IdentityGroup:Name",
        "operator": "equals",
        "attributeValue": "Endpoint Identity Groups:Linux-Workstations"
      },
      {
        "conditionType": "ConditionAttributes",
        "attributeName": "Network Access:EapAuthentication",
        "operator": "equals",
        "attributeValue": "EAP-TLS"
      }
    ]
  }'

Operators

Operator       Description         Example
equals         Exact match         "operator": "equals"
notEquals      Not equal           "operator": "notEquals"
contains       String contains     "operator": "contains"
startsWith     String starts with  "operator": "startsWith"
endsWith       String ends with    "operator": "endsWith"
matches        Regex match         "operator": "matches"
greaterThan    Numeric >           "operator": "greaterThan"
lessThan       Numeric <           "operator": "lessThan"
ipEquals       IP address match    "operator": "ipEquals"
ipNotEquals    IP not match        "operator": "ipNotEquals"
ipGreaterThan  IP range >          "operator": "ipGreaterThan"
ipLessThan     IP range <          "operator": "ipLessThan"
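To make the condition-type semantics and the operator table concrete, the following is an added Python evaluator (it is not ISE code and not part of the original page) that applies a condition tree of the shape used in the API payloads above to a constructed dictionary of session attributes. It is a local model for testing a condition's logic before it gates access; the edge-case behaviour it encodes is an assumption, not documented ISE behaviour: an attribute absent from the session never matches (even under notEquals), "matches" is an unanchored regular-expression search, an empty AND/OR block is rejected instead of silently matching everything, and comparing an IPv4 address with an IPv6 address only satisfies ipNotEquals.

```python
import ipaddress
import re
from typing import Any, Dict, Optional

Condition = Dict[str, Any]
Session = Dict[str, Any]
Library = Dict[str, Condition]

# Constructed sample of the attributes one authentication session might carry.
# Names use the "Dictionary:Attribute" form seen in the API payloads.
SAMPLE_SESSION: Session = {
    "Network Access:EapAuthentication": "EAP-TLS",
    "IdentityGroup:Name": "Endpoint Identity Groups:Linux-Workstations",
    "Radius:NAS-Port-Type": "Ethernet",
    "Radius:Calling-Station-Id": "00-11-22-33-44-55",
    "Radius:NAS-IP-Address": "10.1.2.3",
    "Radius:NAS-Port": "48",
}

# The compound condition from the page, as an in-memory tree.
LINUX_EAP_TLS: Condition = {
    "conditionType": "ConditionAndBlock",
    "children": [
        {"conditionType": "ConditionAttributes",
         "attributeName": "IdentityGroup:Name", "operator": "equals",
         "attributeValue": "Endpoint Identity Groups:Linux-Workstations"},
        {"conditionType": "ConditionAttributes",
         "attributeName": "Network Access:EapAuthentication", "operator": "equals",
         "attributeValue": "EAP-TLS"},
    ],
}


def _numeric(op: str, actual: str, expected: str) -> bool:
    try:
        a, e = float(actual), float(expected)
    except ValueError:
        return False  # non-numeric operands never satisfy a numeric operator
    return a > e if op == "greaterThan" else a < e


def _ip(op: str, actual: str, expected: str) -> bool:
    try:
        a, e = ipaddress.ip_address(actual), ipaddress.ip_address(expected)
    except ValueError:
        return False  # malformed address never matches
    if a.version != e.version:
        return op == "ipNotEquals"  # assumption: mixed families only satisfy "not equal"
    return {"ipEquals": a == e, "ipNotEquals": a != e,
            "ipGreaterThan": a > e, "ipLessThan": a < e}[op]


def match_attribute(cond: Condition, session: Session) -> bool:
    """Evaluate one ConditionAttributes leaf against the session."""
    name, op, expected = cond["attributeName"], cond["operator"], str(cond["attributeValue"])
    if name not in session:
        return False  # assumption: an absent attribute never matches, not even for notEquals
    actual = str(session[name])
    string_ops = {
        "equals": lambda: actual == expected,
        "notEquals": lambda: actual != expected,
        "contains": lambda: expected in actual,
        "startsWith": lambda: actual.startswith(expected),
        "endsWith": lambda: actual.endswith(expected),
        "matches": lambda: re.search(expected, actual) is not None,  # assumption: unanchored
    }
    if op in string_ops:
        return string_ops[op]()
    if op in ("greaterThan", "lessThan"):
        return _numeric(op, actual, expected)
    if op in ("ipEquals", "ipNotEquals", "ipGreaterThan", "ipLessThan"):
        return _ip(op, actual, expected)
    raise ValueError(f"unknown operator: {op}")


def evaluate(cond: Condition, session: Session, library: Optional[Library] = None) -> bool:
    """Evaluate a condition tree; `library` maps library ids to their condition trees."""
    ctype = cond["conditionType"]
    if ctype == "ConditionAttributes":
        return match_attribute(cond, session)
    if ctype == "ConditionReference":
        # An unknown library id is a configuration error (KeyError), not a non-match.
        return evaluate((library or {})[cond["id"]], session, library)
    children = cond.get("children", [])
    if not children:
        raise ValueError(f"{ctype} has no children")  # refuse rather than guess
    if ctype == "ConditionAndBlock":
        return all(evaluate(c, session, library) for c in children)
    if ctype == "ConditionOrBlock":
        return any(evaluate(c, session, library) for c in children)
    if ctype == "ConditionNotBlock":
        if len(children) != 1:
            raise ValueError("ConditionNotBlock takes exactly one child")
        return not evaluate(children[0], session, library)
    raise ValueError(f"unknown conditionType: {ctype}")
```

Run a candidate condition against sessions that should and should not match (for example the same session with EapAuthentication changed to PEAP) before publishing it; the missing-attribute rule in particular means a notEquals condition is not a safe "everything except" filter for sessions that never carry the attribute at all.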

Dictionary Attributes

List Dictionaries

curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_PAN_IP}/api/v1/policy/network-access/dictionaries" \
  -H "Accept: application/json" | jq '.response[].name'

List Dictionary Attributes

DICT_NAME="Radius"
curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_PAN_IP}/api/v1/policy/network-access/dictionaries/${DICT_NAME}/attribute" \
  -H "Accept: application/json" | jq '.response[] | {name, dataType}'

Common Dictionaries

Dictionary      Common Attributes                                   Example Values
Radius          Service-Type, NAS-Port-Type, Calling-Station-Id     Call-Check, Ethernet, MAC address
Network Access  EapAuthentication, AuthenticationMethod, Protocol   EAP-TLS, mab, RADIUS
IdentityGroup   Name                                                Endpoint Identity Groups:Linux-Workstations
Device          Device Type, Location, Name                         All Device Types#Wired, All Locations#Building1
CERTIFICATE     Subject - Common Name, Issuer - Common Name         host.example.com, DOMUS-ISSUING-CA
AD              ExternalGroups, AD-User-Resolved                    domain.com/Users/Group, True

Using Conditions in Rules

Reference library condition:

{
  "rule": {
    "name": "My Rule",
    "condition": {
      "conditionType": "ConditionReference",
      "id": "condition-uuid-from-library"
    }
  }
}

Inline condition:

{
  "rule": {
    "name": "My Rule",
    "condition": {
      "conditionType": "ConditionAttributes",
      "attributeName": "Network Access:EapAuthentication",
      "operator": "equals",
      "attributeValue": "EAP-TLS"
    }
  }
}
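The payloads in the "Create Library Condition" and "Using Conditions in Rules" sections are easy to get subtly wrong by hand (a NotBlock with two children, a leaf that carries "children", a reference with an empty id), and the API is the only thing that will tell you. The following is an added Python helper, not ISE code and not part of the original page, that builds the same payload shapes, validates a tree against the type and operator rules described on this page before anything is sent, and optionally POSTs the library condition with urllib. The structural checks (leaves take no children, blocks need a non-empty list, ConditionNotBlock takes exactly one child, attribute names use the Dictionary:Attribute form) are this helper's assumptions drawn from the page, not a published ISE schema; the environment variable names ISE_PAN_IP, ISE_API_USER and ISE_API_PASS are taken from the page's curl examples, and TLS verification is deliberately left on rather than mirroring curl's -k.

```python
import base64
import json
import os
import urllib.request
from typing import Any, Dict, List

Condition = Dict[str, Any]

LEAF_TYPES = {"ConditionAttributes", "ConditionReference"}
BLOCK_TYPES = {"ConditionAndBlock", "ConditionOrBlock", "ConditionNotBlock"}
OPERATORS = {"equals", "notEquals", "contains", "startsWith", "endsWith", "matches",
             "greaterThan", "lessThan", "ipEquals", "ipNotEquals", "ipGreaterThan", "ipLessThan"}


def attribute(name: str, operator: str, value: Any) -> Condition:
    return {"conditionType": "ConditionAttributes", "attributeName": name,
            "operator": operator, "attributeValue": value}


def and_block(*children: Condition) -> Condition:
    return {"conditionType": "ConditionAndBlock", "children": list(children)}


def or_block(*children: Condition) -> Condition:
    return {"conditionType": "ConditionOrBlock", "children": list(children)}


def not_block(child: Condition) -> Condition:
    return {"conditionType": "ConditionNotBlock", "children": [child]}


def reference(condition_id: str) -> Condition:
    return {"conditionType": "ConditionReference", "id": condition_id}


def validate(cond: Condition, path: str = "condition") -> List[str]:
    """Return a list of problems found in the tree; an empty list means it is well formed."""
    problems: List[str] = []
    ctype = cond.get("conditionType")
    if ctype in LEAF_TYPES:
        if "children" in cond:
            problems.append(f"{path}: {ctype} must not carry children")
        if ctype == "ConditionAttributes":
            for key in ("attributeName", "operator", "attributeValue"):
                if key not in cond:
                    problems.append(f"{path}: missing {key}")
            if cond.get("operator") not in OPERATORS:
                problems.append(f"{path}: unsupported operator {cond.get('operator')!r}")
            if ":" not in str(cond.get("attributeName", "")):
                problems.append(f"{path}: attributeName should be Dictionary:Attribute")  # assumption
        elif not cond.get("id"):
            problems.append(f"{path}: ConditionReference needs a library condition id")
    elif ctype in BLOCK_TYPES:
        children = cond.get("children")
        if not isinstance(children, list) or not children:
            problems.append(f"{path}: {ctype} needs a non-empty children list")
        elif ctype == "ConditionNotBlock" and len(children) != 1:
            problems.append(f"{path}: ConditionNotBlock takes exactly one child")
        else:
            for i, child in enumerate(children):
                problems.extend(validate(child, f"{path}.children[{i}]"))
    else:
        problems.append(f"{path}: unknown conditionType {ctype!r}")
    return problems


def library_payload(name: str, description: str, cond: Condition) -> Condition:
    """Body for POST .../condition: the library entry is the tree plus name and description."""
    problems = validate(cond)
    if problems:
        raise ValueError("; ".join(problems))
    return {"name": name, "description": description, **cond}


def rule_payload(rule_name: str, cond: Condition) -> Dict[str, Any]:
    """Rule body embedding either a ConditionReference or an inline condition."""
    problems = validate(cond)
    if problems:
        raise ValueError("; ".join(problems))
    return {"rule": {"name": rule_name, "condition": cond}}


def post_condition(base_url: str, user: str, password: str, payload: Condition, timeout: int = 15):
    """POST a library condition with HTTP basic auth; TLS verification stays on."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/api/v1/policy/network-access/condition",
        data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)  # the created condition's id comes back in this response


if __name__ == "__main__":
    cond = and_block(
        attribute("IdentityGroup:Name", "equals", "Endpoint Identity Groups:Linux-Workstations"),
        attribute("Network Access:EapAuthentication", "equals", "EAP-TLS"))
    body = library_payload("Linux EAP-TLS Workstation", "Linux workstation with EAP-TLS auth", cond)
    print(json.dumps(body, indent=2))
    if os.environ.get("ISE_PAN_IP"):  # only contact a PAN when credentials are supplied
        created = post_condition(f"https://{os.environ['ISE_PAN_IP']}",
                                 os.environ["ISE_API_USER"], os.environ["ISE_API_PASS"], body)
        print(json.dumps(created, indent=2))
```

Without ISE_PAN_IP set the script only prints the validated payload, which is the form worth keeping in version control: a malformed tree fails locally with a path such as condition.children[1] instead of an opaque API error, and the reference form keeps rule bodies small once the library id is known.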