# Policy Sets

## Overview

Policy Sets are the top-level containers for authentication and authorization rules. Each policy set has a condition that determines when it matches an incoming request.
| Property | Value |
|---|---|
| Base URL | `https://{ISE_HOST}/api/v1/policy/network-access` |
| Methods | GET, POST, PUT, DELETE |
| Key Fields | name, condition, state, rank |
## Setup

```bash
# Load credentials
dsource d000 dev/network

# OpenAPI configuration
ISE_HOST="${ISE_PAN_IP}"
ISE_AUTH="${ISE_API_USER}:${ISE_API_PASS}"
BASE_URL="https://${ISE_HOST}/api/v1/policy/network-access"
```
## List Policy Sets

**netapi**

```bash
# List all policy sets (netapi)
netapi ise get-policy-sets
```

**curl**

```bash
# List all policy sets (curl)
curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/policy-set" \
  -H "Accept: application/json" | jq '.response[] | {name, id, rank, state}'
```
## Response Format

```json
{
  "response": [
    {
      "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "name": "Wired_802.1X_Closed",
      "rank": 1,
      "state": "enabled",
      "condition": {
        "conditionType": "ConditionAttributes",
        "attributeName": "RADIUS.NAS-Port-Type",
        "attributeValue": "Ethernet"
      },
      "serviceName": "Default Network Access",
      "hitCounts": 1523
    }
  ],
  "version": "1.0.0"
}
```
## Get Policy Set

### By Name

```bash
# Get policy set ID by name
# The name is passed to jq with --arg so it is matched as a string value
# rather than spliced into the filter text.
POLICY_NAME="Wired_802.1X_Closed"
POLICY_SET_ID=$(curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/policy-set" \
  -H "Accept: application/json" \
  | jq -r --arg name "${POLICY_NAME}" '.response[] | select(.name == $name) | .id')
echo "Policy Set ID: ${POLICY_SET_ID}"
```

### By ID (curl)

```bash
# Get single policy set by ID (curl)
POLICY_SET_ID="a1b2c3d4-e5f6-7890-abcd-ef1234567890"
curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/policy-set/${POLICY_SET_ID}" \
  -H "Accept: application/json" | jq '.response'
```
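The name lookup above silently yields an empty `POLICY_SET_ID` when nothing matches and several IDs when two sets share a name. The following Python script is an added example, not code from the page or from the netapi tool: it parses the documented response shape, resolves a name to exactly one ID, and reports disabled sets and duplicate ranks. The `fetch_policy_sets` helper uses HTTP basic auth like the curl calls but verifies the server certificate against a CA bundle path that is assumed here (the page's curl examples pass `-k` and skip that check). The sample response is constructed to mirror the "Response Format" section.

```python
"""Resolve an ISE policy set name to its ID and audit the listing.

Added example; not part of the original page. Works on the GET /policy-set
response shape documented above ("response" list with id/name/rank/state).
"""
import base64
import json
import ssl
import urllib.request

# Constructed sample mirroring the documented response format (two sets).
SAMPLE_RESPONSE = json.dumps({
    "response": [
        {"id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "name": "Wired_802.1X_Closed",
         "rank": 1, "state": "enabled", "serviceName": "Default Network Access"},
        {"id": "00000000-0000-0000-0000-000000000002", "name": "Guest_Portal",
         "rank": 2, "state": "disabled", "serviceName": "Default Network Access"},
    ],
    "version": "1.0.0",
})


class PolicySetLookupError(LookupError):
    """Raised when a name matches no policy set or more than one."""


def find_policy_set_id(response_json, name):
    """Return the id of the policy set whose name equals `name` exactly."""
    sets = json.loads(response_json).get("response", [])
    matches = [s for s in sets if s.get("name") == name]
    if not matches:
        raise PolicySetLookupError(f"no policy set named {name!r}")
    if len(matches) > 1:
        raise PolicySetLookupError(
            f"{len(matches)} policy sets named {name!r}; address it by id instead")
    return matches[0]["id"]


def audit_policy_sets(response_json):
    """Return (disabled_names, duplicate_ranks) for a quick review of the listing.

    disabled_names: sorted names whose state is not "enabled".
    duplicate_ranks: {rank: [names]} for ranks used by more than one set.
    """
    sets = json.loads(response_json).get("response", [])
    disabled = sorted(s["name"] for s in sets if s.get("state") != "enabled")
    by_rank = {}
    for s in sets:
        by_rank.setdefault(s.get("rank"), []).append(s["name"])
    duplicate_ranks = {r: names for r, names in by_rank.items() if len(names) > 1}
    return disabled, duplicate_ranks


def fetch_policy_sets(host, user, password, ca_bundle):
    """GET /policy-set with basic auth and TLS certificate verification.

    ca_bundle is the path of the CA that issued the ISE admin certificate
    (assumed parameter; the curl examples on the page skip verification).
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/api/v1/policy/network-access/policy-set",
        headers={"Accept": "application/json", "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    print(find_policy_set_id(SAMPLE_RESPONSE, "Wired_802.1X_Closed"))
    print(audit_policy_sets(SAMPLE_RESPONSE))
```

To run it against a live deployment, replace `SAMPLE_RESPONSE` with `fetch_policy_sets(ISE_HOST, ISE_API_USER, ISE_API_PASS, "/path/to/ise-ca.pem")`; the parsing functions are unchanged.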
## Policy Set Rules

### Authentication Rules

**netapi**

```bash
# List authentication rules (netapi)
netapi ise get-auth-rules "Wired_802.1X_Closed"
```

**curl**

```bash
# List authentication rules for a policy set (curl)
POLICY_SET_ID="a1b2c3d4-e5f6-7890-abcd-ef1234567890"
curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/policy-set/${POLICY_SET_ID}/authentication" \
  -H "Accept: application/json" | jq '.response[] | {name, rank, state, identitySourceName}'
```

### Authorization Rules

**netapi**

```bash
# List authorization rules (netapi)
netapi ise get-authz-rules "Wired_802.1X_Closed"
```

**curl**

```bash
# List authorization rules for a policy set (curl)
POLICY_SET_ID="a1b2c3d4-e5f6-7890-abcd-ef1234567890"
curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/policy-set/${POLICY_SET_ID}/authorization" \
  -H "Accept: application/json" | jq '.response[] | {name, rank, state, profile: .profile[0]}'
```
### Create Authorization Rule

```bash
# Create authorization rule (curl)
POLICY_SET_ID="a1b2c3d4-e5f6-7890-abcd-ef1234567890"
curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/policy-set/${POLICY_SET_ID}/authorization" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -X POST \
  -d '{
    "rule": {
      "name": "Linux_EAP-TLS_Access",
      "rank": 1,
      "state": "enabled",
      "condition": {
        "conditionType": "ConditionAttributes",
        "attributeName": "Cisco:cisco-av-pair",
        "attributeValue": "auth-type=dot1x",
        "dictionaryName": "Cisco"
      }
    },
    "profile": ["Linux-EAP-TLS-Profile"]
  }'
```
## Policy Set Conditions

### Condition Types

| Type | Description |
|---|---|
| ConditionReference | Reference an existing (library) condition |
| ConditionAttributes | Inline attribute match |
| ConditionAndBlock | AND multiple conditions |
| ConditionOrBlock | OR multiple conditions |
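The create-rule body above and the condition types in this table combine in practice: a rule's `condition` may be a single inline match or a nested And/Or tree of references and attributes. The script below is an added example, not code from the page or from the project it documents. It validates a rule before it is POSTed (name, rank, state, at least one profile, a well-formed condition tree) and renders the condition as a readable expression for review. Two field names are assumptions rather than page content: And/Or blocks are taken to hold their operands in a `children` list, and a `ConditionReference` is taken to name its library condition in `conditionName`; the `"disabled"` state is likewise assumed as the counterpart of `"enabled"`.

```python
"""Validate and render an ISE authorization-rule payload before POSTing it.

Added example; not part of the original page. Covers the {"rule": {...},
"profile": [...]} body shape and the four condition types in the table.
"""
import json

# The four condition types listed in the table above.
CONDITION_TYPES = {"ConditionReference", "ConditionAttributes",
                   "ConditionAndBlock", "ConditionOrBlock"}
# "enabled" appears on the page; "disabled" is assumed as its counterpart.
VALID_STATES = {"enabled", "disabled"}

# Constructed example: the page's inline attribute condition ANDed with a
# reference to a (hypothetical) library condition named Linux_Workstations.
SAMPLE_CONDITION = {
    "conditionType": "ConditionAndBlock",
    "children": [  # assumed field name for And/Or operands
        {"conditionType": "ConditionAttributes",
         "dictionaryName": "Cisco",
         "attributeName": "Cisco:cisco-av-pair",
         "attributeValue": "auth-type=dot1x"},
        {"conditionType": "ConditionReference",
         "conditionName": "Linux_Workstations"},  # assumed field name
    ],
}


def render_condition(cond):
    """Return a human-readable expression for a condition tree.

    Raises ValueError on an unknown conditionType, a missing attribute or
    reference field, or an And/Or block with fewer than two operands.
    """
    ctype = cond.get("conditionType")
    if ctype not in CONDITION_TYPES:
        raise ValueError(f"unknown conditionType {ctype!r}")
    if ctype == "ConditionAttributes":
        return f"{cond['attributeName']} == {cond['attributeValue']!r}"
    if ctype == "ConditionReference":
        return f"<{cond['conditionName']}>"
    op = " AND " if ctype == "ConditionAndBlock" else " OR "
    children = cond.get("children", [])
    if len(children) < 2:
        raise ValueError(f"{ctype} needs at least two children")
    return "(" + op.join(render_condition(c) for c in children) + ")"


def build_authz_rule(name, rank, condition, profiles, state="enabled"):
    """Validate the inputs and return the body for POST .../authorization."""
    if not isinstance(name, str) or not name:
        raise ValueError("rule name must be a non-empty string")
    if not isinstance(rank, int) or rank < 0:
        raise ValueError("rank must be a non-negative integer")
    if state not in VALID_STATES:
        raise ValueError(f"state must be one of {sorted(VALID_STATES)}")
    if not profiles or not all(isinstance(p, str) and p for p in profiles):
        raise ValueError("at least one authorization profile name is required")
    render_condition(condition)  # raises if the condition tree is malformed
    return {
        "rule": {"name": name, "rank": rank, "state": state, "condition": condition},
        "profile": list(profiles),
    }


if __name__ == "__main__":
    body = build_authz_rule("Linux_EAP-TLS_Access", 1, SAMPLE_CONDITION,
                            ["Linux-EAP-TLS-Profile"])
    print("condition:", render_condition(SAMPLE_CONDITION))
    print(json.dumps(body, indent=2))
```

The rendered expression is what a reviewer should compare against the change request before the rule is created; `build_authz_rule` returns a plain dict so it can be serialised with `json.dumps` and sent with the same headers as the curl example.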
### List Conditions

```bash
# List policy conditions (library conditions)
curl -sk -u "${ISE_AUTH}" \
  "https://${ISE_HOST}/api/v1/policy/network-access/condition" \
  -H "Accept: application/json" | jq '.response[] | {name, conditionType}'
```