Header Only - DO NOT REMOVE - Extreme Networks

Creating groups in NAC with both 'or' and 'and' conditions together

  • 27 November 2019
  • 1 reply

Userlevel 5




I’m currently swapping another vendors NAC for Extreme and need to replicate the configuration.


There is a NAC rule that is configured as the following:

((Certificate Dictionary:Issuer contains xxxadminCA01 Or (Certificate Dictionary:Issuer contains xxxadminCA02 Or Certificate Dictionary:Issuer contains IssuingCA-01)) 


(RADIUS-IETF:Called-Station-ID ends with user.wifi And Certificate Dictionary:Subject Alternative Name - DNS ends with xxadmin.ad.customer.co.uk))


So individually I can configure the ‘Or’ and ‘And’ compound arguments via the ‘User Groups’ section shown in the image below. I can set the ‘Match Mode’ to ‘Any’ which is equivalent to ‘or’ for one group and ‘All’ being equivalent to ‘And’ for the other group.

This would though create two separate user groups, one with the ‘or’ and one with the ‘And’


The issue I have is creating the rule that joins them both together with an ‘And’ to match the full statement above.


See image below. With only a single instance of the condition ‘User Group’, how do I achieve the ‘And’ to for the two User Groups?



Many thanks in advance.


1 reply

Userlevel 5

Think I’ve just figured a way to do this. Not quite as elegant but only thing I can think of.

Basically I create three separate user groups.

I take one of the ‘or’ statements, create  a user group and select the match mode ‘All;. The add that two ‘And’ statements.

I do the same for each of the ‘or’ statements.

Then just create three separate rules that include each of the three user groups!

That should equal the same thing I believe.

 Not sure if there is a better way to do it, but will go with that for now.