11-27-2019 05:35 PM
Hi,
I’m currently swapping another vendor’s NAC for Extreme and need to replicate the configuration.
There is a NAC rule that is configured as the following:
((Certificate Dictionary:Issuer contains xxxadminCA01 Or (Certificate Dictionary:Issuer contains xxxadminCA02 Or Certificate Dictionary:Issuer contains IssuingCA-01))
And
(RADIUS-IETF:Called-Station-ID ends with user.wifi And Certificate Dictionary:Subject Alternative Name - DNS ends with xxadmin.ad.customer.co.uk))
So individually I can configure the ‘Or’ and ‘And’ compound arguments via the ‘User Groups’ section shown in the image below. I can set the ‘Match Mode’ to ‘Any’ which is equivalent to ‘or’ for one group and ‘All’ being equivalent to ‘And’ for the other group.
This would though create two separate user groups, one with the ‘or’ and one with the ‘And’.
The issue I have is creating the rule that joins them both together with an ‘And’ to match the full statement above.
See image below. With only a single instance of the condition ‘User Group’, how do I achieve the ‘And’ for the two User Groups?
Many thanks in advance.
12-31-2020 03:53 PM
Hi Martin,
I would do that the way you did it.
Mig
12-31-2020 09:25 AM
After re-reading my response I thought I would re-write to make it a little clearer:
So if I take the original and / or statement, which effectively looks like this:
(A or B or C) and (D and E)
What I am saying is that I could achieve the same thing by creating the following groups:
Group 1 / Match All (equivalent to ‘And’)
A+D+E
Group 2 / Match All (equivalent to ‘And’)
B+D+E
Group 3 / Match All (equivalent to ‘And’)
C+D+E
I now create three separate rules that use each of the groups. Think that will effectively achieve the same thing as the one statement does at the beginning of this thread.
Not sure if there is a better way of doing it, but that’s all I can come up with at the moment.
11-27-2019 11:32 PM
Think I’ve just figured a way to do this. Not quite as elegant but only thing I can think of.
Basically I create three separate user groups.
I take one of the ‘or’ statements, create a user group and select the match mode ‘All’. Then add the two ‘And’ statements.
I do the same for each of the ‘or’ statements.
Then just create three separate rules that include each of the three user groups!
That should equal the same thing I believe.
Not sure if there is a better way to do it, but will go with that for now.
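
The rewrite discussed in this thread, (A or B or C) and (D and E) split into three ‘Match All’ groups, can be checked for equivalence before cut-over. The following is an added example, not part of the original posts and not Extreme's own code: the attribute keys, the case-sensitive string matching, the first-match rule order and the sample requests are all assumptions made for the model.

```python
from itertools import product

# Conditions from the rule in the first post, as (attribute, operator, value).
# The attribute keys are hypothetical names for this model only.
A = ("issuer", "contains", "xxxadminCA01")
B = ("issuer", "contains", "xxxadminCA02")
C = ("issuer", "contains", "IssuingCA-01")
D = ("called_station_id", "endswith", "user.wifi")
E = ("san_dns", "endswith", "xxadmin.ad.customer.co.uk")

def holds(cond, request):
    attr, op, value = cond
    actual = request.get(attr, "")  # a missing attribute never matches
    return value in actual if op == "contains" else actual.endswith(value)

def original_rule(request):
    """(A or B or C) and (D and E), as on the previous NAC."""
    return (any(holds(c, request) for c in (A, B, C))
            and all(holds(c, request) for c in (D, E)))

# Three 'Match All' user groups, one rule per group, evaluated in order.
GROUPS = {"Group 1": (A, D, E), "Group 2": (B, D, E), "Group 3": (C, D, E)}

def matching_group(request):
    for name, conds in GROUPS.items():
        if all(holds(c, request) for c in conds):
            return name
    return None

def equivalent_for_all_inputs():
    """Compare both forms over all 32 truth assignments of A..E."""
    for a, b, c, d, e in product((False, True), repeat=5):
        compound = (a or b or c) and (d and e)
        split = (a and d and e) or (b and d and e) or (c and d and e)
        if compound != split:
            return False
    return True

# Constructed sample requests (not real captures).
SAMPLES = [
    {"issuer": "CN=xxxadminCA02", "called_station_id": "00-11-22-33-44-55:user.wifi",
     "san_dns": "pc1.xxadmin.ad.customer.co.uk"},   # trusted CA, right SSID and SAN
    {"issuer": "CN=IssuingCA-01", "called_station_id": "00-11-22-33-44-55:guest.wifi",
     "san_dns": "pc2.xxadmin.ad.customer.co.uk"},   # trusted CA, wrong SSID
    {"issuer": "CN=OtherCA", "called_station_id": "00-11-22-33-44-55:user.wifi",
     "san_dns": "pc3.xxadmin.ad.customer.co.uk"},   # untrusted CA
]
```

The split matches the single statement only while all three rules assign the same result; if one of them is later edited on its own, the three rules stop being equivalent to the original rule.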