topic ISE Selecting wrong authorization profile in Network Access Control https://community.cisco.com/t5/network-access-control/ise-selecting-wrong-authorization-profile/m-p/1844962#M227029 <P>Hi,</P><P></P><P>We are testing ISE in a wired environment.</P><P>We have set up two authorization profiles called AD_Machine and AD_User as recommned in Trustsec 2.0 doc.&nbsp; The AD_Machine policy has a condition set on it to look at the AD External Group AD Machines, likewise the AD_User has a condition to look at AD External Group AD Users.&nbsp; At the end of the authorization policy list we have the default policy, this is set to WEBAUTH authorization profile.</P><P>What we see is machine auth is granted by the WEBAUTH policy as this is catch all.&nbsp; If I disable WEBAUTH it picks AD_Machine, also if I enable WEBAUTH and remove the AD External Group AD Machines condition it also selects the correct policy.</P><P>There seems to be some kind of timing issue when authorizing against an external DB.</P><P></P><P>Any ideas?</P><P></P><P>Thanks.</P><P>Gary</P> Mon, 11 Mar 2019 01:48:46 GMT g-hopkinson 2019-03-11T01:48:46Z ISE Selecting wrong authorization profile https://community.cisco.com/t5/network-access-control/ise-selecting-wrong-authorization-profile/m-p/1844962#M227029 <P>Hi,</P><P></P><P>We are testing ISE in a wired environment.</P><P>We have set up two authorization profiles called AD_Machine and AD_User as recommned in Trustsec 2.0 doc.&nbsp; The AD_Machine policy has a condition set on it to look at the AD External Group AD Machines, likewise the AD_User has a condition to look at AD External Group AD Users.&nbsp; At the end of the authorization policy list we have the default policy, this is set to WEBAUTH authorization profile.</P><P>What we see is machine auth is granted by the WEBAUTH policy as this is catch all.&nbsp; If I disable WEBAUTH it picks AD_Machine, also if I enable WEBAUTH and remove the AD External Group AD Machines condition it also selects the correct policy.</P><P>There seems to be some kind of timing issue when authorizing against an external DB.</P><P></P><P>Any ideas?</P><P></P><P>Thanks.</P><P>Gary</P> Mon, 11 Mar 2019 01:48:46 GMT https://community.cisco.com/t5/network-access-control/ise-selecting-wrong-authorization-profile/m-p/1844962#M227029 g-hopkinson 2019-03-11T01:48:46Z