https://community.cisco.com/t5/network-access-control/push-two-authorization-profiles-in-one-authorization-policy/m-p/3799839#M542688 <P>Well, that makes sense...</P> <P>Thank you for all the inputs...</P> Tue, 12 Feb 2019 07:47:17 GMT dgaikwad 2019-02-12T07:47:17Z https://community.cisco.com/t5/network-access-control/push-two-authorization-profiles-in-one-authorization-policy/m-p/3797516#M542681 <P><FONT face="helvetica" size="2">Hello Experts,</FONT><BR /><FONT face="helvetica" size="2">I am running </FONT>ISE<FONT face="helvetica" size="2"> 2.4 with patch 4.</FONT><BR /><FONT face="helvetica" size="2">In the authorization policy is it possible to push two authorization profiles?</FONT><BR /><FONT face="helvetica" size="2">If yes, then which ones will take the precedence?</FONT><BR /><FONT face="helvetica" size="2">Or is this something that the design of ISE does not allow?</FONT></P> <P><FONT face="helvetica" size="2">Any pointers or documentation to achieve this?</FONT></P> Mon, 11 Mar 2019 08:55:13 GMT https://community.cisco.com/t5/network-access-control/push-two-authorization-profiles-in-one-authorization-policy/m-p/3797516#M542681 dgaikwad 2019-03-11T08:55:13Z https://community.cisco.com/t5/network-access-control/push-two-authorization-profiles-in-one-authorization-policy/m-p/3797560#M542682 No you can't combine two profiles in one rule. With the profile you can<BR />combination of ands and ors nested<BR /> Fri, 08 Feb 2019 09:42:20 GMT https://community.cisco.com/t5/network-access-control/push-two-authorization-profiles-in-one-authorization-policy/m-p/3797560#M542682 Mohammed al Baqari 2019-02-08T09:42:20Z https://community.cisco.com/t5/network-access-control/push-two-authorization-profiles-in-one-authorization-policy/m-p/3797925#M542683 I think you might get more helpful advise if you were to try and explain why you think you need two authorization results. To clarify the terms, I'm assuming authorization results because that's what ise would send back to the switch/wlc. As indicated in the previous post, it's not possible, but there are usually ways to accomplish most rule requirements. Fri, 08 Feb 2019 16:24:59 GMT https://community.cisco.com/t5/network-access-control/push-two-authorization-profiles-in-one-authorization-policy/m-p/3797925#M542683 Damien Miller 2019-02-08T16:24:59Z https://community.cisco.com/t5/network-access-control/push-two-authorization-profiles-in-one-authorization-policy/m-p/3798538#M542684 <P>If the matched authz policy rule has multiple profiles. They are combined in such way that distinct attributes will all apply and the first values of the same attributes will apply.</P> <P>For example, the following rule has three authz profiles:</P> <OL> <LI>dACL PermitALL -- with the attribute for DACL -- PERMIT_ALL</LI> <LI>vlan 100 -- with the common task VLAN set to 100</LI> <LI>vlan 101 -- with the common task VLAN set to 101</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2019-02-09 at 3.36.43 PM.png" style="width: 793px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/29771i65C22E7CFDE563A7/image-size/large?v=v2&amp;px=999" role="button" title="Screen Shot 2019-02-09 at 3.36.43 PM.png" alt="Screen Shot 2019-02-09 at 3.36.43 PM.png" /></span></P> <P>As the DACL is unique and VLAN assignments are duplicated, the resulting permissions would have DACL PERMIT_ALL and the first VLAN assignment, which set to 100.</P> Sat, 09 Feb 2019 23:40:17 GMT https://community.cisco.com/t5/network-access-control/push-two-authorization-profiles-in-one-authorization-policy/m-p/3798538#M542684 hslai 2019-02-09T23:40:17Z https://community.cisco.com/t5/network-access-control/push-two-authorization-profiles-in-one-authorization-policy/m-p/3799058#M542685 <P>I was thinking about a use case, where the WLC has ACL has a limitation of 64 lines in single ACL. So, what if I create multiple dACL and push them via authorization profiles, thus increasing the overall capacity.</P> Mon, 11 Feb 2019 10:27:44 GMT https://community.cisco.com/t5/network-access-control/push-two-authorization-profiles-in-one-authorization-policy/m-p/3799058#M542685 dgaikwad 2019-02-11T10:27:44Z https://community.cisco.com/t5/network-access-control/push-two-authorization-profiles-in-one-authorization-policy/m-p/3799142#M542686 Hi,<BR />I know this is not directly related to your question but I don't think you can push DACL to WLC, you can create ACL locally on the WLC and call it by its name in the Authorization profile via "airspace ACL" option. Mon, 11 Feb 2019 12:17:55 GMT https://community.cisco.com/t5/network-access-control/push-two-authorization-profiles-in-one-authorization-policy/m-p/3799142#M542686 bern81 2019-02-11T12:17:55Z https://community.cisco.com/t5/network-access-control/push-two-authorization-profiles-in-one-authorization-policy/m-p/3799260#M542687 <P><A href="https://community.cisco.com/t5/user/viewprofilepage/user-id/529249" target="_blank">bern81</A>&nbsp;is correct that WLC not using DACL. If needing many ACEs, then you should consider another solution (e.g. ASA) to perform the enforcement.</P> Mon, 11 Feb 2019 14:59:20 GMT https://community.cisco.com/t5/network-access-control/push-two-authorization-profiles-in-one-authorization-policy/m-p/3799260#M542687 hslai 2019-02-11T14:59:20Z https://community.cisco.com/t5/network-access-control/push-two-authorization-profiles-in-one-authorization-policy/m-p/3799839#M542688 <P>Well, that makes sense...</P> <P>Thank you for all the inputs...</P> Tue, 12 Feb 2019 07:47:17 GMT https://community.cisco.com/t5/network-access-control/push-two-authorization-profiles-in-one-authorization-policy/m-p/3799839#M542688 dgaikwad 2019-02-12T07:47:17Z