https://community.cisco.com/t5/network-access-control/understanding-authorization-profiles/m-p/4424480#M568128 <P>This is your Policy Authorization Rule from your picture:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/123774i99C2E09B7E13C084/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>First condition matches on your SSID containing "MyInternet"</P> <P>Second condition matches any ISE internal users in the group GuestType_MyInternet.</P> <P>From your explanation, it sounds like you are adding guest users' Username and Password via REST API to the ISE internal identity group GuestType_MyInternet. This allows them to authenticate to SSID MyInternet so they can connect securely with PEAP rather than an open, unencrypted SSID. I figured this because even though you did not show your authentication policy,&nbsp; you named your Authorization Result "PEAP/PermitAccess".</P> <P>To find out exactly Why it is working, simply look at the ISE LiveLogs and click on the <span class="lia-unicode-emoji" title=":page_facing_up:">📄</span> details icon next to a Passed Authentication to see all of the details that ISE went through to authenticate and authorize that endpoint including the user, identity store, protocols, authorization result, etc.</P> Sun, 27 Jun 2021 22:16:59 GMT thomas 2021-06-27T22:16:59Z https://community.cisco.com/t5/network-access-control/understanding-authorization-profiles/m-p/4423370#M568088 <P>I have a customer solution that has an authorization profile to allow users who register their details access to the internet with their personal devices.</P><P>The attached screenshots show the policy works but I can't understand how.</P><P>there are no users in the identity group used in the profile.</P><P>The users registers via an internal website that communicates with ISE via REST API.</P> Thu, 24 Jun 2021 16:20:49 GMT https://community.cisco.com/t5/network-access-control/understanding-authorization-profiles/m-p/4423370#M568088 russell.sage 2021-06-24T16:20:49Z https://community.cisco.com/t5/network-access-control/understanding-authorization-profiles/m-p/4423493#M568097 <P>In this case internal users creates on the internal website and during the time of authentication which will push to ise using API. its like an automated process.</P> Thu, 24 Jun 2021 22:11:36 GMT https://community.cisco.com/t5/network-access-control/understanding-authorization-profiles/m-p/4423493#M568097 Nit in Net 2021-06-24T22:11:36Z https://community.cisco.com/t5/network-access-control/understanding-authorization-profiles/m-p/4424480#M568128 <P>This is your Policy Authorization Rule from your picture:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/123774i99C2E09B7E13C084/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>First condition matches on your SSID containing "MyInternet"</P> <P>Second condition matches any ISE internal users in the group GuestType_MyInternet.</P> <P>From your explanation, it sounds like you are adding guest users' Username and Password via REST API to the ISE internal identity group GuestType_MyInternet. This allows them to authenticate to SSID MyInternet so they can connect securely with PEAP rather than an open, unencrypted SSID. I figured this because even though you did not show your authentication policy,&nbsp; you named your Authorization Result "PEAP/PermitAccess".</P> <P>To find out exactly Why it is working, simply look at the ISE LiveLogs and click on the <span class="lia-unicode-emoji" title=":page_facing_up:">📄</span> details icon next to a Passed Authentication to see all of the details that ISE went through to authenticate and authorize that endpoint including the user, identity store, protocols, authorization result, etc.</P> Sun, 27 Jun 2021 22:16:59 GMT https://community.cisco.com/t5/network-access-control/understanding-authorization-profiles/m-p/4424480#M568128 thomas 2021-06-27T22:16:59Z https://community.cisco.com/t5/network-access-control/understanding-authorization-profiles/m-p/4424650#M568146 <P>Thomas</P><P>Thanks for the reply. I did look at the logs. It states it matched against the conditions in the screenshot. The point of my post was that when you look in the internal identity&nbsp;<SPAN>GuestType_MyInternet there are no entries as seen in the second screenshot. So how is it matching?</SPAN></P> Mon, 28 Jun 2021 07:35:49 GMT https://community.cisco.com/t5/network-access-control/understanding-authorization-profiles/m-p/4424650#M568146 russell.sage 2021-06-28T07:35:49Z