<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Transitioning Through Profiles (Profile Stacking) in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/transitioning-through-profiles-profile-stacking/m-p/4452001#M569149</link>
    <description>&lt;P&gt;Team,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am using:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Version 3.0.0.458&lt;/P&gt;&lt;P&gt;Installed Patches 2&lt;/P&gt;&lt;P&gt;Product Identifier (PID) ISE-VM-K9&lt;/P&gt;&lt;P&gt;Version Identifier (VID) V01&lt;/P&gt;&lt;P&gt;ADE-OS Version 3.0.8.091&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have a question about “stacking” profiles. By stacking, I mean, I have set up ISE to NMAP and profile a factory new endpoint to an initially trusted endpoint profile and assign it to an identity group as a &lt;U&gt;candidate&lt;/U&gt; for further processing.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The initial profile works great, the NMAP performs its scan, meeting a profiler policy condition through customized NMAPExtension and the system places the endpoint in a selected Identity Group called “candidate”.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Life would be so easy if I left the endpoint in this state, but I have this access requirement to first profile the endpoint and use a graduated approach from a candidate (member of this identity group) to a higher set of authorizations including VLAN/dACL assignment.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My initial approach was to build a policy set outside of the initial working set that brought the “layer0-endpoint” to “layer1-candidate” and then once in the candidate stage, authorized it to a different authorization profile, turning it into “layer2-release”. Obviously, I am performing configurations to the endpoint when they transition through the phases – including an eventual DOT1X implementation in the end.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Goes from out of the factory sealed box and added to the network -&amp;nbsp;layer0-endpoint -&amp;gt; layer1-candidate -&amp;gt;&amp;nbsp;layer2-release&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I’ve tried a few things, yet nothing is working. 
At this point, I’m unsure it is even possible to first profile an endpoint into a candidate and then into release – or my profile stacking concept.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Any points or articles which may help please…&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Chris&lt;/P&gt;</description>
    <pubDate>Thu, 19 Aug 2021 17:34:55 GMT</pubDate>
    <dc:creator>chris-lawrence</dc:creator>
    <dc:date>2021-08-19T17:34:55Z</dc:date>
    <item>
      <title>Transitioning Through Profiles (Profile Stacking)</title>
      <link>https://community.cisco.com/t5/network-access-control/transitioning-through-profiles-profile-stacking/m-p/4452001#M569149</link>
      <description>&lt;P&gt;Team,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am using:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Version 3.0.0.458&lt;/P&gt;&lt;P&gt;Installed Patches 2&lt;/P&gt;&lt;P&gt;Product Identifier (PID) ISE-VM-K9&lt;/P&gt;&lt;P&gt;Version Identifier (VID) V01&lt;/P&gt;&lt;P&gt;ADE-OS Version 3.0.8.091&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have a question about “stacking” profiles. By stacking, I mean, I have set up ISE to NMAP and profile a factory new endpoint to an initially trusted endpoint profile and assign it to an identity group as a &lt;U&gt;candidate&lt;/U&gt; for further processing.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The initial profile works great, the NMAP performs its scan, meeting a profiler policy condition through customized NMAPExtension and the system places the endpoint in a selected Identity Group called “candidate”.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Life would be so easy if I left the endpoint in this state, but I have this access requirement to first profile the endpoint and use a graduated approach from a candidate (member of this identity group) to a higher set of authorizations including VLAN/dACL assignment.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My initial approach was to build a policy set outside of the initial working set that brought the “layer0-endpoint” to “layer1-candidate” and then once in the candidate stage, authorized it to a different authorization profile, turning it into “layer2-release”. Obviously, I am performing configurations to the endpoint when they transition through the phases – including an eventual DOT1X implementation in the end.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Goes from out of the factory sealed box and added to the network -&amp;nbsp;layer0-endpoint -&amp;gt; layer1-candidate -&amp;gt;&amp;nbsp;layer2-release&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I’ve tried a few things, yet nothing is working. 
At this point, I’m unsure it is even possible to first profile an endpoint into a candidate and then into release – or my profile stacking concept.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Any points or articles which may help please…&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Chris&lt;/P&gt;</description>
      <pubDate>Thu, 19 Aug 2021 17:34:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/transitioning-through-profiles-profile-stacking/m-p/4452001#M569149</guid>
      <dc:creator>chris-lawrence</dc:creator>
      <dc:date>2021-08-19T17:34:55Z</dc:date>
    </item>
    <item>
      <title>Re: Transitioning Through Profiles (Profile Stacking)</title>
      <link>https://community.cisco.com/t5/network-access-control/transitioning-through-profiles-profile-stacking/m-p/4452637#M569187</link>
      <description>&lt;P&gt;Team,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So my question is not related to stacking profiles (I guess considered "reprofiling")... I suppose I want to create a new &lt;U&gt;policy set&lt;/U&gt; to apply to the&amp;nbsp;&lt;SPAN&gt;“layer1-candidate” after it has been given an&amp;nbsp;Identity Group Assignment to my group - and then once you become a member of that group, you get updated permissions (new VLAN/dACL) given the endpoint modified access.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I just don't see how this is done with the Policy Set Conditions Studio. I just don't see a dictionary which allows me to choose some of the ISE&amp;nbsp;parameters like the grouping the endpoint&amp;nbsp;belongs to or its currently assigned policy.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 20 Aug 2021 17:40:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/transitioning-through-profiles-profile-stacking/m-p/4452637#M569187</guid>
      <dc:creator>chris-lawrence</dc:creator>
      <dc:date>2021-08-20T17:40:54Z</dc:date>
    </item>
    <item>
      <title>Re: Transitioning Through Profiles (Profile Stacking)</title>
      <link>https://community.cisco.com/t5/network-access-control/transitioning-through-profiles-profile-stacking/m-p/4452961#M569196</link>
      <description>&lt;P&gt;Chris: You are correct that endpoint groups or attributes are not currently available as conditions to select a policy set. Thus, you would need to use the same policy set or key off others.&lt;/P&gt;</description>
      <pubDate>Sun, 22 Aug 2021 02:44:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/transitioning-through-profiles-profile-stacking/m-p/4452961#M569196</guid>
      <dc:creator>hslai</dc:creator>
      <dc:date>2021-08-22T02:44:23Z</dc:date>
    </item>
  </channel>
</rss>

