https://community.cisco.com/t5/network-access-control/cisco-ise-creating-complex-policy-set-rules/m-p/4530323#M572171 <P>Hi Marcelo</P><P>&nbsp;</P><P>Yes thats it, so can create but curious to understand how the condition rules link to the correct result profile when have multiple selected. Ive uploaded an example that we are trying to build&nbsp;</P> Wed, 12 Jan 2022 16:43:00 GMT Marc0 2022-01-12T16:43:00Z https://community.cisco.com/t5/network-access-control/cisco-ise-creating-complex-policy-set-rules/m-p/4530186#M572163 <P>Hi All</P><P>&nbsp;</P><P>I have ISE 2.7 and trying to create policy set rules in line with 802.1x rollout which is fairly straight forward.</P><P>&nbsp;</P><P>However, im trying to find out if ISE will allow the creation of a single authorization policy rule with multiple conditions rules but mapping them to multiple results profiles?</P><P>&nbsp;</P><P>Does anyone know if this is possible and&nbsp;If so, are there instructions on on doing this?</P><P>&nbsp;</P><P>Thanks in advance</P> Wed, 12 Jan 2022 13:07:28 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-creating-complex-policy-set-rules/m-p/4530186#M572163 Marc0 2022-01-12T13:07:28Z https://community.cisco.com/t5/network-access-control/cisco-ise-creating-complex-policy-set-rules/m-p/4530255#M572166 <P class="lia-align-justify">Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/493111">@Marc0</a>&nbsp;,</P><P class="lia-align-justify">&nbsp;something like this:</P><P class="lia-align-justify"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MultipleResults.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/141009i0A03080453E205F0/image-size/large?v=v2&amp;px=999" role="button" title="MultipleResults.png" alt="MultipleResults.png" /></span></P><P>&nbsp;</P><P class="lia-align-justify">Hope this helps !!!</P> Wed, 12 Jan 2022 15:06:09 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-creating-complex-policy-set-rules/m-p/4530255#M572166 Marcelo Morais 2022-01-12T15:06:09Z https://community.cisco.com/t5/network-access-control/cisco-ise-creating-complex-policy-set-rules/m-p/4530323#M572171 <P>Hi Marcelo</P><P>&nbsp;</P><P>Yes thats it, so can create but curious to understand how the condition rules link to the correct result profile when have multiple selected. Ive uploaded an example that we are trying to build&nbsp;</P> Wed, 12 Jan 2022 16:43:00 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-creating-complex-policy-set-rules/m-p/4530323#M572171 Marc0 2022-01-12T16:43:00Z https://community.cisco.com/t5/network-access-control/cisco-ise-creating-complex-policy-set-rules/m-p/4530537#M572181 <P>See a related discussion here - <A href="https://community.cisco.com/t5/network-access-control/authorization-permissions-in-one-or-multiple-authorization/m-p/3717336" target="_blank" rel="noopener">Authorization permissions in one or multiple authorization profiles</A>&nbsp;</P> <P>When you 'stack' AuthZ Profiles, they are all applied to the session so you want to ensure there are no overlapping attributes (dACL, dVLAN, etc) as there is no way to specify the order in which they are applied.</P> <P>For your example, both AuthZ Profiles would be applied to any session that matches any of your OR conditions.</P> <P>I've personally never stacked AuthZ Profiles on any customer deployments as I feel they add more complexity rather than reducing it.</P> Wed, 12 Jan 2022 23:47:52 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-creating-complex-policy-set-rules/m-p/4530537#M572181 Greg Gibbs 2022-01-12T23:47:52Z https://community.cisco.com/t5/network-access-control/cisco-ise-creating-complex-policy-set-rules/m-p/4530653#M572183 <P>Thanks Greg for the response.&nbsp;</P><P>So if the view is not to stack the AuthZ profiles, is there a limitation on the number of AuthZ profiles that can be held in one policy set rule?</P> Thu, 13 Jan 2022 08:28:18 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-creating-complex-policy-set-rules/m-p/4530653#M572183 Marc0 2022-01-13T08:28:18Z https://community.cisco.com/t5/network-access-control/cisco-ise-creating-complex-policy-set-rules/m-p/4531152#M572196 <P>As per the <A href="https://cs.co/ise-scale" target="_blank" rel="noopener">Scalability Guide</A>... "It is not recommended to have more than 600 authorization rules in a single policy set"</P> <P>If you have a 1:1 ratio of AuthZ Profiles to AuthZ Policy rules, the recommended max AuthZ Profiles per Policy Set would also be 600.</P> Thu, 13 Jan 2022 21:55:42 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-creating-complex-policy-set-rules/m-p/4531152#M572196 Greg Gibbs 2022-01-13T21:55:42Z