https://community.cisco.com/t5/network-access-control/authorization-policies-using-multiple-authorization-profiles/m-p/4577668#M573639 <P>Hi,</P><P>This is not recommended because it will give you headaches <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P><P>Technically it's possible. My guess is that your two profiles will be combined, except the case when the same attribute is defined in both profiles.</P><P>&nbsp;</P><P>BR,</P><P>Octavian</P> Thu, 24 Mar 2022 09:30:10 GMT Octavian Szolga 2022-03-24T09:30:10Z https://community.cisco.com/t5/network-access-control/authorization-policies-using-multiple-authorization-profiles/m-p/4577555#M573635 <P><FONT face="helvetica">Hi Experts,</FONT></P><P><FONT face="helvetica">Running ISE 3.1 patch 1.</FONT></P><P><FONT face="helvetica">Is it possible to have multiple authorization profiles in results with a single authorization policy?</FONT><BR /><FONT face="helvetica">And if multiple profiles are added, which profile will take precedence?</FONT></P> Thu, 24 Mar 2022 05:55:55 GMT https://community.cisco.com/t5/network-access-control/authorization-policies-using-multiple-authorization-profiles/m-p/4577555#M573635 dgaikwad 2022-03-24T05:55:55Z https://community.cisco.com/t5/network-access-control/authorization-policies-using-multiple-authorization-profiles/m-p/4577668#M573639 <P>Hi,</P><P>This is not recommended because it will give you headaches <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P><P>Technically it's possible. My guess is that your two profiles will be combined, except the case when the same attribute is defined in both profiles.</P><P>&nbsp;</P><P>BR,</P><P>Octavian</P> Thu, 24 Mar 2022 09:30:10 GMT https://community.cisco.com/t5/network-access-control/authorization-policies-using-multiple-authorization-profiles/m-p/4577668#M573639 Octavian Szolga 2022-03-24T09:30:10Z https://community.cisco.com/t5/network-access-control/authorization-policies-using-multiple-authorization-profiles/m-p/4577734#M573643 <P><FONT face="helvetica">Thanks for the confirmation, I was thinking on the same lines.</FONT><BR /><FONT face="helvetica">Thus they can be used, but the effects are not going to be good if combined.</FONT><BR /><BR /><FONT face="helvetica">Thus there could be two authz profiles with two different DACLs and they will combined and applied, right?</FONT></P> Thu, 24 Mar 2022 11:16:07 GMT https://community.cisco.com/t5/network-access-control/authorization-policies-using-multiple-authorization-profiles/m-p/4577734#M573643 dgaikwad 2022-03-24T11:16:07Z https://community.cisco.com/t5/network-access-control/authorization-policies-using-multiple-authorization-profiles/m-p/4577741#M573646 <P>Hi,</P><P>&nbsp;</P><P>As far as I know, dACLs will not be combined.</P><P>&nbsp;</P><P>BR,</P><P>Octavian</P> Thu, 24 Mar 2022 11:24:18 GMT https://community.cisco.com/t5/network-access-control/authorization-policies-using-multiple-authorization-profiles/m-p/4577741#M573646 Octavian Szolga 2022-03-24T11:24:18Z https://community.cisco.com/t5/network-access-control/authorization-policies-using-multiple-authorization-profiles/m-p/4577837#M573655 <P><SPAN>And if multiple profiles are added, which profile will take precedence?</SPAN></P> <P><SPAN>-If multiple authz profiles are assigned as result they will be combined and assigned to the session.&nbsp; You can see this via radius live log for the test session.&nbsp; In the live log pay attention to Authorization Result which is found under 'Overview'. to see which multiple authz profiles are assigned to session.&nbsp; Then at the bottom under 'Result' you will see the applied attributes to the session which will show you that the two are combined and applied.&nbsp; Should there be identical attributes configured in both I am pretty sure that the first match will take and be assigned.&nbsp; Lastly, this may assist:&nbsp;</SPAN><SPAN><A href="https://community.cisco.com/t5/security-documents/ise-authentication-and-authorization-policy-reference/ta-p/3850472" target="_blank">ISE Authentication and Authorization Policy Reference - Cisco Community</A></SPAN></P> Thu, 24 Mar 2022 13:49:20 GMT https://community.cisco.com/t5/network-access-control/authorization-policies-using-multiple-authorization-profiles/m-p/4577837#M573655 Mike.Cifelli 2022-03-24T13:49:20Z https://community.cisco.com/t5/network-access-control/authorization-policies-using-multiple-authorization-profiles/m-p/4755531#M579240 <P>Hi mike,</P><P>what happens if I apply two different auth profiles at the same auth rule each of one refers to a specific device profile?&nbsp;</P><P>Would ise send just the correct device profile?</P><P>Regards</P><P>Marco</P> Mon, 16 Jan 2023 17:28:27 GMT https://community.cisco.com/t5/network-access-control/authorization-policies-using-multiple-authorization-profiles/m-p/4755531#M579240 marco.merlo 2023-01-16T17:28:27Z https://community.cisco.com/t5/network-access-control/authorization-policies-using-multiple-authorization-profiles/m-p/4755554#M579241 <P>I use it quite often this way as it gives you a great flexibility *and* visibility if you do it the correct way. For example, I have AuthZ profiles that *only* include the assigned VLAN, these have the prefix "VLan_", the AuthZ profiles that include a DACL have the prefix "DACL_" and so on and so on. I didn't count them but I think that in the end the total amount of AuthZ profiles is reduced and the visibility in the AuthZ policy is greatly improved as I directly see what I send to the NAD.</P> Mon, 16 Jan 2023 17:57:22 GMT https://community.cisco.com/t5/network-access-control/authorization-policies-using-multiple-authorization-profiles/m-p/4755554#M579241 Karsten Iwen 2023-01-16T17:57:22Z