10-02-2018 05:20 AM
Hi board,
short question regarding authorization policy design:
In the past I assigned one authorization profile per authorization rule
Out of coincidence I saw that multiple authorization profiles may be assigned to one authorization rule.
I think this is cool, because someone could build a "modular" authorization toolbox:
E.g.
If I want to assign a WLAN client to VLAN 101 with QoS profile gold, the following profiles are used:
- WLAN_QoSprofile_Gold
- VLAN ID 100
However I have no idea how this works and the pro and cons regarding this approach. Examples:
Anybody knows that? Do you know a Cisco doc describing multiple profiles in one rule? How do you design your rules?
Thanks in advance!
Best regards
Johannes
10-03-2018 10:52 PM
I tried it in ISE 2.1. First of all there is no possibility to order the authorization profiles in the permissions.
What obviously happens:
I guess I'll start with this approach now to build a more modular ruleset. Furthermore it's more fault tolerant. For example, if there is a policy to reauthenticate all dot1x clients every 2 hours, there is one profile for this purpose. The reauthentication timer is not hidden in multiple profiles, so there is a single source of truth :)
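Since the permissions list gives no ordering between the profiles in one rule, a practitioner will want to catch the case where two profiles in the same rule set the same attribute to different values before the rule goes live. The following is an added example, not code from the thread or from Cisco: it runs an offline conflict check over a constructed, illustrative model of profiles and rules (the profile names, attribute keys and values are assumptions, not an ISE export).

```python
# Added example (not from the thread): offline conflict check for rules that
# reference several authorization profiles. Because "Permissions" has no
# ordering, any attribute set by two profiles of one rule with different
# values is ambiguous and gets flagged. All data below is constructed.

from collections import defaultdict

# Constructed sample profiles: name -> attribute/value pairs
# (keys are illustrative RADIUS-style names, not an ISE export).
PROFILES = {
    "WLAN_QoSprofile_Gold": {"Airespace-ACL-Name": "QoS-Gold"},
    "VLAN_100":             {"Tunnel-Private-Group-ID": "100"},
    "VLAN_101":             {"Tunnel-Private-Group-ID": "101"},
    "Reauth_2h":            {"Session-Timeout": "7200",
                             "Termination-Action": "RADIUS-Request"},
    "Employee_Legacy":      {"Tunnel-Private-Group-ID": "100",
                             "Session-Timeout": "3600"},
}

# Constructed sample rules: rule name -> profiles selected in "Permissions".
RULES = {
    "WLAN_Gold_VLAN100": ["WLAN_QoSprofile_Gold", "VLAN_100", "Reauth_2h"],
    "WLAN_Gold_VLAN101": ["WLAN_QoSprofile_Gold", "VLAN_101", "Reauth_2h"],
    # Misconfiguration: the legacy profile also carries a VLAN and a timer.
    "Employee_Mixed":    ["Employee_Legacy", "VLAN_101", "Reauth_2h"],
}


def merged_attributes(rule, profiles=PROFILES, rules=RULES):
    """Return {attribute: {value: [profiles setting it]}} for one rule."""
    seen = defaultdict(lambda: defaultdict(list))
    for profile in rules[rule]:
        for attr, value in profiles[profile].items():
            seen[attr][value].append(profile)
    return seen


def find_conflicts(rules=RULES, profiles=PROFILES):
    """List (rule, attribute, {value: [profiles]}) where profiles disagree."""
    conflicts = []
    for rule in rules:
        for attr, values in merged_attributes(rule, profiles, rules).items():
            if len(values) > 1:  # same attribute, more than one value
                conflicts.append((rule, attr, dict(values)))
    return conflicts


if __name__ == "__main__":
    for rule, attr, values in find_conflicts():
        print(f"{rule}: {attr} set differently by {values}")
```

An attribute set by several profiles to the same value is not reported here; it is harmless to the device but still worth consolidating into one profile for the single-source-of-truth reason given above.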
10-02-2018 05:32 AM
I'm trying to think of an example where I would apply two AuthZ policies with the same common task, and I can't.
My thought would be any time you need to apply like common tasks with different results, that would be an additional rule in your policy set.
My assumption would be if you tried to overlap, ISE would apply your result in order (top - down) but without testing, I couldn't be certain. Maybe on read-only Friday I will test and get back to you.
10-02-2018 05:37 AM
@anthonylofreso wrote:
I'm trying to think of an example where I would apply two AuthZ policies with the same common task, and I can't.
Me neither - but I want to understand how the system reacts if this happens (e.g. due to a misconfiguration). I can test this as well, but I was hoping for a proper documentation :D
However, I'm with your assumption - I also guess the last one wins.
I'm curious: Are you using multiple AuthZ profiles in a single rule or not?
10-02-2018 05:44 AM
I am not. We primarily use AuthZ profiles to apply DACLs to interfaces.
To be honest, I hadn't noticed the +/- in the permissions column for multiple AuthZ policies. We've applied multiple common tasks (VLAN + DACL) but only via a single profile since they are check boxes.
I'd be curious to know what others use this functionality for