03-23-2022 10:55 PM
Hi Experts,
Running ISE 3.1 patch 1.
Is it possible to have multiple authorization profiles in results with a single authorization policy?
And if multiple profiles are added, which profile will take precedence?
03-24-2022 02:30 AM
Hi,
This is not recommended because it will give you headaches.
Technically it's possible. My guess is that your two profiles will be combined, except in the case where the same attribute is defined in both profiles.
BR,
Octavian
03-24-2022 04:16 AM
Thanks for the confirmation, I was thinking along the same lines.
Thus they can be used, but the effects are not going to be good if combined.
Thus there could be two authz profiles with two different DACLs and they will be combined and applied, right?
03-24-2022 04:24 AM
Hi,
As far as I know, dACLs will not be combined.
BR,
Octavian
03-24-2022 06:49 AM
And if multiple profiles are added, which profile will take precedence?
- If multiple authz profiles are assigned as the result, they will be combined and assigned to the session. You can see this via the RADIUS live log for the test session. In the live log, pay attention to the Authorization Result, which is found under 'Overview', to see which authz profiles are assigned to the session. Then at the bottom, under 'Result', you will see the attributes applied to the session, which will show you that the two are combined and applied. Should there be identical attributes configured in both, I am pretty sure that the first match will take and be assigned. Lastly, this may assist: ISE Authentication and Authorization Policy Reference - Cisco Community
01-16-2023 09:28 AM
Hi mike,
What happens if I apply two different auth profiles to the same auth rule, each of which refers to a specific device profile?
Would ISE send just the correct device profile?
Regards
Marco
01-16-2023 09:57 AM
I use it quite often this way as it gives you great flexibility *and* visibility if you do it the correct way. For example, I have AuthZ profiles that *only* include the assigned VLAN; these have the prefix "VLan_". The AuthZ profiles that include a DACL have the prefix "DACL_", and so on. I didn't count them, but I think that in the end the total number of AuthZ profiles is reduced and the visibility in the AuthZ policy is greatly improved, as I directly see what I send to the NAD.
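The following is an added example, not code from the thread or from Cisco ISE. It models the behaviour described in the two replies above: when one authorization rule lists several authorization profiles, the attributes of all of them are merged into the session result, a dACL is not merged with another dACL, and where two profiles set the same attribute the first listed profile is assumed to win (that last point is the earlier poster's observation, and the live log is still the place to confirm it). It also shows why the "VLan_" / "DACL_" split described in the last reply combines cleanly: the profiles set disjoint attributes. Profile names, rule names, VLAN IDs and dACL names are constructed for illustration and are not an ISE export; the attribute keys are simplified labels, not the exact RADIUS attribute encoding ISE sends.

```python
"""Added example: check which attributes a session receives when an ISE
authorization rule returns several authorization profiles, and flag rules
where two profiles set the same attribute (only the first one would apply).

All profile and rule data below is constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Conflict:
    """A later profile on the same rule set an attribute an earlier one already set."""
    rule: str
    attribute: str
    kept_from: str      # profile whose value is assumed to be applied (listed first)
    kept_value: str
    dropped_from: str   # profile whose value would be ignored
    dropped_value: str


# Constructed authorization profiles: name -> {result attribute: value}.
# Single-valued attributes only, which matches the observation in the thread
# that two dACLs are not combined into one.
PROFILES = {
    "VLan_Corp":     {"VLAN": "110"},
    "VLan_Guest":    {"VLAN": "200"},
    "DACL_Corp":     {"DACL": "CORP_ALLOW"},
    "DACL_Printers": {"DACL": "PRINTERS_ONLY"},
    "Timeout_8h":    {"Session-Timeout": "28800"},
}

# Constructed authorization rules: rule name -> profiles in the order listed
# in the rule's Results column.
RULES = {
    "Corp_Laptops":  ["VLan_Corp", "DACL_Corp", "Timeout_8h"],  # disjoint: merges cleanly
    "Printers":      ["DACL_Corp", "DACL_Printers"],            # two dACLs: second is lost
    "Guest_Mistake": ["VLan_Guest", "VLan_Corp", "DACL_Corp"],  # two VLANs: first wins
}


def merge_profiles(rule, profile_names, profiles=PROFILES):
    """Return (merged attributes, conflicts) for one rule.

    Attributes from every listed profile are collected; an attribute that a
    later profile sets to a different value is recorded as a Conflict and the
    first value is kept (assumption: first listed profile wins)."""
    merged, source, conflicts = {}, {}, []
    for name in profile_names:
        for attr, value in profiles[name].items():
            if attr not in merged:
                merged[attr] = value
                source[attr] = name
            elif merged[attr] != value:
                conflicts.append(Conflict(rule, attr, source[attr], merged[attr], name, value))
    return merged, conflicts


def lint_rules(rules=RULES, profiles=PROFILES):
    """Return every Conflict across all rules, so overlapping profiles are
    caught before a session shows up with the wrong VLAN or dACL."""
    return [c for rule, names in rules.items()
            for c in merge_profiles(rule, names, profiles)[1]]


if __name__ == "__main__":
    for rule, names in RULES.items():
        merged, conflicts = merge_profiles(rule, names)
        print(f"{rule}: {merged}")
        for c in conflicts:
            print(f"  CONFLICT {c.attribute}: {c.dropped_from}={c.dropped_value} "
                  f"ignored, {c.kept_from}={c.kept_value} kept")
```

Run it against your own list of rules and profiles (for example, copied from the Policy Sets page or an ERS export) and treat every reported conflict as a rule to split or reorder; then verify the winning attribute in the RADIUS live log 'Result' section as described in the earlier reply, since the first-wins ordering here is an assumption of the model, not something the model can prove.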