Authorization policies - Using multiple authorization profiles

dgaikwad
Level 5

Hi Experts,

Running ISE 3.1 patch 1.

Is it possible to have multiple authorization profiles in results with a single authorization policy?
And if multiple profiles are added, which profile will take precedence?

6 Replies

Octavian Szolga
Level 4

Hi,

This is not recommended because it will give you headaches.

Technically it's possible. My guess is that your two profiles will be combined, except in the case where the same attribute is defined in both profiles.

BR,

Octavian

Thanks for the confirmation, I was thinking along the same lines.
Thus they can be used, but the effects are not going to be good if combined.

Thus there could be two authz profiles with two different DACLs and they will be combined and applied, right?

Octavian Szolga
Level 4

Hi,

As far as I know, dACLs will not be combined.

BR,

Octavian

Mike.Cifelli
VIP Alumni

And if multiple profiles are added, which profile will take precedence?

-If multiple authz profiles are assigned as the result, they will be combined and assigned to the session. You can see this via the RADIUS live log for the test session. In the live log, pay attention to Authorization Result, which is found under 'Overview', to see which multiple authz profiles are assigned to the session. Then at the bottom under 'Result' you will see the attributes applied to the session, which will show you that the two are combined and applied. Should there be identical attributes configured in both, I am pretty sure that the first match will take and be assigned. Lastly, this may assist: ISE Authentication and Authorization Policy Reference - Cisco Community

marco.merlo
Level 1

Hi Mike,

What happens if I apply two different auth profiles to the same auth rule, each of which refers to a specific device profile?

Would ISE send just the correct device profile?

Regards

Marco

I use it quite often this way as it gives you great flexibility *and* visibility if you do it the correct way. For example, I have AuthZ profiles that *only* include the assigned VLAN; these have the prefix "VLan_". The AuthZ profiles that include a DACL have the prefix "DACL_", and so on. I didn't count them, but I think that in the end the total number of AuthZ profiles is reduced and the visibility in the AuthZ policy is greatly improved, as I directly see what I send to the NAD.