Showing results for 
Search instead for 
Did you mean: 

Calling logical profiles in ISE 2.2

Level 5
Level 5

Hi Experts,
I am using ISE with patch 16

I have created a few profiling policies to segregate laptops, and then called them in logical profile as corporate laptops.
Using this logical profile I want to run a few posture policies only for laptops.
But, now I am stuck, as I am not able to call this logical profile inside my posture policy.
I can see that there is something called as NAC_Profiler, is that similar to endpoint groups or logical profiles?
Cisco ISE - NAC_Profiler.png
If calling logical profiles is not possible then, is it possible to move the endpoint groups that are created by profiling policies to under some other parent groups, such as Registered endpoints, as I can see that is populating in posture policy here:
Cisco ISE - Registred endpoints.png
Is this something which is limited by the design or there is any workaround that I should be looking at?

4 Replies 4

VIP Alumni
VIP Alumni
You can call the logical profiled group under 'other conditions'. For example it would look like this:
Rule 1: If ANY and Windows All and Endpoints:LogicalProfile EQUALS Cameras then <result>

I am under the other conditions in posture polices, but the endpoints is not listed here...
Cisco ISE - Other Conditions.png
As here the endpoints is not visible under it, where as its listed under authorization policies.
Now the question is, is this something that is supported in this version of ISE?

Go to Policy->Policy Elements->Conditions->Dictionary Simple Condition. Add new Condition that looks like this:
Name = <name>
Attribute = Endpoints:LogicalProfile
Operator = EQUALS
Value = <logical group>
Then go back to posture policies->Other conditions (select)->Existing Simple condition-><your created logical group condition>

ISE 2.2 does not support those matching conditions in Posture or Client Provisioning Policies. The ability to match on these conditions was not added until ISE 2.3+ as per the Release Notes.