Cisco ISE - Creating complex policy set rules

Marc0
Level 1
Hi All

 

I have ISE 2.7 and am trying to create policy set rules in line with an 802.1x rollout, which is fairly straightforward.

However, I'm trying to find out if ISE will allow the creation of a single authorization policy rule with multiple condition rules but mapping them to multiple result profiles?

Does anyone know if this is possible and, if so, are there instructions on doing this?

 

Thanks in advance


Hi @Marc0 ,

Something like this:

MultipleResults.png

 

Hope this helps!!!

Hi Marcelo

 

Yes, that's it, so I can create it, but I'm curious to understand how the condition rules link to the correct result profile when I have multiple selected. I've uploaded an example that we are trying to build.

See a related discussion here - Authorization permissions in one or multiple authorization profiles 

When you 'stack' AuthZ Profiles, they are all applied to the session so you want to ensure there are no overlapping attributes (dACL, dVLAN, etc) as there is no way to specify the order in which they are applied.

For your example, both AuthZ Profiles would be applied to any session that matches any of your OR conditions.

I've personally never stacked AuthZ Profiles on any customer deployments as I feel they add more complexity rather than reducing it.
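An added example, not part of the original thread: one way to check for the overlapping-attribute risk described in the reply above before stacking AuthZ Profiles on a rule. The profile and rule data are constructed and use a simplified, hypothetical dictionary layout (attribute keys such as `vlan` and `dacl` are assumptions, not the ISE export or API format).

```python
from itertools import combinations

# Constructed sample data in a simplified, hypothetical form (not the ISE
# export or API format): each AuthZ Profile maps to the attributes it sets.
PROFILES = {
    "Corp-VLAN": {"vlan": "CORP"},
    "Corp-dACL": {"dacl": "PERMIT_CORP"},
    "Guest-Access": {"vlan": "GUEST", "dacl": "PERMIT_INTERNET"},
    "Voice": {"voice_domain": True},
}

# Constructed AuthZ rules: rule name -> list of stacked result profiles.
RULES = {
    "Corp-Laptops": ["Corp-VLAN", "Corp-dACL"],
    "Contractors": ["Corp-VLAN", "Guest-Access"],
    "IP-Phones": ["Voice"],
}


def find_overlaps(rules, profiles):
    """Return {rule: [(attribute, profile_a, profile_b, same_value), ...]} for
    every attribute set by more than one profile stacked on the same rule."""
    findings = {}
    for rule, stacked in rules.items():
        missing = [p for p in stacked if p not in profiles]
        if missing:
            raise KeyError(f"rule {rule!r} references undefined profiles: {missing}")
        hits = []
        # Compare every pair of profiles stacked on this rule.
        for a, b in combinations(stacked, 2):
            for attr in sorted(profiles[a].keys() & profiles[b].keys()):
                hits.append((attr, a, b, profiles[a][attr] == profiles[b][attr]))
        if hits:
            findings[rule] = hits
    return findings


if __name__ == "__main__":
    for rule, hits in find_overlaps(RULES, PROFILES).items():
        for attr, a, b, same in hits:
            note = ("same value" if same
                    else "conflicting values; apply order cannot be specified")
            print(f"{rule}: {attr!r} set by both {a} and {b} ({note})")
```
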

Thanks Greg for the response. 

So if the view is not to stack the AuthZ profiles, is there a limitation on the number of AuthZ profiles that can be held in one policy set rule?

As per the Scalability Guide... "It is not recommended to have more than 600 authorization rules in a single policy set"

If you have a 1:1 ratio of AuthZ Profiles to AuthZ Policy rules, the recommended max AuthZ Profiles per Policy Set would also be 600.