
Cisco ISE two or more Authentication Policy Result

Hello guys.

I would like to ask you about the logic of having two or more Authentication Policy Results for a policy set's rule.

I mean, sometimes I have seen, on different Cisco ISE policy sets, some policy set rules that have two or more results for the same conditions.

So, in which way does ISE apply one or the other? To my understanding, the conditions are the same.

Thanks a lot.

 

Americo

1 Accepted Solution


hslai
Cisco Employee

If there is more than one authorization profile in the same result cell, then the attributes would be combined, but only the first value will apply if the attribute may have only one. For example,

authzProfile-1: VLAN=Employees, DACL=permitALL

authzProfile-2: VLAN=ACCESS, Reauthentication with Timer=1800

SecureGroup=Employees

The combined result shall be: VLAN=Employees, DACL=permitALL, Reauthentication with Timer=1800, SecureGroup=Employees
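The merge rule described in the answer above, as an added example that is not part of the original post and is not Cisco's code: it combines the entries of one result cell in order and reports every value that is silently dropped because an earlier entry already set that attribute. The function name, the `multi_valued` parameter and the modelling of `SecureGroup` as its own entry are assumptions made for illustration.

```python
def merge_result_cell(entries, multi_valued=frozenset()):
    """Merge the entries of one result cell, in the order they are listed.

    entries: list of (name, [(attribute, value), ...]).
    multi_valued: attributes that may carry several values. Assumption: the
    caller supplies this set; the post does not say which attributes qualify.
    Returns (merged, shadowed):
      merged   maps attribute -> list of values that take effect
      shadowed lists (entry, attribute, dropped_value, winning_value)
    """
    merged = {}
    shadowed = []
    for name, attrs in entries:
        for attr, value in attrs:
            if attr not in merged:
                merged[attr] = [value]            # first value seen wins
            elif attr in multi_valued:
                if value not in merged[attr]:
                    merged[attr].append(value)    # values are combined
            elif merged[attr][0] != value:
                # Single-valued attribute already set by an earlier entry:
                # this value never reaches the endpoint.
                shadowed.append((name, attr, value, merged[attr][0]))
    return merged, shadowed


# The example from the post. SecureGroup is modelled as a third entry
# (assumption: the post lists it on its own line after the two profiles).
EXAMPLE = [
    ("authzProfile-1", [("VLAN", "Employees"), ("DACL", "permitALL")]),
    ("authzProfile-2", [("VLAN", "ACCESS"),
                        ("Reauthentication with Timer", "1800")]),
    ("SecureGroup", [("SecureGroup", "Employees")]),
]

if __name__ == "__main__":
    merged, shadowed = merge_result_cell(EXAMPLE)
    print("effective:", ", ".join(f"{k}={'+'.join(v)}" for k, v in merged.items()))
    for entry, attr, dropped, winner in shadowed:
        print(f"shadowed: {entry} {attr}={dropped} (overridden by {attr}={winner})")
```

Running the same check with the two profiles swapped shows that the order inside the result cell decides which VLAN is applied.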

 


2 Replies

Hi @Americo Massotti 

Please take a look at: ISE Admin Guide - Policy Set.

Remember that:

"... Policy sets are configured hierarchically, where the rule on the top level of the policy set, which can be viewed from the Policy Set table, applies to the entire set and is matched before the rules for the rest of the policies and exceptions. Thereafter, rules of the set are applied in this order:

1. Authentication policy rules
2. Local policy exceptions
3. Global policy exceptions
4. Authorization policy rules..."

Hope this helps!!!
