I need advice on how to merge Authorization Profiles in a Policy Set.

Amen
Level 1

We have a need to merge Authorization Profiles in a Policy Set. By default, ISE will select the first match for a RADIUS attribute and will not combine any other matches that contain that attribute. Only single statements with multiple Authorization Policies as the result are combined.

For example, if I have the following conditions, only the “Allow123” result is sent and the “AllowXYZ” result is ignored:

Condition: AD=Group123, Attribute: EfficientIP:EfficientIP-Groups = Allow123
Condition: AD=GroupXYZ, Attribute: EfficientIP:EfficientIP-Groups = AllowXYZ

We need to find a way to merge the resulting attribute values, while maintaining the 1-to-1 relationship from AD group to Profile mapping, so that the result is:

EfficientIP:EfficientIP-Groups = Allow123,AllowXYZ

A single statement with multiple Authorization Policies does not work for this requirement as there is no way to keep the AD Group to attribute relationship.


Thank you in advance.


Torbjørn
Spotlight

The way to go about this is to maintain one authorization profile per group you wish to authorize, mapped to a single result. If I am interpreting your post correctly, you are running into a situation where a user is both a member of group Group123 and GroupXYZ? If so, you will need to prioritise one over the other, unless you can filter based on a secondary AD attribute as well.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Prioritization doesn’t work for this situation, because I need multiple results to be merged as the user is a member of multiple EfficientIP groups that have different security access.


If we use prioritization, the users only have partial access to what they need access to in EfficientIP.


thomas
Cisco Employee

I don't understand what an EfficientIP group is but you may return multiple ISE Authorization Profiles per authorization rule.


Duplicate attributes are allowed by the RADIUS protocol but how they are interpreted by the network device (first wins vs last wins) is implementation dependent. Test carefully - your mileage may vary.
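As an added illustration of the point above (example code written for this page, not part of thomas's reply or any Cisco or EfficientIP material), the following builds a RADIUS attribute list in which two Authorization Profiles each contribute their own EfficientIP-Groups value, decodes it while keeping duplicates in wire order, and shows the three interpretations a network device could apply: first wins, last wins, or a merged comma-separated value. The vendor ID and vendor-type numbers are constructed placeholders, since the thread gives neither; the encoding itself follows RFC 2865 section 5.26.

```python
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute type

# Placeholders: the thread names "EfficientIP:EfficientIP-Groups" but gives no vendor ID
# or vendor-type, so these numbers are constructed for the example, not EfficientIP's.
PLACEHOLDER_VENDOR_ID = 99999
PLACEHOLDER_GROUPS_VTYPE = 1


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute (RFC 2865 section 5.26):
    Type=26 | Length | Vendor-Id (4) | Vendor-Type | Vendor-Length | value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def decode_attributes(blob: bytes) -> list:
    """Walk a RADIUS attribute list, preserving order and duplicates.
    Returns (type, value) tuples; for VSAs value is (vendor_id, vendor_type, data)."""
    attrs = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute length")
        data = blob[i + 2 : i + alen]
        if atype == VENDOR_SPECIFIC:
            if len(data) < 6:
                raise ValueError("short VSA")
            vendor_id = struct.unpack("!I", data[:4])[0]
            vtype, vlen = data[4], data[5]
            if vlen < 2 or 4 + vlen > len(data):
                raise ValueError("malformed VSA length")
            attrs.append((atype, (vendor_id, vtype, data[6 : 4 + vlen])))
        else:
            attrs.append((atype, data))
        i += alen
    return attrs


def collect_vsa_values(attrs, vendor_id, vendor_type):
    """All occurrences of one vendor attribute, in wire order (duplicates kept)."""
    return [
        v[2].decode("utf-8")
        for t, v in attrs
        if t == VENDOR_SPECIFIC and v[0] == vendor_id and v[1] == vendor_type
    ]


def interpret(values, policy):
    """Model how a network device might treat repeated instances of one attribute."""
    if not values:
        return None
    if policy == "first-wins":
        return values[0]
    if policy == "last-wins":
        return values[-1]
    if policy == "merge":
        return ",".join(values)
    raise ValueError(f"unknown policy {policy!r}")


def simulate_access_accept() -> dict:
    """Two Authorization Profiles each contribute an EfficientIP-Groups VSA (constructed payload)."""
    payload = (
        encode_vsa(PLACEHOLDER_VENDOR_ID, PLACEHOLDER_GROUPS_VTYPE, b"Allow123")
        + encode_vsa(PLACEHOLDER_VENDOR_ID, PLACEHOLDER_GROUPS_VTYPE, b"AllowXYZ")
    )
    values = collect_vsa_values(
        decode_attributes(payload), PLACEHOLDER_VENDOR_ID, PLACEHOLDER_GROUPS_VTYPE
    )
    return {policy: interpret(values, policy) for policy in ("first-wins", "last-wins", "merge")}


if __name__ == "__main__":
    for policy, result in simulate_access_accept().items():
        print(f"{policy:>10}: {result}")
```

Only the "merge" row gives the `Allow123,AllowXYZ` result the original question asks for, and whether the device behaves that way is exactly the implementation-dependent part: the decoder above shows both values are on the wire, so a capture of the Access-Accept is the quickest way to confirm what ISE sent before testing how the device consumes it.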

The Condition is like IF and the profile is like THEN, so there cannot be two profiles.
Why not use a new AD profile so that the result is one authz profile?

MHM