Solved: ISE 2.4 Multiple Matched Rule Applies

Asif Akash · ‎06-13-2018

Greetings Experts,

Does ISE 2.4 Authorization policy have the option to do "Multiple Matched Rule Applies"?

Br,

Asif

Craig Hyps · ‎06-13-2018

Multi-match was only supported in Simple Policy mode and currently deprecated in 2.3/2.4 where strictly Policy Set mode.

Craig

View solution in original post

paul · ‎06-13-2018

Asif,

I don't have any of my customers at 2.4 yet, but I don't think this is supported. What is the use case you are trying to solve?

Asif Akash · ‎06-13-2018

Customer need to match multiple authorization profiles based on matched rules which existed in 2.2. However after upgrade to 2.4, we can only see Default policy set and don’t have the option to “Multiple Matched” rule under Authorization policy.

--

Asif A

Damien Miller · ‎06-13-2018

Hello Asif,

I have run many ISE implementations but I am not familiar with any ability to match multiple authorization rules. Typically you build ISE on a first match design. You can create multiple policy sets, each policy set will have authentication conditions that must be matched. Once you match an authentication rule in a policy set you then hit a configured authorization rule.

Within both the authentication rules and authorization rules of a policy set you can set up compound conditions. These conditions must be met to be matched.

It sounds like when you upgraded it might have merged your existing 2.2 policy set incorrectly, or in a way that doesn't match your needs. You shouldn't need to match two rules to authenticate the same endpoint.

Craig Hyps · ‎06-13-2018

Multi-match was only supported in Simple Policy mode and currently deprecated in 2.3/2.4 where strictly Policy Set mode.

Craig

ISE 2.4 Multiple Matched Rule Applies

【原创】升级ISE到2.4版本

Dial-peer not matching, shouldn't longest-prefix rule apply?

2.4 Cisco ISE Context Visibility Features

ISE 2.4　MnT Access tabについて

XDR: Automation Remote が Disconnected になる問題で取得すべき情報（version 2.4 まで）