Logical Profiles in ISE 1.2.1

I'm having trouble understanding the Logical Profiles.

What I understand from the user guide: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html#58510

For those too lazy to read:

You can use the logical profile in an authorization policy condition to help create an overall network access policy for a category of profiles. You can create a simple condition for authorization, which can be included in the authorization rule. The attribute-value pair that you can use in the authorization condition is the logical profile (attribute) and the name of the logical profile (value), which can be found in the EndPoints systems dictionary.

 

So I thought that meant that I can group different profiles (Apple iPhone, iPad, iPod) together into a logical group, e.g. "BYOD_Idevice", and use this logical profile in the Authorization.

But I can't choose this freshly created Logical Group in the Authorization Condition. In fact, I can't choose this logical group ANYWHERE.

Leaning back and thinking about it - it somehow makes sense. In the Authorization, you don't pick Profiles, you choose Identity endpoints. So what's the point of the logical profiles? I was hoping to clean/lean up my authorization rules with them. But what else would I use them for?

 

Or is this a bug in ISE 1.2.1? Not sure if I should call TAC about this, or if I'm just not getting it :D

 

Thanks a lot for your help!

1 Accepted Solution

nspasov
Cisco Employee

Nice username! :)

So yes, you are correct, the logical profiles would allow you to group different types of dynamically profiled devices and then reference that profile in your authorization rules. However, you won't see those logical profiles under the "Identity Group Details" section. You will need to leave that field blank. Instead, you need to look in the "second" condition box: expression > Endpoint > LogicalProfile

Hope this helps!

 

Thank you for rating helpful posts!


AWESOME! 

It works! How cool is that. OK, a bit complicated, but what the heck. It works! Thanks a lot for your help!

 

 

No problem! Glad I could help :)

Thank you for rating helpful posts!