Showing results for 
Search instead for 
Did you mean: 

Transitioning Through Profiles (Profile Stacking)

Level 1
Level 1



I am using:



Installed Patches 2

Product Identifier (PID) ISE-VM-K9

Version Identifier (VID) V01

ADE-OS Version


I have a question about “stacking” profiles. By stacking, I mean, I have setup ISE to NMAP and profile an factory new endpoint to an initially trusted endpoint profile and assign it to an identity group as a candidate for further processing.


The initial profile works great, the NMAP performs its scan, meeting a profiler policy condition through customized NMAPExtension and the system places the endpoint in a selected Identity Group called “candidate”.


Life would be so easy if I left the endpoint in this state, but I have this access requirement to first profile the endpoint and use a graduated approach from a candidate (member of this identity group) to a higher set of authorizations including VLAN/dACL assignment.


My initial approach was to build a policy set outside of the initial working set that bought the “layer0-endpoint” to “layer1-candidate” and then once in the candidate stage, authorized it to a different authorization profile, turning it into “layer2-release”. Obviously, I am performing configurations to the endpoint when they transition through the phases – including an eventual DOT1X implementation in the end.


Goes from out of the factory sealed box and added to the network - layer0-endpoint -> layer1-candidate -> layer2-release


I’ve tried a few things, yet nothing is working. At this point, I’m unsure it is even possible to first profile an endpoint into a candidate and then into release – or my profile stacking concept.


Any points or artlicles which may help please…




2 Replies 2

Level 1
Level 1



So my question is not related to stacking profiles (I guess considered "reprofiling")... I suppose I want to create a new policy set to apply to the “layer1-candidate” after it has been given an Identity Group Assignment to my group - and then once you become a member of that group, you get updated permissions (new VLAN/dACL) given the endpoint modified access.


I just do see how this is done with the Policy Set Conditions Studio. I just don't see a dictionary which allowes me to choose some of the ISE parameters like the grouping the endpoint belongs to or its currently assigned policy.

Cisco Employee
Cisco Employee

Chris: You are correct that endpoint groups or attributes are not currently available as conditions to select a policy set. Thus, you would need to use the same policy set or key off others.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: