I am running ISE 2.4 with patch 4.
In the authorization policy is it possible to push two authorization profiles?
If yes, then which ones will take precedence?
Or is this something that the design of ISE does not allow?
Any pointers or documentation to achieve this?
I was thinking about a use case where the WLC ACL has a limitation of 64 lines in a single ACL. So, what if I create multiple dACLs and push them via authorization profiles, thus increasing the overall capacity?
bern81 is correct that the WLC does not use DACLs. If you need many ACEs, then you should consider another solution (e.g. ASA) to perform the enforcement.
If the matched authz policy rule has multiple profiles, they are combined in such a way that distinct attributes will all apply and the first values of the same attributes will apply.
For example, the following rule has three authz profiles:
As the DACL is unique and VLAN assignments are duplicated, the resulting permissions would have DACL PERMIT_ALL and the first VLAN assignment, which is set to 100.
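The combining rule described in the answer above, written out as an added Python sketch (not part of the original thread and not Cisco code) that also lists which attribute values are silently dropped. The profile names, the attribute keys `DACL` and `VLAN`, VLAN 200 and the `ACL_PART_*` names are constructed for illustration.

```python
def combine_profiles(profiles):
    """Combine an ordered list of (profile_name, {attribute: value}) pairs.

    Models the rule stated in the thread: distinct attributes all apply,
    and for an attribute set by several profiles the first value applies.
    Returns (effective, shadowed):
      effective: {attribute: (value, winning_profile)}
      shadowed:  [(attribute, ignored_value, ignored_profile, winning_profile)]
    """
    effective = {}
    shadowed = []
    for name, attrs in profiles:
        for attr, value in attrs.items():
            if attr not in effective:
                effective[attr] = (value, name)
            else:
                # A later profile repeats an attribute: its value is not applied.
                shadowed.append((attr, value, name, effective[attr][1]))
    return effective, shadowed


# Constructed rule matching the answer's example: one DACL, two VLAN assignments.
EXAMPLE_RULE = [
    ("Profile_A", {"DACL": "PERMIT_ALL"}),
    ("Profile_B", {"VLAN": 100}),
    ("Profile_C", {"VLAN": 200}),
]

# Constructed rule for the idea raised in the question: one ACL split across
# two profiles. Under the stated rule only the first DACL value applies.
SPLIT_DACL_RULE = [
    ("Profile_Part1", {"DACL": "ACL_PART_1"}),
    ("Profile_Part2", {"DACL": "ACL_PART_2"}),
]

if __name__ == "__main__":
    for label, rule in (("example", EXAMPLE_RULE), ("split dACL", SPLIT_DACL_RULE)):
        effective, shadowed = combine_profiles(rule)
        print(f"[{label}]")
        for attr, (value, src) in effective.items():
            print(f"  applied  {attr}={value} (from {src})")
        for attr, value, src, winner in shadowed:
            print(f"  ignored  {attr}={value} (from {src}, {winner} wins)")
```
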