Contributor

Push two authorization profiles in one authorization policy

Hello Experts,
I am running ISE 2.4 with patch 4.
In the authorization policy is it possible to push two authorization profiles?
If yes, then which ones will take the precedence?
Or is this something that the design of ISE does not allow?

Any pointers or documentation to achieve this?

1 ACCEPTED SOLUTION

Beginner

Re: Push two authorization profiles in one authorization policy

Hi,
I know this is not directly related to your question, but I don't think you can push a DACL to the WLC. You can create the ACL locally on the WLC and call it by its name in the Authorization profile via the "Airespace ACL" option.


7 REPLIES
VIP Advisor

Re: Push two authorization profiles in one authorization policy

No you can't combine two profiles in one rule. With the profile you can
combination of ands and ors nested
VIP Advocate

Re: Push two authorization profiles in one authorization policy

I think you might get more helpful advice if you were to try and explain why you think you need two authorization results. To clarify the terms, I'm assuming authorization results because that's what ISE would send back to the switch/WLC. As indicated in the previous post, it's not possible, but there are usually ways to accomplish most rule requirements.
Contributor

Re: Push two authorization profiles in one authorization policy

I was thinking about a use case where the WLC has a limitation of 64 lines in a single ACL. So, what if I create multiple dACLs and push them via authorization profiles, thus increasing the overall capacity?

Cisco Employee

Re: Push two authorization profiles in one authorization policy

bern81 is correct that the WLC does not use DACLs. If you need many ACEs, then you should consider another solution (e.g. ASA) to perform the enforcement.

Contributor

Re: Push two authorization profiles in one authorization policy

Well, that makes sense...

Thank you for all the inputs...

Cisco Employee

Re: Push two authorization profiles in one authorization policy

If the matched authz policy rule has multiple profiles, they are combined in such a way that distinct attributes will all apply and the first values of the same attributes will apply.

For example, the following rule has three authz profiles:

  1. dACL PermitALL -- with the attribute for DACL -- PERMIT_ALL
  2. vlan 100 -- with the common task VLAN set to 100
  3. vlan 101 -- with the common task VLAN set to 101

As the DACL is unique and the VLAN assignments are duplicated, the resulting permissions would have DACL PERMIT_ALL and the first VLAN assignment, which is set to 100.
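
The merge rule described in the last reply, as an added example that is not part of the thread and is not Cisco ISE code: it models "distinct attributes all apply, first value of a duplicated attribute wins" and also reports which later values were silently dropped, which is the part worth auditing in a rule that carries several profiles. The function name, attribute keys and sample data are assumptions constructed for illustration.

```python
# Model of the merge behaviour described in the reply above; not Cisco ISE code.
# Profile names and attribute keys are constructed for illustration.

def merge_profiles(profiles):
    """Merge an ordered list of (name, attributes) authorization profiles.

    Distinct attributes all apply; when the same attribute appears in more
    than one profile, the value from the first profile in the list wins.
    Returns (effective, shadowed):
      effective maps attribute -> (value, source profile)
      shadowed lists (attribute, ignored value, ignored profile, winning profile)
      for every later duplicate that was dropped.
    """
    effective = {}
    shadowed = []
    for name, attrs in profiles:
        for attr, value in attrs.items():
            if attr in effective:
                # A later profile repeats an attribute: its value is ignored.
                shadowed.append((attr, value, name, effective[attr][1]))
            else:
                effective[attr] = (value, name)
    return effective, shadowed


# Constructed sample: the three-profile rule from the reply.
RULE = [
    ("dACL PermitALL", {"DACL": "PERMIT_ALL"}),
    ("vlan 100", {"VLAN": "100"}),
    ("vlan 101", {"VLAN": "101"}),
]

if __name__ == "__main__":
    effective, shadowed = merge_profiles(RULE)
    for attr, (value, source) in effective.items():
        print(f"{attr} = {value} (from {source})")
    for attr, value, ignored, winner in shadowed:
        print(f"ignored: {attr} = {value} from {ignored}; {winner} already set it")
```
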