Push two authorization profiles in one authorization policy

dgaikwad
Level 5

Hello Experts,
I am running ISE 2.4 with patch 4.
In the authorization policy is it possible to push two authorization profiles?
If yes, then which ones will take the precedence?
Or is this something that the design of ISE does not allow?

Any pointers or documentation to achieve this?

No, you can't combine two profiles in one rule. With the profile you can
combination of ands and ors nested

Damien Miller
VIP Alumni
I think you might get more helpful advice if you were to try and explain why you think you need two authorization results. To clarify the terms, I'm assuming authorization results because that's what ISE would send back to the switch/WLC. As indicated in the previous post, it's not possible, but there are usually ways to accomplish most rule requirements.

I was thinking about a use case where the WLC ACL has a limitation of 64 lines in a single ACL. So, what if I create multiple dACLs and push them via authorization profiles, thus increasing the overall capacity?

Hi,
I know this is not directly related to your question, but I don't think you can push DACL to WLC; you can create an ACL locally on the WLC and call it by its name in the Authorization profile via the "Airespace ACL" option.

bern81 is correct that the WLC does not use DACLs. If you need many ACEs, then you should consider another solution (e.g. ASA) to perform the enforcement.

Well, that makes sense...

Thank you for all the inputs...

hslai
Cisco Employee

If the matched authz policy rule has multiple profiles, they are combined in such a way that distinct attributes will all apply and the first values of the same attributes will apply.

For example, the following rule has three authz profiles:

  1. dACL PermitALL -- with the attribute for DACL -- PERMIT_ALL
  2. vlan 100 -- with the common task VLAN set to 100
  3. vlan 101 -- with the common task VLAN set to 101

As the DACL is unique and VLAN assignments are duplicated, the resulting permissions would have DACL PERMIT_ALL and the first VLAN assignment, which is set to 100.
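The merge behaviour described in the reply above, as an added example that is not part of the original thread and is not ISE code: a simplified model that also reports which attribute values are silently dropped, which is what a policy review would want to flag. The attribute keys `DACL` and `VLAN` and the function name `merge_profiles` are assumed labels for illustration.

```python
def merge_profiles(profiles):
    """Model of combining several authorization profiles on one rule.

    profiles: list of (profile_name, {attribute: value}) in the order
              they are listed on the rule.
    Returns (effective, shadowed):
      effective - attribute -> value that would apply (first value wins)
      shadowed  - later values for an already-set attribute, i.e. settings
                  an administrator configured but that never take effect
    """
    effective = {}   # attribute -> (value, profile that supplied it)
    shadowed = []
    for name, attrs in profiles:
        for attr, value in attrs.items():
            if attr not in effective:
                # Distinct attribute: it applies.
                effective[attr] = (value, name)
                continue
            kept_value, kept_from = effective[attr]
            # Same attribute seen again: the earlier profile's value stays.
            shadowed.append({
                "attribute": attr,
                "ignored_value": value,
                "ignored_profile": name,
                "kept_value": kept_value,
                "kept_profile": kept_from,
                "conflict": value != kept_value,
            })
    return {a: v for a, (v, _) in effective.items()}, shadowed


# Constructed input mirroring the three profiles in the reply above.
RULE_PROFILES = [
    ("dACL PermitALL", {"DACL": "PERMIT_ALL"}),
    ("vlan 100", {"VLAN": "100"}),
    ("vlan 101", {"VLAN": "101"}),
]

if __name__ == "__main__":
    effective, shadowed = merge_profiles(RULE_PROFILES)
    print("effective:", effective)
    for s in shadowed:
        print("ignored: {ignored_profile} sets {attribute}={ignored_value}; "
              "{kept_profile} already set {kept_value}".format(**s))
```
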