1) Go to Policy->Profiling->Policies. Pick a group and change "Use Hierarchy" to "Create Matching Identity Group".
This way, for each category, a specific group will be created. You can then assign a policy to the identity group and not use the default top-level hierarchy policy.
2) Regarding your second question, I have been struggling at the same point. After some searching, I realized that the Authentication page is only for which protocol you want to allow (i.e. MAB). What needs to happen with MAB, you need to define in the Authorization page.
There you can make a policy, for example "if part of CISCO_PHONES" and "WIRED_MAB" then apply "VOICE policy"... I don't know if this is all true, but it seems to work.
Once you set a particular device group to create its own device group, you can then reference those devices from within the authorisation rules.
Here is an example of what I did for one customer. I specifically set my profiling service to group iPads, iPhones, blueberries, HTC and Android into their own groups, as these were the only devices the client wanted to support. Based on the device types and if their user credentials were in a certain AD domain group, they were allowed to connect to the BYO SSID and have limited access to the network. You will notice that some of my other rules reference Windows workstations:
To get around your problem with users' devices being authenticated via MAB and then being bypassed on the rest of the rules, you can either disable the MAB rule if you're not using MAB, but with customers with 1000's of IP desk phones, you need MAB.
So limit the protocols in the MAB authentication rule and make sure that the rule only references internal devices, so when devices are trying to authenticate via a different auth type, they don't match the MAB rule.