Cisco Support Community

New Member

Logical Profiles in ISE 1.2.1

I'm having trouble understanding the Logical Profiles.

What I understand from the user guide: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html#58510

For those too lazy to read:

You can use the logical profile in an authorization policy condition to help create an overall network access policy for a category of profiles. You can create a simple condition for authorization, which can be included in the authorization rule. The attribute-value pair that you can use in the authorization condition is the logical profile (attribute) and the name of the logical profile (value), which can be found in the EndPoints systems dictionary.

 

So I thought that meant that I can group different profiles (Apple iPhone, iPad, iPod) together into a logical group, e.g. "BYOD_Idevice", and use this logical profile in the Authorization.

But I can't choose this freshly created Logical Group in the Authorization Condition. As a matter of fact, I can't choose this logical group ANYWHERE.

Leaning back and thinking about it, it somehow makes sense. In the Authorization, you don't pick Profiles, you choose Identity endpoints. So what's the point of the logical profiles? I was hoping to clean/lean up my authorization rules with them. But what else would I use them for?

Or is this a bug in ISE 1.2.1? Not sure if I should call TAC about this, or if I'm just not getting it :D

Thanks a lot for your help!

Accepted Solutions
Cisco Employee

Nice username! :)

So yes, you are correct, the logical profiles would allow you to group different types of dynamically profiled devices and then reference that profile in your authorization rules. However, you won't see those logical profiles under the "Identity Group Details" section. You will need to leave that field blank. Instead, you need to look in the "second" condition box: expression > Endpoint > LogicalProfile

Hope this helps!

 

Thank you for rating helpful posts!

3 REPLIES
New Member

AWESOME! 

It works! How cool is that. OK, a bit complicated, but what the heck. It works! Thanks a lot for your help!

 

 

Cisco Employee

No problem! Glad I could help :)

Thank you for rating helpful posts!