ISE Certainty calculation

Hello
We have a profiling policy for a firm XP device, and I am trying to see if it passes each of the 6 rules that we have. This is for our legacy machines, which we will kill when XP dies, and all new machines will have dot1x configured. This rule works most times except when the Certainty factor is 0
1)nmap to determine OS  Certfactor 10
2)workstation rule test      Certfactor 20
3)hostname validation      Certfactor 40
..n
The certainty values are set by 8bit value so I can quickly discern the reason for failure.
I am looking at the profiler log and trying to determine which one it is failing and the results.... It does not seem to be very clear in the log and the score and calculation... for each that is passed.
any insight is appreciated.
James

Hi salodh
As you can see in the attached file, all profiling is configured correctly and the condition should match according to User-Agent Contains Android (profile3.png), and the Certainty Factor must increase (profile2.png) in this case, but the Total Certainty Factor is still 0 in the endpoint profile (profile1.png)

Similar Messages

  • Unplanned Depreciation not reducing Base Value

    Hi all,
    Assets created in SAP. At a point, these assets had stopped
    depreciating in sub-ledger but seems as if depreciation continued to be
    provided for directly in the GL manually (via a jnl).
    User wishes to re-capture the revised APC and Accumulated Depreciation
    values back into the asset sub-ledger so that SAP will automatically
    depreciate the assets according to their remaining useful life.
    User has used a Write-up transaction to load the APC value. After
    write-up posted, depreciation is being calculated as expected. To get
    the Accumulated Depreciation value into SAP, the user has posted
    Unplanned Depreciation (TTY Type 640). However, when this is posted,
    depreciation is not being calculated evenly over remaining useful life
    of asset. For Year 1, depreciation is being calculated from Write-Up
    (APC) values ONLY, and the Unplanned Depr (representing Accumulated
    Depr) has NOT been taken into account. Unplanned Depr is only taken
    into account from Year 2. This is leading to dis-proportionate depr
    values in comparison from Year 1 to subsequent years across the
    remaining life of the asset.
    Have been testing period controls, and depr key set up but no luck.
    Any ideas or suggestions will be much appreciated.

    Dear Dattatray,
    The issue here is not with the fact that no depreciation values have posted.  The issue is with the values that have been posted.  Let me illustrate by way of example.
    Asset start date for depr:  Changed to 01.01.2008
    Useful life of asset:  3 years, 4 months (40 months)
    Write up of asset posted March 2008:  EUR 135,492.18
    Unplanned Depr of asset posted March 2008 EUR 93,605.12
    Therefore, Net Book Value = EUR 41,887.06
    Depreciation run happened in March after ABAA entry.
    Expectation:-
    Based on this NBV of EUR 41,887.06 you would expect depr to post at EUR1,047.18 per month (41,887.06 / 40 months) over the remaining life of asset.  In this case, 3 months would be caught up in March as asset depr start date is 01.01.2008, and balance of EUR1,047.18 to be posted per month until asset written off 3 years and 4 months down the line.
    What is happening in SAP:-
    Depreciation for FY 2008 is only being calculated on the write-up value of EUR 135,492.18 and not the NBV.  Therefore, for FY2008, depreciation is being calculated at EUR 3,387.30 per month (EUR135,492.18 / 40 months).
    If i look at FY2009, the Unplanned Depr value of EUR 93,605.12 is now taken into account.  Therefore, NBV at start of FY2009 is Write up 135,492.18 less Unplanned Depr 93,605.12 less Depr in 2008 (12 months) 40,647.60 = NBV EUR1,239.46.  This new NBV over remaining life which is now 28 months is EUR 44,27 per month, or EUR 531.19 for the year.
    So in FY2008, Depr posted = EUR 40,647.60 (3,387.30 per month)
    In FY2009, depr posted = EUR 531.19 (44.27 per month)
    In FY 2010, depr posted = EUR 531.19 (44.27 per month)
    In FY 2011, asset gets written off.
    You can see that year 1 is highly inflated and Years 2 thru remaining life is smoothed.  This is not correct.  We would expect the depr to be smoothed every month from the start i.e. EUR 1,047.18 per month or 12,566.11 in FY2008, 12,566.11 in FY2009, 12,566.11 in FY 2010 and then written off in 2011.
    I hope this helps to explain the current problem.
    Thanks.

  • ISE 1.2 Guest Portal Profiling Certainty Factor not Increase

    Hi, I have configured ISE 1.2 Guest Portal and checked profiling for which device logs in, but I found that the endpoint profile does not match after the user successfully authenticates
    Profiling Configure and Endpoint Detail in attachment below

    Hi salodh
    As you can see in the attached file, all profiling is configured correctly and the condition should match according to User-Agent Contains Android (profile3.png), and the Certainty Factor must increase (profile2.png) in this case, but the Total Certainty Factor is still 0 in the endpoint profile (profile1.png)

  • ISE 1.2/1.2.1 license consumption issues

    Hi all, I know this topic is somewhat done to death but I want to know whether anyone else is experiencing this issue. In summary my ISE deployment (right this minute) has 17 Active sessions with 17 base and 17 plus licenses consumed. My issue with this is that of the 17 active sessions only 8 of these sessions are utilising a plus feature ie the registration status in the authorisation policy. In short at all times the plus license consumption always matches the base license consumption.
    I have continually had this issue with all ISE deployments whereby the license consumption does not reflect Cisco documentation and my configurations. Without giving screenshots I can say with certainty that the only plus feature being used is the BYOD onboarding and subsequent registration status in the authz policy. The rest of my policies are straightforward CWA guest and EAP-TLS machine cert authorisations with no profiling information used in the policy. I have gone so far as to turn off profiling and remove BYOD policies with the same results.
    The following document clearly states what should and shouldn't consume a license:
    http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/datasheet-c78-730772.pdf
    Any input would be appreciated.

    The bug is listed as fixed, but I don't see which software it is fixed in. I must admit I've seen this problem for months, probably over a year now. It was already the case on 1.1.4 at least. I have some customers using 1300 of 500 advanced licenses.
    It would be nice if it functioned exactly as the documentation always said. It would give you a warm feeling that things will keep working when the advanced license expires entirely (I'm sure we'll find out soon).
    At one point I was told it was under discussion whether to fix the problem, or to fix the documentation to fit the problem, but last I heard it would be fixed at some point in the future. Every time we get a call regarding new software (1.2.1, 1.3) I make sure I ask them that the trust based licensing continues. We're OK as long as trust based licensing continues, but it's scruffy and hard to explain to customers why it shows 3 times as many advanced users as they already have. And then on occasions you see their eyes light up when they realise they can run 3000 advanced and Cisco will be none the wiser, or alternatively that they could have got away with a 100 user license and you've just cost them a 5000 user license that nobody can tell if they are using or not.

  • ISE 1.2 Profiling - User Agent attribute incorrect

    Hi all,
    Just troubleshooting some profiling issues and have found that multiple devices are profiling incorrectly eg MAC OSX profiling as Apple-Device. Basically the issue is the user-agent string profiled by ISE is incorrect meaning that only the OUI is matched. During the BYOD onboarding process, non Internet Browser, applications and services (games and OCSP Daemons etc) are presenting their specific user-agent strings eg "OCSPD\1.0.2" to ISE resulting in incorrect profiling.
    Does anybody have any suggestions on how to resolve this issue, as it is resulting in about 50% of devices being profiled at the "top level", i.e. Apple-Device or Windows Workstation (anything based on User-Agent)? Can anyone explain whether the profiler works on the basis of first agent received or last agent received, and why it doesn't hold onto a list of presented agents to make a decision? In my mind this is a pretty big issue in that some of the more popular device profiling policies are based on a user-agent string, thus potentially preventing you from defining tight Authz policies, e.g. iPad only, etc.

    "Unless you have suppression configured, ISE will continue to collect profiling data and will re-profile a device as long as a rule with higher certainty factor is hit. However, if the certainty factor is the same the device will remain at its originally profiled group."
    The suppression feature will not affect the re-profiling of a device.  The suppression only affects the logging on the MnT node.  Since the Profiling is a PSN function, the suppression has no effect on the outcome of a profiling event.
    You are correct in that a rule with a higher certainty factor "wins" and this is the profile that is chosen.  Again, an understanding of how profiles work is not the issue here.  
    For example, say only the RADIUS and HTTP probes are being utilized for an endpoint.  There are two endpoints: one is an iPad and the other an iPhone.  The endpoint attributes that are known about the device are the MAC OUI and the useragent.
    Based on the default profiling rules there are two three things that need to be identified either an iPhone or an iPad.  The first common item is that the MAC OUI is identified as apple.  This increases the certainty factor by 10.  The second is either the HTTP User agent containing either iPad/iPhone or the DHCP hostname containing either iPad/iPhone.  Both of those conditions would increase the certainty factor by 20 for a total of 30.  Since DHCP is not being used in this example we can remove that for a possibility and say that for an iPhone to be profiled as an iPhone it must both have a MAC OUI of apple and the useragent must contain iPhone.  Same goes for iPad, but iPad in the useragent. 
    Like smcbridebpc stated, every application that uses HTTP will have a useragent string.  The profiler rules assume that the useragent that is being used contains either the word iPhone or iPad to distinguish these types of devices.  If an application on the device sends a useragent string such as "OCSPD\1.0.2", which is obviously the OCSP Daemon, this useragent string is "stuck" on the endpoint and no other usable useragents can be used to profile the device.  Therefore a race condition exists, and the application that wins determines whether the profiler will be accurate or not.
    The only two solutions that I can think of would be to have a useragent filter that would allow you to manually filter out useragents like "OCSPD\1.0.2" (or the ISE developers could filter known unusable user agents out on the backend) OR every time a new useragent is presented to the profiler for a device the useragent is joined to a list of useragents.
    If the useragent was overwritten every time a new useragent was presented, then it would cause the device to be reclassified every time the different applications presented useragents, which would not be good.
    It does look like a bug may have been filed and marked as fixed in release pending, but the bug notes do not list enough information to identify if this is the same issue that we are seeing.
    https://tools.cisco.com/bugsearch/bug/CSCuj45373
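The certainty-factor arithmetic and the User-Agent race described in the reply above, as an added example: a simplified model written for this page, not Cisco ISE code and not from the poster. The flat policy layout, the minimum-CF values, the condition names and the sample browser User-Agent are assumptions; only the +10 and +20 weights and the "OCSPD\1.0.2" string come from the thread.

```python
"""Simplified model of certainty-factor (CF) profiling. Not Cisco ISE code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    name: str        # hypothetical condition name
    attribute: str   # endpoint attribute the condition inspects
    needle: str      # case-insensitive "contains" match
    cf: int          # certainty factor added when the condition matches


@dataclass(frozen=True)
class Policy:
    name: str
    min_cf: int      # total CF required before the policy applies (assumed)
    conditions: tuple


OUI_APPLE = Condition("oui-apple", "OUI", "Apple", 10)
POLICIES = (
    Policy("Apple-Device", 10, (OUI_APPLE,)),
    Policy("Apple-iPhone", 30,
           (OUI_APPLE, Condition("ua-iphone", "User-Agent", "iPhone", 20))),
    Policy("Apple-iPad", 30,
           (OUI_APPLE, Condition("ua-ipad", "User-Agent", "iPad", 20))),
)

# Sample inputs. The OCSPD string is quoted in the thread; the browser
# User-Agent is constructed for this example.
OCSPD_UA = "OCSPD\\1.0.2"
SAFARI_IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) "
                    "AppleWebKit/537.51.1")


class Endpoint:
    """Attribute store with the User-Agent strategies discussed in the post.

    mode="sticky": the first User-Agent seen is kept (the reported behaviour).
    mode="list":   every distinct User-Agent is kept (second proposed fix).
    ignore_prefixes: User-Agents to drop on arrival (first proposed fix).
    """

    def __init__(self, oui, mode="sticky", ignore_prefixes=()):
        self.attrs = {"OUI": [oui], "User-Agent": []}
        self.mode = mode
        self.ignore_prefixes = tuple(ignore_prefixes)

    def observe_user_agent(self, ua):
        if ua.startswith(self.ignore_prefixes):
            return                      # filtered out before it can stick
        seen = self.attrs["User-Agent"]
        if self.mode == "sticky" and seen:
            return                      # an earlier User-Agent already won
        if ua not in seen:
            seen.append(ua)


def evaluate(policy, attrs):
    """Return (total CF, names of matched conditions) for one policy."""
    matched = [c for c in policy.conditions
               if any(c.needle.lower() in v.lower()
                      for v in attrs.get(c.attribute, []))]
    return sum(c.cf for c in matched), [c.name for c in matched]


def profile(attrs):
    """Pick the eligible policy with the highest total CF; ties keep the first."""
    best = ("Unknown", 0, [])
    for policy in POLICIES:
        total, names = evaluate(policy, attrs)
        if total >= policy.min_cf and total > best[1]:
            best = (policy.name, total, names)
    return best


def profile_after(user_agents, oui="Apple, Inc.", mode="sticky",
                  ignore_prefixes=()):
    """Feed User-Agents in arrival order, then profile the endpoint."""
    endpoint = Endpoint(oui, mode, ignore_prefixes)
    for ua in user_agents:
        endpoint.observe_user_agent(ua)
    return profile(endpoint.attrs)


if __name__ == "__main__":
    order = [OCSPD_UA, SAFARI_IPHONE_UA]   # the daemon wins the race
    print("sticky  :", profile_after(order))
    print("list    :", profile_after(order, mode="list"))
    print("filtered:", profile_after(order, ignore_prefixes=("OCSPD",)))
```

The matched-condition names returned with each result show which rule contributed to the total, which is the breakdown that is hard to read from the endpoint's single Total Certainty Factor value.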

  • ISE won't match configured profiling policy

    I'm trying to match Cisco LAPs (any kind of) using profiling in my AuthZ policies, yet the specific AP (a 1252 model) always gets profiled as 'Cisco-Aironet-AP-1250' instead of the desired, more generic 'Cisco-AIR-LAP' policy. To change this behaviour, I've tried to work with a simple match ('LLDP:lldpSystemDescription CONTAINS K9W8') and give this policy a high certainty factor of 150, yet it doesn't work.
    How can I force any kind of LAP (that must not contain any autonomous AP) to get profiled in a generic LAP policy which I can use in an AuthZ policy?
    I'm using ISE 1.2, patch 6.
    Thanks, Toni

    Hi, thanks for your reply. That's almost a winner...meanwhile, I escalated this to TAC. Basically, attribute value "cisco AIR-LAP" would do, but there's a bug that needs to be considered with ISE 1.2, patch 6:
    https://tools.cisco.com/bugsearch/bug/CSCuo78457

  • IOS Device-Sensor and ISE profiling not working

    Hello,
    I configured IOS device-sensor on one 2960CG-8-TCL switch. IOS is 15.2(2)E.
    Switchconfig:
    device-sensor filter-list dhcp list dhcp-list
     option name host-name
    device-sensor filter-spec dhcp include list dhcp-list
    device-sensor accounting
    device-sensor notify all-changes
    Switch does DHCP-Snooping and "show device-sensor cache all" shows the DHCP name:
    Device: b2b5.2fff.sa43 on port GigabitEthernet0/1
    Proto Type:Name                       Len Value
    DHCP    12:host-name                   17 0C 0F 11 31 22 41 50 43 33 31 32 30 30 30 37 38
                                              38
    RADIUS probe on ISE is activated and TCPdump shows the accounting packets from the switch (see attachment).
    I configured a profiling rule to check for DHCP-Hostname with "contains". This rule does not work however. The device is getting profiled with a MAC-OUI via RADIUS-probe but the DHCP-Profile is not working.
    Is this supposed to work?

    That is interesting. I haven't worked with the "Device Sensor" much so I am running out of ideas. I really thought the certainty level was going to fix your issue, as I have had issues similar to yours in the past where the certainty level of my custom rule was the same as a default one, so my custom rule was never hit. I thought this was the case with you since your device was hitting the parent policy of "HP-Device" but not moving any further. With that being said, I would still recommend keeping your custom conditions with higher certainty levels to avoid such situations.
    Couple of more things:
    1. What profiling probes do you have enabled?
    2. Have you tried retrieving the DHCP hostname via another sensor/method. For example, via the DHCP probe and ip-helper?
    3. Do you have the following commands entered on your switch:
    access-session template monitor
    no macro auto monitor
    device-sensor accounting
    device-sensor notify all-changes

  • Exceeding ISE license counts - performance consequences?

    Hello,
    I have a customer that is running a 2-node ISE deployment and is licensed for 250 Base and 250 Adv. users.
    We have moved the wired users over in one of their offices into Monitor Mode only, and the Base/Adv. Active license counts have exceeded both these values.
    Long-term, what is the operational impact?
    I understand from Chapter 7 of the ISE User Guide that "To avoid service disruption, Cisco ISE continues to provide services to endpoints that exceed license entitlement. Cisco ISE instead relies on RADIUS accounting functions to track concurrent endpoints on the network and generate alarms when endpoint counts exceed the licensed amounts"
    My question is, aside from a scenario where TAC is engaged and they see the license count exceeded, what is the operational and functional impact of exceeding the license count?  I know that ISE continues to process authentications, because the 251st client is not refused access.
    I've read the Order Guide and the User Guide and the Hardware Guide, and no actual impact is mentioned.
    thanks in advance,
    Andrew

    I had a similar question. I asked how does ISE calculate users. In the wlc I would see 10k radius clients but ISE would show half that number. This is what I was told:
    Unfortunately there is no documentation on it. The active endpoints are calculated from the active sessions seen on the primary monitoring node session database, meaning active client sessions seen by PSNs and reported to the primary monitoring node. As to the rules that qualify an endpoint as active, there isn't really even any internal documentation on that. The effective behavior seen indicates that this is calculated by endpoints who authenticate and continue to re-authenticate/periodically trigger accounting updates from NADs. Hopefully this helps!
    Tac case # 627456397
    Sent from Cisco Technical Support iPad App

  • RADIUS Probe on WLC for ISE

    I am doing a Proof-of-Concept for wireless, and I'm getting the infamous "Unknown" endpoint for a device that should be getting profiled as a Windows-Workstation based on the info that I received from the Identity-Endpoints section.  My question is whether it is possible to pull out the information from the attribute list of the endpoint (such as tcp port 135) to use as a profile?
    Here are the attributes:
    Endpoint
    * MAC Address 
    * Policy Assignment      
    Static Assignment        
    * Identity Group Assignment      
    Static Group Assignment           
    Attribute List
    135-tcp msrpc
    139-tcp netbios-ssn
    3389-tcp            ms-term-serv
    445-tcp microsoft-ds
    ADDomain         truncated
    AcsSessionID    ise-poc/133205055/184
    Airespace-Wlan-Id          10
    AuthState          Authenticated
    AuthenticationIdentityStore         AD1
    AuthenticationMethod     MSCHAPV2
    AuthorizationPolicyMatchedRule truncated
    CPMSessionID  0a64001d00000005502568b6
    Called-Station-ID            64-d9-89-43-09-70:NACTEST1
    Calling-Station-ID           18-3d-a2-92-0a-ec
    DestinationIPAddress    
    DestinationPort  1812
    Device IP Address         
    Device Type       Device Type#All Device Types#WLCs
    DeviceRegistrationStatus            notRegistered
    EapAuthentication          EAP-MSCHAPv2
    EapTunnel         PEAP
    EndPointMACAddress    18-3D-A2-92-0A-EC
    EndPointMatchedProfile Unknown
    EndPointPolicy  Unknown
    EndPointProfilerServer    ise-poc
    EndPointSource RADIUS Probe
    ExternalGroups  ad.tdfadfa.org/departments/is/groups/sms-remote\,truncated
    FQDN   lc20-isnetwrk03.ad.xxxxxx.orgg.
    Framed-IP-Address       
    IdentityAccessRestricted            false
    IdentityGroup     Unknown
    IdentityPolicyMatchedRule          Default
    LastNmapScanTime       2012-Aug-10 16:30:41 CDT
    Location            Location#All Locations#
    MACAddress     18:3D:A2:92:0A:EC
    MatchedPolicy   Unknown
    MessageCode   5200
    Model Name      Unknown
    NAS-IP-Address            truncated
    NAS-Identifier    truncated
    NAS-Port          13
    NAS-Port-Type  Wireless - IEEE 802.11
    NetworkDeviceGroups    Device Type#All Device Types#WLCs, Location#All Locations#truncated
    NetworkDeviceName      WLC09
    NmapScanCount            2
    OUI       Intel Corporate
    PolicyVersion    4
    PostureAssessmentStatus         NotApplicable
    RequestLatency 54
    Response          {User-Name=foo\\webb; State=ReauthSession:0a64001d00000005502568b6; Class=CACS:0a64001d00000005502568b6:-poc/133205055/184; Termination-Action=RADIUS-Request; MS-MPPE-Send-Key=9c:b0:32:f4:ec:35:91:8a:6a:fc:87:05:ba:6a:4a:3c:fd:7e:3a:bb:ff:dc:c6:cd:36:ed:14:63:3b:88:34:18; MS-MPPE-Recv-Key=16:62:80:7d:6f:1e:09:5f:24:ed:f5:5e:c5:af:7d:fb:ef:95:c4:12:f8:55:f8:52:da:dd:b0:7b:9f:69:04:ce; }
    SelectedAccessService  Default Network Access
    SelectedAuthenticationIdentityStores       AD1, Internal Users, Internal Endpoints
    SelectedAuthorizationProfiles      PermitAccess
    Service-Type      Framed
    Software Version            Unknown
    StaticAssignment          false
    StaticGroupAssignment  false
    Total Certainty Factor     0
    attribute-52        00:00:00:00
    attribute-53        00:00:00:00
    cisco-av-pair      audit-session-id=0a64001d00000005502568b6
    ip          truncated
    operating-system           Microsoft Windows XP SP2 or SP3

    James,
    That is possible but do you have the dhcp probe enabled and have you thought about setting up an ip helper statement or assigning the ISE node as one of the dhcp servers on the WLC?
    There is a built-in check such that if the dhcp class identifier contains MSFT, it will profile the endpoint as a windows workstation.
    However, if this is not the case then you can create the following condition under Policy Elements > Conditions > Profiling > New Profiler Condition: you will use the create (advanced...) then select NMAP > 135-tcp > then set the operator EQUAL to msrpc.
    Then go under the Microsoft-Workstation and select the option to create a matching identity group (it's much easier than using the hierarchy option) and set the certainty factor to 30. Then add this new condition and set the certainty to 30 also.
    Hope that helps,
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ISE: External RADIUS Server

    Hi,
    I would like to forward RADIUS from PSN to another PSN. I already defined "External RADIUS Servers".
    So, how can I use this external RADIUS server to process my request ?
    Looking at the user guide but didn't find any information about this setting (For rule based not simple rule)
    If anyone use this, please suggest this to me.
    Thanks,
    Pongsatorn

    Defining an External RADIUS Server
    The Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.
    The Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description or both.
    To create an external RADIUS server, complete the following steps:
    Step 1 Choose Administration > Network Resources > External RADIUS Servers.
    The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.
    Step 2 Click Add to add an external RADIUS server.
    Step 3 Enter the values as described:
    •Name—(Required) Enter the name of the external RADIUS server.
    •Description—Enter a description of the external RADIUS server.
    •Host IP—(Required) Enter the IP address of the external RADIUS server.
    •Shared Secret—(Required) Enter the shared secret between Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.
    •Enable KeyWrap—This option increases RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.
    •Key Encryption Key—This key is used for session encryption (secrecy).
    •Message Authenticator Code Key—This key is used for keyed HMAC calculation over RADIUS messages.
    •Key Input Format—Specify the format you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.)
    –ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.
    –Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.
    •Authentication Port—(Required) Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.
    •Accounting Port—(Required) Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.
    •Server Timeout—(Required) Enter the number of seconds that the Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.
    •Connection Attempts—(Required) Enter the number of times that the Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.
    Step 4 Click Submit to save the external RADIUS server configuration.

  • ISE Probe attribute overlap

    I'm curious what is the logic in ISE 1.3 when more than one probe report different information for an endpoint. Say an endpoint with a MAC address got identified, and next it gets two different IP addresses for the same MAC from DHCP probe and maybe from SNMP CDP cache probe? Which one will it prefer? It appears that maybe it takes the last probe updated received regardless of the probe, is that correct?

    Profiling attributes are constantly collected and stored in the ISE database. One attribute is not preferred over the other. Instead, it is the profiling rules that decide how a device is profiled. More specifically, Profiling rules with higher Certainty Factor are preferred over the others. For instance, a device is profiled as a "Cisco Phone" with a CF=10. Later on, more attributes are collected, and now ISE has enough information to match a Profiling Rule for Cisco-IP-Phone-7945 with CF=30. As a result, the device will be profiled as a Cisco-IP-Phone-7945.
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE bandwidth advise

    I am facing a hard time regarding ISE latency and bandwidth. We have 2 DC and 2500 endpoints for basic AAA. Please advise on how to calculate ISE latency and bandwidth.

     you can download ISE bandwidth and latency calculator  here
    ATP Partner Resource Center
    http://www.ciscosecurityatp.com/login.asp?strReturn=/index.asp

  • Tax Calculation of free goods

    Hi
    We have a requirement where the client wants only VAT to be posted in GL accounts and not the price.For this I tried free goods condition type R100 with AltCBV 28.But the VAT value is also coming zero. I want the VAT to be calculated on Pricing condition and then give 100% discount.
    Apart from this I also tried to make pricing condition statistical and calculate VAT on it but then also system gives zero value for VAT.
    Also wondering if the scenario can be addressed with Free of Charge Delivery.

    Hi
    Normally in scenario where you are dealing with samples , there are cases you have to charge only TAXES / EXCISE part.
    Here my SUGGESTION is you can handle this through a simple sales order process, where you have to configure a new pricing procedure.
    1. Create a new document type to handle samples.
    2. Create a new pricing procedure where you can keep the basic price condition as Statistical and the rest all the same as what is there in your main pricing procedure. Just juggle with the TO-FROM to capture the TAX part in the total.
    3. Doc pricing procedure will help you to pick the new Pricing procedure
    4. Now Process this as a normal sales order
    5. This new document type will help you to have a proper reporting.
    The only constraint here is that the USER has to punch a fresh order separately for such a scenario. He cannot give a free good in the same sales order which is used as standard.
    The other way is you can configure a FREE GOOD Determination procedure as suggested, where you then need to have your single pricing procedure accommodating the same scenario.
    Thanks
    RB

  • Logical Profiles in ISE 1.2.1

    I'm having trouble understanding the Logical Profiles.
    What I understand from the user guide: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html#58510
    For those too lazy to read:
    You can use the logical profile in an authorization policy condition to help create an overall network access policy for a category of profiles. You can create a simple condition for authorization, which can be included in the authorization rule. The attribute-value pair that you can use in the authorization condition is the logical profile (attribute) and the name of the logical profile (value), which can be found in the EndPoints systems dictionary.
    So I thought that meant that I can group different Profiles (Apple iPhone, iPad, iPod) together into a logical group, e.g. "BYOD_Idevice", and use this logical profile in the Authorization.
    But I can't choose this freshly created Logical Group in the Authorization Condition. As a matter of fact, I can't choose this logical group ANYWHERE.
    Leaning back and thinking about it - it somehow makes sense. In the Authorization, you don't pick Profiles, you choose Identity endpoints. So what's the point of the logical profiles? I was hoping to clean/lean up my authorization rules with them. But what else would I use them for?
    Or is this a bug in ISE 1.2.1? Not sure if I should call TAC about this, or if I'm just not getting it :D
    Thanks a lot for your help!

    Nice username! :)
    So yes, you are correct, the logical profiles would allow you to group different type of dynamically profiled devices and then reference that profile in your authorization rules. However, you won't see those logical profiles under the "Identity Group Details" section. You will need to leave that field blank. Instead, you need to look in the "second" condition box: expression > Endpoint > LogicalProfile
    Hope this helps!
    Thank you for rating helpful posts!

  • IF statement in Calculated Field for Share point, doesnt calculate sum in my Excel Pivot table.

    Hi Everyone
    I used this in SP calculated column field.
    =IF([Shift Sched]="1pm to 10pm","0",IF([Shift Sched]="2pm to 11pm","1",IF([Shift Sched]="3pm to 12am","2",IF([Shift Sched]="4pm to 1am","3",IF([Shift Sched]="5pm to 2am","4",IF([Shift
    Sched]="6pm to 3am","5",IF([Shift Sched]="7pm to 4am","6",IF([Shift Sched]="8pm to 5am","7",IF([Shift Sched]="9pm to 6am","8",IF([Shift Sched]="10pm to 7am","8",IF([Shift
    Sched]="11pm to 8am","7",IF([Shift Sched]="12pm to 9am","6",IF([Shift Sched]="1am to 10am","5",IF([Shift Sched]="2am to 11am","4",IF([Shift Sched]="3am to 12pm","3",IF([Shift
    Sched]="4am to 1pm","2",IF([Shift Sched]="5am to 2pm","1",IF([Shift Sched]="6am to 3pm","0",IF([Shift Sched]="7am to 4pm","0",IF([Shift Sched]="8am to 5pm","0",IF([Shift
    Sched]="9am to 6pm","0",IF([Shift Sched]="10am to 7pm","0",IF([Shift Sched]="11am to 8pm","0",IF([Shift Sched]="12pm to 9pm","0"))))))))))))))))))))))))    
    It was able to work fine; however, my issue is that when I extract the information to Excel and use a pivot table, the table is not able to calculate the sum of the value for this field. Can you please help me with this? This is for an Attendance tracker for Night
    Differential pay for employees. They create a daily log of their shift schedule, and if I summarize this in a pivot, the value in the calculated field for this is not getting the sum.
    Thanks,
    Norman

