A company has deployed Cisco ISE for network access control. After a recent upgrade, the operations team notices that some users are being assigned incorrect authorization profiles. The ISE logs show that the users are being matched to the correct identity group, but the authorization result is different from expected. What is the most likely cause?
ISE uses first-match logic for authorization policies.
Why this answer
In Cisco ISE, authorization policies are evaluated in top-down order, and the first matching rule is applied. Even if users are correctly assigned to an identity group, a rule higher in the list that matches on other conditions (e.g., endpoint profile, device type, or time condition) is applied first, so the rule the team expected is never reached. This is the most likely cause when authentication and group assignment are correct but the authorization result is unexpected.
Exam trap
Cisco often tests the concept that authorization policies are evaluated in order of precedence, and candidates mistakenly focus on authentication or group assignment when the real issue is rule ordering in the authorization policy.
How to eliminate wrong answers
Option A is wrong because the passive identity feature (e.g., Active Directory passive identity) is used for identity mapping and does not override group assignments; it only provides identity context for authentication.
Option C is wrong because if the network device group assignment had changed, the device would likely fail authentication or be matched to a different policy set, not cause incorrect authorization profiles while still matching the correct identity group.
Option D is wrong because the question states that users are being matched to the correct identity group, which means the authentication policy is working correctly; a misconfigured authentication policy would place users in the wrong group, not result in correct group matching with wrong authorization.