Cisco Support Community
New Member

ISE ACL merging?

Hello all,

I would like to ask you for some technology help.

The customer would like to create a policy model for remote-access services based on "roles". For example:

User1 is a member of GroupA in LDAP and is a member of GroupB as well.

Security GroupA specifies access to some resources (can be represented as an ACL, ACL-A); security GroupB is represented as another pool of resources (which can also be represented as an ACL, for example ACL-B).

The final state is that, if the VPN client connects, he will get authorization based on both ACL-A and ACL-B.

How can we dynamically provide "merging" of ACLs?

ACL merging can't be provided manually, because there can be more than 2 security groups and there are more VPN users, who can have various combinations of security group membership.

Thanks a lot for your help,

Regards,

Peter

4 REPLIES
New Member

Re: ISE ACL merging?

Hi

Did you find any solution?
Hall of Fame Super Silver

Re: ISE ACL merging?

You can only apply a single Authorization Result for a given Authorization Profile.

 

You could create separate custom results and have the profile check for the various combinations and permutations of groups to which a user belongs. That could quickly get out of hand though as there are potentially n*(n-1) of those.
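Added illustration, not part of the original thread and not an ISE feature: an offline Python sketch that builds one merged ACL per group combination that actually occurs among users, rather than per theoretical combination. The group names, users and ACL entries are constructed sample data, and `merge_acl` / `build_profiles` are hypothetical helper names.

```python
from collections import defaultdict

# Constructed sample data: group names and ACL entries are hypothetical.
GROUP_ACLS = {
    "GroupA": ["permit tcp any host 10.1.1.10 eq 443",
               "permit tcp any host 10.1.1.11 eq 22"],
    "GroupB": ["permit tcp any host 10.2.2.20 eq 3389",
               "permit tcp any host 10.1.1.10 eq 443"],
    "GroupC": ["permit udp any host 10.3.3.30 eq 53"],
}
USER_GROUPS = {
    "user1": ["GroupA", "GroupB"],
    "user2": ["GroupB"],
    "user3": ["GroupB", "GroupA"],    # same combination as user1
    "user4": ["GroupC", "Unmapped"],  # groups without an ACL are ignored
}

def merge_acl(groups, group_acls):
    """Union of the groups' entries, de-duplicated, in a stable order."""
    merged, seen = [], set()
    for group in sorted(groups):
        for ace in group_acls[group]:
            # A plain union is only order-independent for permit-only ACLs.
            if not ace.startswith("permit "):
                raise ValueError(f"{group}: non-permit entry needs review: {ace}")
            if ace not in seen:
                seen.add(ace)
                merged.append(ace)
    return merged

def build_profiles(user_groups, group_acls):
    """Return {combination: merged ACL} and {combination: users} for the
    group combinations that actually occur among the users."""
    profiles, members = {}, defaultdict(list)
    for user, groups in user_groups.items():
        combo = frozenset(g for g in groups if g in group_acls)
        members[combo].append(user)
        if combo not in profiles:
            profiles[combo] = merge_acl(combo, group_acls)
    return profiles, dict(members)

if __name__ == "__main__":
    profiles, members = build_profiles(USER_GROUPS, GROUP_ACLS)
    for combo, acl in profiles.items():
        print("+".join(sorted(combo)) or "(none)", members[combo])
        for ace in acl:
            print("   ", ace)
```

A user whose groups map to no ACL ends up with an empty merged list, which should be treated as no access rather than as unrestricted access.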

New Member

Re: ISE ACL merging?

Hi,

 

The main challenge I have is that I need to implement multi-match of AD groups. For example, user 1 belongs to groups A and B and user 2 to group B, and each gets access correspondingly. There will be a lot of users and combinations of access, so I can't define all the conditions. I can't see any option on ISE to do that.

Hall of Fame Super Silver

Re: ISE ACL merging?

I am wondering how they restrict access for those users when they are connected locally?
