https://community.cisco.com/t5/network-access-control/flows-between-an-asa-and-an-ise-with-dacl/m-p/3856541#M473150 <P>Thanks both of you, seems we can't indeed.&nbsp;</P> Wed, 15 May 2019 07:53:06 GMT Jeremy Dubrulle 2019-05-15T07:53:06Z https://community.cisco.com/t5/network-access-control/flows-between-an-asa-and-an-ise-with-dacl/m-p/3855227#M473144 <P>Hello,</P><P>&nbsp;</P><P>We are using ASA with Anyconnect VPN clients. The ASA asks the ISE to auth the user and the ISE checks the user with the Domain Controller. Once authentified, the ISE pushes downloadable ACL depending on the user. These ACL are then used by the ASA to restrict the rights of the user.</P><P>I'm not sure of how it works, I mean the exchange since the beginning until the ACL on the ASA, I don't know this thing. But I have to tell if we can replace the ASA by Fortigate and Forticlients. So I'm trying to understand how it works so that I can tell if the ISE can still pushes its ACL if it's a Fortigate instead of an ASA. Is it a thing we can only do if we have ASA with the ISE ?</P><P>&nbsp;</P><P>Can you help me, provide me documentation ?</P><P>&nbsp;</P><P>Thanks,</P> Mon, 13 May 2019 16:00:16 GMT https://community.cisco.com/t5/network-access-control/flows-between-an-asa-and-an-ise-with-dacl/m-p/3855227#M473144 Jeremy Dubrulle 2019-05-13T16:00:16Z https://community.cisco.com/t5/network-access-control/flows-between-an-asa-and-an-ise-with-dacl/m-p/3855372#M473147 <P>Please take a look at these:</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html" target="_blank">ASA Version 9.2.1 VPN Posture with ISE Configuration Example - Cisco</A></P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113449-asa-vpn-acs-00.html" target="_blank">ASA 8.3 and Later: Radius Authorization (ACS 5.x) for VPN Access Using Downloadable ACL with CLI and ASDM Configuration Example - Cisco</A></P> <P><A href="http://www.petenetlive.com/KB/Article/0001156" target="_blank">AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part&nbsp;1)</A></P> <P><A href="http://www.petenetlive.com/KB/Article/0001156" target="_blank">AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part 2)</A></P> Mon, 13 May 2019 19:09:23 GMT https://community.cisco.com/t5/network-access-control/flows-between-an-asa-and-an-ise-with-dacl/m-p/3855372#M473147 hslai 2019-05-13T19:09:23Z https://community.cisco.com/t5/network-access-control/flows-between-an-asa-and-an-ise-with-dacl/m-p/3855382#M473148 <P>I doubt the Fortigate will support dACLs.&nbsp; If you look at the details of the RADIUS live log record for your VPN traffic you can see the RADIUS Attribute/Value (AV) pairs passed between ISE and the ASA.&nbsp; The dACL is passed as AV pairs and needs to be supported by the network device.&nbsp; Only Cisco devices (and not all Cisco devices) support dACLs that I know of.</P> <P>&nbsp;</P> <P>I am guessing you can build ACLs on the Fortigate and assigning the user to a group on the Fortigate that limits their access, but I am not at Fortigate expert.</P> <P>&nbsp;</P> <P>This may help:</P> <P>&nbsp;</P> <P><A href="https://kb.fortinet.com/kb/viewContent.do?externalId=FD36919&amp;sliceId=1" target="_blank">https://kb.fortinet.com/kb/viewContent.do?externalId=FD36919&amp;sliceId=1</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 13 May 2019 19:15:43 GMT https://community.cisco.com/t5/network-access-control/flows-between-an-asa-and-an-ise-with-dacl/m-p/3855382#M473148 paul 2019-05-13T19:15:43Z https://community.cisco.com/t5/network-access-control/flows-between-an-asa-and-an-ise-with-dacl/m-p/3856541#M473150 <P>Thanks both of you, seems we can't indeed.&nbsp;</P> Wed, 15 May 2019 07:53:06 GMT https://community.cisco.com/t5/network-access-control/flows-between-an-asa-and-an-ise-with-dacl/m-p/3856541#M473150 Jeremy Dubrulle 2019-05-15T07:53:06Z