topic Re: 'dacl' option not showing in authorization profile in Network Access Control

'dacl' option not showing in authorization profile

ping2balaji — Mon, 21 Feb 2022 14:33:38 GMT

Hi Experts,

I am trying to configure downloadable-acl (or dynamic-acl dacl) under authorization profile.

Under 'authorization->downloadable acls' i have created a dacl with 'permit ip any any' in the name of 'dacl1'.

Then under 'policy -> results -> authorization -> authorization profiles' im trying to create authorization-profile but i am not able to see 'dacl' option under 'common tasks' as described in admin guides of cisco ise.

Its only 'ACL' option im seeing under 'common tasks' instead.

Am i missing some configuration/steps on why im not getting option to set dacl under authz profile?

Please clarify.

Thanks,

...Balaji.J

Re: 'dacl' option not showing in authorization profile

Karsten Iwen — Mon, 21 Feb 2022 15:12:38 GMT

Can you share a screenshot? It should be there as the first option:

Re: 'dacl' option not showing in authorization profile

ping2balaji — Mon, 21 Feb 2022 16:52:53 GMT

Thanks for the response @Karsten Iwen .

Attached the screenshot of authz profile for your reference.

I am using cisco ise-eval edition R3.1. Does that makes any difference like evaluation version does not support dacl or something?

Also i have tried applying dacl as shown below as a workaround for my test purpose:

"Navigate to Administration > Identity Management > Identities > Users > Add. Create a user and configure the custom attribute value with the name of the dACL that the user needs to get when authorized"

The new user i have created got authN success with Access-Accept message but it does not contain this custom-attribute dacl AVP in that msg. Any input here as well will help.

Thanks,

...Balaji.J

Re: 'dacl' option not showing in authorization profile

Mike.Cifelli — Mon, 21 Feb 2022 17:00:37 GMT

What version of ISE? It seems buggy, are you working with TAC? Have you tried other browsers?

Re: 'dacl' option not showing in authorization profile

Karsten Iwen — Mon, 21 Feb 2022 17:01:41 GMT

Your chosen "Network Device Profile" does not support DACLs. What kind of devices are you using? Do they support DACLs?

Re: 'dacl' option not showing in authorization profile

ping2balaji — Mon, 21 Feb 2022 17:51:10 GMT

Yes @Karsten Iwen , the network device profile which i have chosen is our custom profile pointing to our x86-based nas-server with radius-client in it and we are planning to use dacl in our own way. Is it like cisco-ise will send dacl only to known/predefined set of network-devices-profiles like HP/Aruba/Cisco/Ruckus ??

Update:

i have tried changing network-device-profile to Cisco, then i could see "DACL name" option under 'common tasks' in authz profile creation. Attached here the screenshot for reference. When i change the network-device-profile to anything other than Cisco , then the dacl option vanishes. Does this mean this dacl feature will work only for cisco devices? If i want to make dacl work for devices other than Cisco, is there some configuration i need to enable while creating new device-profile/device-group or adding device itself?

Re: 'dacl' option not showing in authorization profile

ping2balaji — Mon, 21 Feb 2022 17:31:50 GMT

Hi @Mike.Cifelli ,

I am using R3.1.0.518 Cisco-Evaluation version. Is there any limitation in eval?

Can you please clarify?

I am using chrome and also tried in ms-edge. Both places same issue.

Thanks,

...Balaji.J

Re: 'dacl' option not showing in authorization profile

tjezer — Mon, 21 Feb 2022 20:43:22 GMT

Hi @ping2balaji!

I hope you are doing well!

I think "vendor" attributes are not customizable, but maybe you can use
your custom profile with vendor "Cisco" and customize RADIUS Dictionaries
like you wish. Is it not enough for your purposes?

Regards,

Re: 'dacl' option not showing in authorization profile

ping2balaji — Tue, 22 Feb 2022 01:51:47 GMT

Hi @tjezer , so is it right to assume dacl feature is only for cisco network devices and does not work with any other vendor devices?

Re: 'dacl' option not showing in authorization profile

Karsten Iwen — Tue, 22 Feb 2022 09:26:12 GMT

It's not that it is only Cisco, but it is not a standard-feature. A vendor has to build its devices to support DACLs. Look at your vendor documentation if they do and if yes, you need to build your own Network device profile to "tell" the ISE how the vendor implements it.

Re: 'dacl' option not showing in authorization profile

ping2balaji — Wed, 23 Feb 2022 17:47:59 GMT

Thanks @Karsten Iwen for the clarification.

my vendor support ACLs and they have to be in specific syntax/format. so im writing a intermediate layer which can convert DACLs from cisco ISE during authentication to the ACL format the vendor device understand.

Another intention here to not disturb the existing DACLs configured in cisco acls as we are looking for brownfield deployment with smooth integration into existing network architecture.

So suppose if doctors identityGroup user is connecting through Cisco device then DACLs get downloaded and it will work straightforward. But if the same user(doctor) is connecting through my vendor device, we thought it can still get the DACLs from cisco ISE which are already available and convert into my vendor device format.

As i understand from your reply above is not possible. is that correct?

So i might have to define a new custom AVP in vendor dictionary and define how to encode acls using 5 tuple there so that my vendor device understands. Then create a Network Device Profile using this dictionary to make it work. Is this assumption correct? If yes, we felt the integration won't be smooth as our customer need to define another set of acls for same user in cisco ise for this work. But idea is to leverage DACL feature in cisco ISE for non-cisco vendor. Any suggestion here @Karsten Iwen please?

Thanks,

...Balaji.J

Re: 'dacl' option not showing in authorization profile

thomas — Mon, 07 Mar 2022 04:23:23 GMT

ISE 3.1 is the latest version and you have the full capabilites for 90-days free trial/evaluation after every installation.

Downloadable ACLs are a Cisco-specific feature.

For all other vendors/products (and some Cisco products!) you typically send an Access Control List Name to the network device which already has the ACL preconfigured and ready for assignment when it receives the name from ISE.

Even some Cisco devices do this with Airespace ACL Name or ACL (Filter-ID) .

RADIUS:Filter-ID is the standard way to send an ACL Name.

See > RADIUS or RFC2865

Filter-ID

text

Authentication

The name of the filter list for this user. Zero or more Filter-Id attributes MAY be sent in an Access-Accept packet.
Identifying a filter list by name allows the filter to be used on different NASes without regard to filter-list implementation details.

Or there is always