topic Re: ISE - Multiple dACL in Network Access Control

ISE - Multiple dACL

mjrduarte — Tue, 25 Oct 2022 16:55:19 GMT

Hi,

I have a scenario where ISE controls VPN access from a ASA.
Each user belongs to a certain AD group, and I want to configure different Authorization Profiles based on membership.
Those profiles push dACL to the client.

My question is if it's possible for a client to receive more than one dACL.
I have several ACLs that are common to everyone (like DNS resolution, or AD authentication).
I tried to add more than one Profiles on the Authorization Profile in the Policy Set, but it seems that only one gets pushed.

Thanks in advance for any help.

Re: ISE - Multiple dACL

Rob Ingram — Tue, 25 Oct 2022 17:04:44 GMT

@mjrduarte only one DACL would be applied to a session. You'd have to create additional DACLs that combine all the rules that you want to apply.

Re: ISE - Multiple dACL

Karsten Iwen — Tue, 25 Oct 2022 17:05:44 GMT

I never tested it but I am pretty sure that this is the expected behaviour. You need to build "complete" ACLs for each context.

Re: ISE - Multiple dACL

mjrduarte — Tue, 25 Oct 2022 17:12:28 GMT

That's... A lot of work...
Thank you for your help.