topic Re: ISE ACL merging? in Network Security

ISE ACL merging?

peter-marcek — Fri, 21 Feb 2020 12:39:41 GMT

Hello all,

I would like ask you about some technology help ..

Customer would like create policy model for remote-access services based on „roles“. For example :

User1 is member of GroupA in LDAP and is member of GroupB as well.

Security GroupA specify access to some resources (can be represented as ACL, ACL-A), security GroupB is represented as other pool of resources (as well can be represented as ACL, for example ACL-B).

Final status is, if VPN client will connect, he will get authorization based on both ACL-A and ACL-B.

How can we dynamicaly provide „merging“ of ACLs ?

ACL merging can’t be provided manualy, because there can be more then 2 security groups and there are more VPN users, which can have various combination of security groups membership.

Thanks a lot for your help,

Regards,

Peter

Re: ISE ACL merging?

Darius — Tue, 05 Sep 2017 11:14:33 GMT

Hi

Did you found any solution ?

Re: ISE ACL merging?

Marvin Rhoads — Tue, 05 Sep 2017 17:55:30 GMT

You can only apply a single Authorization Result for a given Authorization Profile.

You could create separate custom results and have the profile check for the various combinations and permutations of groups to which a user belongs. That could quickly get out of hand though as there are potentially n*(n-1) of those.

Re: ISE ACL merging?

Darius — Wed, 06 Sep 2017 06:46:33 GMT

Hi,

Main challange I have that I need to implement multimatch of AD groups. Like user 1 belongs to A and B group and user 2 to B group and gets access correspondingly. There will be alot of users and conbinations of access, so I can't define all the conditions. I can't see any option on ISE to do that..

Re: ISE ACL merging?

Marvin Rhoads — Wed, 06 Sep 2017 13:48:39 GMT

I am wondering how do they restrict access for those users when they are connected locally?