Are Dynamic Access Policies (DAP) on the ASA a moot point when using ISE?

mitchell helton
Level 1

Hey guys!

Wasn't sure if this belonged in the ISE or Firewall forums... anyway...

As the subject says, do DAPs even matter if ISE is the AAA server?  I currently have a handful of DAPs and got to thinking - since ISE is in charge of authc/authz now, do I even need any DAPs?  I'm only using them to push down ACLs and verify group membership via LDAP attribute maps.  Wondering if I can just remove them all and edit the default policy to "continue" (as opposed to "terminate").  Am I missing something?

Thoughts?

 

Thanks!!

mitch

Accepted Solutions

paul
Level 10

You aren't missing anything.  I always have customers strip out all the DAPs when I implement ISE and we control everything from ISE.  Using ISE allows for central control of policies instead of having to manage DAPs on the ASAs.

Perfect!  Thank you Paul!