Cisco ISE 2.3 Posture anyconnect and per-use ACL for compliant users

amsrus (Level 1)

Hello all.

I have one problem with my ISE 2.3. I have made a base configuration of ISE Posture for AnyConnect. I have three authorization profiles: Unknown_users, NON_Compliant_users and Compliant_users. If I see that the system scan is OK, then all compliant users get the dACL. My question is: how can I get a different dACL or ACL for each user or user group (for example an Active Directory group)?

Thank you very much in advance.

Accepted Solution

Hi,
That's relatively straightforward. You will need to ensure ISE is joined to the AD domain; once joined, import the groups you wish to use for authorisation (Administration > Identity Management > Active Directory > YOUR-AD-DOMAIN > Groups). Once these groups have been imported into ISE, go to the Policy Set, duplicate your Compliant Users policy and add a condition such as:
Session:PostureStatus EQUALS Compliant AND YOUR-AD-DOMAIN:ExternalGroups EQUALS Domain Users. Then add the correct permission to apply your dACL.

Duplicate again and change the ExternalGroups EQUALS to be another group; when the user is authorised it should hit the correct rule.

HTH
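As an added illustration (not from the original thread) of why rule order matters once you duplicate the Compliant Users rule per AD group, here is a small Python model of ISE's first-match authorization evaluation; the join point name corp.example, the group names and the dACL names are constructed placeholders, and group membership is modelled as a multi-valued attribute so that EQUALS matches any group the user belongs to.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    conditions: dict  # attribute -> required value; every condition must match
    result: str       # authorization profile (here: the dACL it pushes)

def matches(session, attr, required):
    """Multi-valued attributes (AD group membership) match on membership."""
    actual = session.get(attr)
    if isinstance(actual, (list, set, tuple)):
        return required in actual
    return actual == required

def evaluate(rules, session):
    """First-match evaluation, top to bottom, as ISE does within a policy set."""
    for rule in rules:
        if all(matches(session, a, v) for a, v in rule.conditions.items()):
            return rule.name, rule.result
    return "Default", "DenyAccess"

POSTURE = "Session:PostureStatus"
GROUPS = "corp.example:ExternalGroups"   # hypothetical AD join point name

# Group-specific rules must sit above the generic posture rules.
RULES = [
    Rule("Compliant_Finance",     {POSTURE: "Compliant",    GROUPS: "Finance"},     "dACL_Finance"),
    Rule("Compliant_Engineering", {POSTURE: "Compliant",    GROUPS: "Engineering"}, "dACL_Engineering"),
    Rule("NonCompliant_Finance",  {POSTURE: "NonCompliant", GROUPS: "Finance"},     "dACL_Remediate_Finance"),
    Rule("Unknown_Users",         {POSTURE: "Unknown"},                             "dACL_Posture_Redirect"),
    Rule("NonCompliant_Users",    {POSTURE: "NonCompliant"},                        "dACL_Remediate"),
    Rule("Compliant_Users",       {POSTURE: "Compliant"},                           "dACL_Compliant"),
]

# The pitfall: the original generic rule left above the duplicates shadows them,
# so every compliant user gets the generic dACL and the group rules never match.
MISORDERED = [RULES[-1]] + RULES[:-1]

if __name__ == "__main__":
    finance = {POSTURE: "Compliant", GROUPS: ["Domain Users", "Finance"]}
    print(evaluate(RULES, finance))       # ('Compliant_Finance', 'dACL_Finance')
    print(evaluate(MISORDERED, finance))  # ('Compliant_Users', 'dACL_Compliant')
```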


RJI, thank you very much. I did the same as you said. But I forgot that I needed to duplicate the other policies too (Non Compliant, Unknown) and add them to my domain groups. Now it is working well.
