'dacl' option not showing in authorization profile

ping2balaji
Level 1

Hi Experts,

I am trying to configure downloadable-acl (or dynamic-acl dacl) under authorization profile.

Under 'authorization->downloadable acls' I have created a dacl with 'permit ip any any' in the name of 'dacl1'.

Then under 'policy -> results -> authorization -> authorization profiles' I'm trying to create an authorization-profile, but I am not able to see the 'dacl' option under 'common tasks' as described in the admin guides of Cisco ISE.

It's only the 'ACL' option I'm seeing under 'common tasks' instead.

Am I missing some configuration/steps? Why am I not getting the option to set dacl under the authz profile?

Please clarify.

Thanks,

...Balaji.J

Accepted Solution

thomas
Cisco Employee

ISE 3.1 is the latest version and you have the full capabilities for a 90-day free trial/evaluation after every installation.

Downloadable ACLs are a Cisco-specific feature.

For all other vendors/products (and some Cisco products!) you typically send an Access Control List Name to the network device, which already has the ACL preconfigured and ready for assignment when it receives the name from ISE.

Even some Cisco devices do this with Airespace ACL Name or ACL (Filter-ID).

RADIUS:Filter-ID is the standard way to send an ACL Name.

See ISE RADIUS Network Access Attributes > RADIUS or RFC 2865:

Filter-ID (attribute 11, type text, Authentication): The name of the filter list for this user. Zero or more Filter-Id attributes MAY be sent in an Access-Accept packet. Identifying a filter list by name allows the filter to be used on different NASes without regard to filter-list implementation details.

Or there is always

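As an added illustration of the Filter-Id attribute thomas points to (this is not code from the thread, from Cisco ISE or from RFC 2865 itself), the following Python builds a RADIUS Access-Accept carrying one Filter-Id (type 11) TLV per ACL name and parses it the way a NAS would, checking the RFC 2865 Response Authenticator before accepting any name; the shared secret, identifier and ACL names are constructed values.

```python
"""Constructed example: RADIUS Access-Accept carrying Filter-Id (attribute 11) TLVs.
Server side builds the reply; NAS side verifies the RFC 2865 Response Authenticator
before trusting any attribute. Secret, identifier and ACL names are made up."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS Code for Access-Accept (RFC 2865 section 4.2)
FILTER_ID = 11     # Filter-Id attribute: type 11, value is text (RFC 2865 section 5.11)


def encode_attr(attr_type, value):
    # Attribute TLV: Type (1 byte), Length (1 byte, includes this 2-byte header), Value.
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes; send it as several TLVs")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier, request_authenticator, secret, filter_ids):
    # Zero or more Filter-Id attributes may be present: one TLV per ACL name.
    attrs = b"".join(encode_attr(FILTER_ID, n.encode("utf-8")) for n in filter_ids)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_access_accept(packet, request_authenticator, secret):
    # NAS side: check framing and the Response Authenticator, then walk the TLVs.
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS Length field")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: drop the reply")
    filter_ids, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("malformed attribute length")
        if attr_type == FILTER_ID:
            filter_ids.append(attrs[pos + 2:pos + attr_len].decode("utf-8"))
        pos += attr_len
    return code, identifier, filter_ids
```

The NAS then looks each returned name up in its locally preconfigured filter lists, which is exactly why the ACL body never has to cross the wire with this attribute.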

11 Replies

Can you share a screenshot? It should be there as the first option:

Thanks for the response @Karsten Iwen.

Attached the screenshot of the authz profile for your reference.

I am using Cisco ISE-eval edition R3.1. Does that make any difference, like the evaluation version does not support dacl or something?

Also I have tried applying dacl as shown below as a workaround for my test purpose:

"Navigate to Administration > Identity Management > Identities > Users > Add. Create a user and configure the custom attribute value with the name of the dACL that the user needs to get when authorized"

The new user I have created got authN success with an Access-Accept message, but it does not contain this custom-attribute dacl AVP in that message. Any input here as well will help.

Thanks,

...Balaji.J

Your chosen "Network Device Profile" does not support DACLs. What kind of devices are you using? Do they support DACLs?

Yes @Karsten Iwen, the network device profile which I have chosen is our custom profile pointing to our x86-based NAS server with a RADIUS client in it, and we are planning to use dacl in our own way. Is it like Cisco ISE will send dacl only to a known/predefined set of network device profiles like HP/Aruba/Cisco/Ruckus?

Update:

I have tried changing the network-device-profile to Cisco, then I could see the "DACL name" option under 'common tasks' in authz profile creation. Attached here the screenshot for reference. When I change the network-device-profile to anything other than Cisco, then the dacl option vanishes. Does this mean this dacl feature will work only for Cisco devices? If I want to make dacl work for devices other than Cisco, is there some configuration I need to enable while creating a new device-profile/device-group or adding the device itself?

 

Hi @ping2balaji!

I hope you are doing well!

I think "vendor" attributes are not customizable, but maybe you can use your custom profile with vendor "Cisco" and customize RADIUS Dictionaries like you wish. Is it not enough for your purposes?

Regards,

Hi @tjezer, so is it right to assume the dacl feature is only for Cisco network devices and does not work with any other vendor devices?

It's not that it is only Cisco, but it is not a standard feature. A vendor has to build its devices to support DACLs. Look at your vendor documentation to see if they do, and if yes, you need to build your own Network Device Profile to "tell" ISE how the vendor implements it.

Thanks @Karsten Iwen for the clarification.

My vendor supports ACLs and they have to be in a specific syntax/format, so I'm writing an intermediate layer which can convert DACLs from Cisco ISE during authentication to the ACL format the vendor device understands.

Another intention here is to not disturb the existing DACLs configured in Cisco ACLs, as we are looking for a brownfield deployment with smooth integration into the existing network architecture.

So suppose a doctors identityGroup user is connecting through a Cisco device; then DACLs get downloaded and it will work straightforwardly. But if the same user (doctor) is connecting through my vendor device, we thought it can still get the DACLs from Cisco ISE which are already available and convert them into my vendor device format.

As I understand from your reply above, this is not possible. Is that correct?

So I might have to define a new custom AVP in the vendor dictionary and define how to encode ACLs using a 5-tuple there so that my vendor device understands. Then create a Network Device Profile using this dictionary to make it work. Is this assumption correct? If yes, we felt the integration won't be smooth as our customer needs to define another set of ACLs for the same user in Cisco ISE for this to work. But the idea is to leverage the DACL feature in Cisco ISE for a non-Cisco vendor. Any suggestion here @Karsten Iwen please?

Thanks,

...Balaji.J

Mike.Cifelli
VIP Alumni

What version of ISE? It seems buggy, are you working with TAC? Have you tried other browsers?

Hi @Mike.Cifelli,

I am using R3.1.0.518 Cisco-Evaluation version. Is there any limitation in eval?

Can you please clarify?

I am using Chrome and also tried in MS Edge. Same issue in both places.

Thanks,

...Balaji.J
