Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3829
Views
5
Helpful
4
Replies

Dymanic Filter-ID in ISE

Go to solution
Jozef Cmorej
Level 1
Level 1

‎04-03-2018 03:46 AM - edited ‎02-21-2020 10:52 AM

Hello community,

I would like to ask you if it's possible to use a dynamic Filter-ID attribute in ISE. Our customer is applying different access control for VPN users using a custom attribute called Filter-ID on ACS 5.8. Using this attribute it is possible to use only one authorization profile and assign specific per user ACL configured on the firewalls.

aaa.jpg

Does ISE support this functionality?

 

As far as i know, it is possible to configure ISE to deploy per User dACL present in either the internal identity store or an external identity store. 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212419-configure-per-user-dynamic-access-contro.html

 

What if firewalls do not support dACL functionality? Which option could we use to follow the same functionality on ISE without need of creating a bunch of new authorization profiles?

 

Thank you.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jan.nielsen
Level 7
Level 7
In response to Jozef Cmorej

‎04-04-2018 12:27 PM

Correct, the built in common task "filter-id" option in ISE, can't be used with anything other than static text. But you should be able to use for example an internal user attribute or AD user attribute as the source for the content, if you add the av-pair manually. Just add filter-id attribute under the advanced attribute settings of the authz profile, in the example i added a custom attribute to internal users, but any string type attribute should do. Jan

View solution in original post

Preview file
24 KB
4 Replies 4

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎04-03-2018 09:20 PM

Its a pre-defined attribute in ISE and can be assigned using authorization
profiles.
0 Helpful

Go to solution
Jozef Cmorej
Level 1
Level 1
In response to Mohammed al Baqari

‎04-03-2018 09:29 PM

Thanks for you reply.
As far as I know you can assign this attribute as a result of the authorization profile only as a static value, not dynamically using a local or AD user's custom attribute, right?
0 Helpful

Go to solution
jan.nielsen
Level 7
Level 7
In response to Jozef Cmorej

‎04-04-2018 12:27 PM

Correct, the built in common task "filter-id" option in ISE, can't be used with anything other than static text. But you should be able to use for example an internal user attribute or AD user attribute as the source for the content, if you add the av-pair manually. Just add filter-id attribute under the advanced attribute settings of the authz profile, in the example i added a custom attribute to internal users, but any string type attribute should do. Jan
Preview file
24 KB

Go to solution
Jozef Cmorej
Level 1
Level 1
In response to jan.nielsen

‎04-04-2018 01:01 PM

Thanks Jan, that's exactly what I was looking for.
0 Helpful
Customers Also Viewed These Support Documents