Solved: That was also my guess, I

joergdillge · ‎03-04-2016

Hello,

maybe someone can help me with this:

I would like to assign a dacl from an attribute I get from the AD user object that is being authorized.

So for example, I configure "ACL-test" in ISE, the same name is assigned to an AD user.

Now I want to assign this ACL in an Authorization Profile with the value I get from the AD attribute.

Under Authorization Profiles, I cannot assign an AD attribute du the "DACL Name" in Common Tasks.

Does anyone have an idea how to do this with ISE 2.0?

Thanks,

Joerg

jan.nielsen · ‎03-04-2016

I doubt you can do that, you would have to use the AD attribute as a condition in the authz rules, and then match that with an authorization profile, that then contains your DACL setting. This of course means you will need one rule per different DACL you wan't to use.

View solution in original post

jan.nielsen · ‎03-04-2016

I doubt you can do that, you would have to use the AD attribute as a condition in the authz rules, and then match that with an authorization profile, that then contains your DACL setting. This of course means you will need one rule per different DACL you wan't to use.

joergdillge · ‎03-07-2016

That was also my guess, I hoped there will be some way around this.

For now, I will configure the ACLs on the ASA and assign them via Radius:Filter-ID = "AD-Attribute of choice" in the authorization profile.

ISE 2.0 - DACL assignment from Active Directory