Remote Access VPN with dACL tied to internal users... with CoA

hnohre · ‎10-13-2017

Customer has migrated from older versions of ACS, and has a number of dACLs defined (600).

These dACLs are tied to internal user database per user (3000 users sharing the 600 dACLs).

They then migrated to ISE - ok.

Now they want to add posture for RA VPN. It worked for normal AAA..

But when they tried to add posture it breaks, because the CoA seems not not work applying dACLs via ACLs

tied to the internal user database.

TAC says this not supported.

I am looking for creative workarounds, to still be able to leverage the configuration of 600 dACLs tied to useres

in the internal ISE database.

hslai · ‎10-13-2017

CSCuz97727 is an enhancement on this area and addressed in ISE 2.0 Patch 4, 2.1 Patch 1 and 2, and 2.2 on-wards. Please check whether your customer deployment is in one of the releases and patch levels with this enhancement.

Hmm. is this only not working after CoA? CoA-push for posture use case?

hnohre · ‎10-13-2017

Hi Hsing

This is the same thing - but only almost.

For the customer it works for the first authz - putting it into “Not-Compliant Posture” state.

It is the with the CoA (after posture compliance) where the internal dACL does not work!

Would you say it is a bug if the dACL can be applied during first auth, but not after CoA?

Regards

Hakan

hslai · ‎10-21-2017

Since we discussing this with TAC and the teams, and since my recreate (info attached) showing it working OK, I am closing this thread.