Solved: Translation of Pulsesecure - Windows AD security policy to Cisco ISE for VPN access

rgonzalezsanchez · ‎02-16-2019

Hi guys,

I need advise, I'm in a project where I have to replace a pulsesecure platform with two firepowers 2110 and an ISE controller. At first it didn't seem very dificult but when I started looking closely at the Pulsesecure policy I noticed that they have about 80 rols mapped to windows AD groups and that each user has a diferent combination of groups to make his access policy. I know that ISE 2.3 (my version) doesn't support merging multiple DACLs based on matching different combinations of windows groups so my question is, is there any other way to attack this problem rather than making as many dacl / results / rules as the combination of all the windows grups used by the users? This solution, in addition to being a hugh amount of work will be a manteinance nightmare. Thanks for your help.

hslai · ‎02-16-2019

You are correct the new policy set UI in ISE 2.3+ not currently support multi-match for such use cases and I am not aware of any workaround unless using ISE 2.2 or earlier.

Perhaps you may use Dynamic Access Policy (DAP) ACL Aggrega... - Cisco Community if using ASA code.

View solution in original post

hslai · ‎02-16-2019

You are correct the new policy set UI in ISE 2.3+ not currently support multi-match for such use cases and I am not aware of any workaround unless using ISE 2.2 or earlier.

Perhaps you may use Dynamic Access Policy (DAP) ACL Aggrega... - Cisco Community if using ASA code.

tuan-nguyen · ‎09-13-2022

Hi,

could you please tell me what are the steps do we needs to replace the pulse secure platform for the firepower? do you any documents to read about this?