06-01-2012 02:21 AM - edited 02-21-2020 04:39 AM
Hello all,
I would like to ask you for some technology help.
The customer would like to create a policy model for remote-access services based on "roles". For example:
User1 is a member of GroupA in LDAP and is a member of GroupB as well.
Security GroupA specifies access to some resources (it can be represented as an ACL, ACL-A); security GroupB is represented as another pool of resources (it can also be represented as an ACL, for example ACL-B).
The final state is that when the VPN client connects, he gets authorization based on both ACL-A and ACL-B.
How can we dynamically provide "merging" of ACLs?
ACL merging can't be done manually, because there can be more than 2 security groups and there are more VPN users, who can have various combinations of security group membership.
Thanks a lot for your help,
Regards,
Peter
09-05-2017 04:14 AM
09-05-2017 10:55 AM
You can only apply a single Authorization Result for a given Authorization Profile.
You could create separate custom results and have the profile check for the various combinations and permutations of groups to which a user belongs. That could quickly get out of hand though as there are potentially n*(n-1) of those.
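An added example, not part of the original thread and not ISE or ASA configuration: one way to pre-compute merged ACLs only for the group combinations that actually occur among users, so each combination can be referenced by a single authorization result. GroupC, the user list, the ACE strings and all function names are constructed for illustration, and the merge assumes permit-only ACLs because a deny entry would make the result order-dependent.

```python
# Added example: names, groups and ACEs below are constructed sample data.

# Per-group ACLs (permit-only entries, so merge order cannot change the result).
GROUP_ACLS = {
    "GroupA": ["permit tcp any host 10.1.1.10 eq 443",
               "permit tcp any host 10.1.1.20 eq 22"],
    "GroupB": ["permit tcp any host 10.2.2.10 eq 3389",
               "permit tcp any host 10.1.1.10 eq 443"],   # overlaps with GroupA
    "GroupC": ["permit udp any host 10.3.3.53 eq 53"],
}

# Group membership as it would be read from LDAP.
USER_GROUPS = {
    "User1": ["GroupA", "GroupB"],
    "User2": ["GroupB"],
    "User3": ["GroupB", "GroupA"],      # same combination as User1
    "User4": ["GroupC", "Unmapped"],    # a group with no ACL is ignored
}

def mapped_groups(groups):
    """Groups that have an ACL defined, in a stable sorted order."""
    return sorted(GROUP_ACLS.keys() & set(groups))

def merge_acl(groups):
    """Union of the ACEs of all mapped groups, de-duplicated, order stable."""
    merged = []
    for group in mapped_groups(groups):
        for ace in GROUP_ACLS[group]:
            if not ace.startswith("permit "):
                # A deny entry makes the result depend on ordering; refuse.
                raise ValueError(f"{group}: cannot merge non-permit ACE: {ace}")
            if ace not in merged:
                merged.append(ace)
    return merged

def acl_name(groups):
    """Deterministic name per combination, e.g. ACL-GroupA+GroupB."""
    mapped = mapped_groups(groups)
    return "ACL-" + "+".join(mapped) if mapped else None

def build_policies(user_groups):
    """Return ({acl_name: [aces]}, {user: acl_name}) for combinations in use."""
    acls, assignment = {}, {}
    for user, groups in user_groups.items():
        name = acl_name(groups)
        assignment[user] = name          # None means no ACL, so no access
        if name and name not in acls:
            acls[name] = merge_acl(groups)
    return acls, assignment
```

Only three merged ACLs are produced for the four sample users, because User1 and User3 share a combination; the number of ACLs grows with the combinations in use rather than with every possible one.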
09-05-2017 11:46 PM
Hi,
The main challenge I have is that I need to implement multi-match of AD groups. Like user 1 belongs to the A and B groups and user 2 to the B group and gets access correspondingly. There will be a lot of users and combinations of access, so I can't define all the conditions. I can't see any option on ISE to do that.
09-06-2017 06:48 AM
I am wondering how they restrict access for those users when they are connected locally?