Re: ISE ACL merging?

peter-marcek · ‎06-01-2012

Hello all,

I would like ask you about some technology help ..

Customer would like create policy model for remote-access services based on „roles“. For example :

User1 is member of GroupA in LDAP and is member of GroupB as well.

Security GroupA specify access to some resources (can be represented as ACL, ACL-A), security GroupB is represented as other pool of resources (as well can be represented as ACL, for example ACL-B).

Final status is, if VPN client will connect, he will get authorization based on both ACL-A and ACL-B.

How can we dynamicaly provide „merging“ of ACLs ?

ACL merging can’t be provided manualy, because there can be more then 2 security groups and there are more VPN users, which can have various combination of security groups membership.

Thanks a lot for your help,

Regards,

Peter

Darius · ‎09-05-2017

Hi

Did you found any solution ?

Marvin Rhoads · ‎09-05-2017

You can only apply a single Authorization Result for a given Authorization Profile.

You could create separate custom results and have the profile check for the various combinations and permutations of groups to which a user belongs. That could quickly get out of hand though as there are potentially n*(n-1) of those.

Darius · ‎09-05-2017

Hi,

Main challange I have that I need to implement multimatch of AD groups. Like user 1 belongs to A and B group and user 2 to B group and gets access correspondingly. There will be alot of users and conbinations of access, so I can't define all the conditions. I can't see any option on ISE to do that..

Marvin Rhoads · ‎09-06-2017

I am wondering how do they restrict access for those users when they are connected locally?