05-21-2020 01:36 PM
I'm having a weird issue with dACLs for users that VPN in and belong to specific AD groups:
Ultimately I have a dACL that I want assigned to users with a certain AD group membership when they hit our ASA via SSL VPN. My tunnel group uses ISE for authorization and it's configured as a RADIUS server. On ISE, I have the ASA in my device list and have a policy that points users that belong to a certain AD group known to ISE to an authorization profile that has my dACL tied to it. I know communication between ISE and ASA is present by looking at my RADIUS logs. The funny thing is if I try using ISE as my authentication server (which I don't plan to, I have another server for that) I can't log in to VPN but get the dACL in the logs. If I do not use ISE for authC and purely use it for authZ, I can access the VPN fine, I just don't get the dACL.
Anybody got tips on what I'm missing?
ISE 2.6
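For reference, this is the ASA-side shape of the split authentication/authorization setup the post describes, written here as an added illustration rather than the poster's own configuration. Every name and address in it (the server-group names, the 192.0.2.10 ISE address, the tunnel-group, pool and group-policy names) is an assumed placeholder; the shared key is redacted. The points worth checking against your own config are that the RADIUS host has `dynamic-authorization` enabled (needed for ISE to push or change authorization on the session), that `authorization-server-group` on the tunnel group points at the ISE group, and that the dACL actually landed, which you can confirm on the ASA after a test login with the `show` commands in the comments.

```cisco
! --- ISE as the RADIUS authorization server (assumed names/addresses) ---
aaa-server ISE-AUTHZ protocol radius
aaa-server ISE-AUTHZ (inside) host 192.0.2.10
 key *****
 authentication-port 1812
 accounting-port 1813
 dynamic-authorization
!
! --- separate authentication server, as the poster describes (assumed LDAP group) ---
aaa-server LDAP-AUTH protocol ldap
!
! --- remote-access tunnel group: authC against LDAP, authZ against ISE ---
tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group LDAP-AUTH
 authorization-server-group ISE-AUTHZ
 authorization-required
 default-group-policy GP-SSL
!
! --- checks after a test login (run from the ASA CLI, not config mode) ---
! show vpn-sessiondb detail anyconnect filter name <username>
!   -> the "Filter Name" field shows the ACL applied to the session
! show access-list
!   -> a downloaded dACL appears as an entry named #ACSACL#-IP-<name>-<hash>;
!      if it is absent, the ASA never received/installed the dACL from ISE
```

On the ISE side the matching pieces are the ASA as a network device, the AD group condition in the authorization policy, and the authorization profile carrying the dACL; the `show access-list` check above tells you whether the dACL ever reached the ASA, which separates an ISE policy-match problem from an ASA-side installation problem.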