05-10-2020 02:17 PM
Hi everyone. I can't find a concrete answer to this one.
I have a Firepower 2130 with FTD, and an ISE server and I need to assign different permissions per user group.
The only approach I've seen that's supported is by sending an attribute from ISE that controls the Group Policy on the Firewall.
Question time:
1. Is this the only method? I saw DACL but apparently it's only supported on ASA. Isn't there an option to send the "Access List Filter" as defined on the Group Policy?
2. Whatever the method that works, what should be the av-pair that I need to send from ISE to FTD?
Thanks for your time.
05-10-2020 02:57 PM
Hi,
DACLs are supported on FTD, certainly from 6.4 onward.
You would just need to define multiple DACLs, reference these in unique Authorisation Profiles. In the policy set define multiple Authorisation rules, match on the unique AD groups and apply the unique Authorisation Profile.
Alternatively you could use TrustSec SGTs, apply a unique SGT per user AD group (it's more complex than DACLs however). Reference guide here.
HTH
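As an added illustration (not code from the reply above or from ISE itself), a small Python model of the policy-set logic the reply describes: ordered authorisation rules, each matched on an AD group and each applying a profile that carries its own DACL. The group names, profile names and ACL entries are constructed for the example.

```python
from dataclasses import dataclass

# Constructed example of the per-group authorisation flow described above:
# one Authorisation Profile per AD group, each carrying its own DACL, and an
# ordered list of rules that pick the profile. First match wins, as in an
# ISE policy set, and anyone matching no rule falls through to a deny profile.

@dataclass(frozen=True)
class AuthzProfile:
    name: str
    dacl: tuple          # ACE lines, evaluated top-down on the firewall

@dataclass(frozen=True)
class AuthzRule:
    name: str
    ad_group: str        # condition: user is a member of this AD group
    profile: AuthzProfile

# Default when no rule matches; an explicit deny avoids a silent fall-through.
DENY_ALL = AuthzProfile("DenyAccess", ("deny ip any any",))

# Rules are ordered most-privileged first so a user in several groups gets
# the intended profile rather than whichever rule happens to be listed first.
POLICY = (
    AuthzRule("NetAdmins", "CN=NetAdmins,OU=Groups,DC=example,DC=com",
              AuthzProfile("Admin_Profile", ("permit ip any any",))),
    AuthzRule("HelpDesk", "CN=HelpDesk,OU=Groups,DC=example,DC=com",
              AuthzProfile("HelpDesk_Profile", (
                  "permit tcp any 10.10.0.0 0.0.255.255 eq 22",
                  "permit udp any host 10.10.1.5 eq 53",
                  "deny ip any any"))),
)

def authorize(user_groups, policy=POLICY):
    """Return the profile of the first rule whose AD group the user holds."""
    for rule in policy:
        if rule.ad_group in user_groups:
            return rule.profile
    return DENY_ALL

def unreachable_rules(policy=POLICY):
    """Rules shadowed by an earlier rule on the same group condition."""
    seen, shadowed = set(), []
    for rule in policy:
        if rule.ad_group in seen:
            shadowed.append(rule.name)
        seen.add(rule.ad_group)
    return shadowed

if __name__ == "__main__":
    both = ["CN=HelpDesk,OU=Groups,DC=example,DC=com",
            "CN=NetAdmins,OU=Groups,DC=example,DC=com"]
    print(authorize(both).name, unreachable_rules())
```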