Is it possible to do a dACL with a variable?

Is it possible to do a dACL with a variable?
 
I wanted to do a dACL where the hostname / IP comes out of AD. We mocked it up in Policy simulation and it works fine!
 
permit ip any %{Authorization:AD:Attribute} 
yields
permit ip any 10.10.0.1
 
The problem is that in production (as I understand it), the enforcement profile sends the dACL to the ASA, the ASA says it doesn't have a copy of that ACL and sends a request to CPPM to build it.
 
THAT request, the #ACSACL#, builds the Cisco-AVPair, but it doesn't come over with any identifying attributes to tie back to the authorization source, so it can't use the variable the second time.
 
Cisco-AVPair = ip:inacl#1=permit ip any %{Authorization:AD:Attribute} 
 
It puts my variable tag in, not the value, presumably because it doesn't know this authorization source in the dACL processing.
 
Is there another way to get where I'm going?
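
The two-request flow described in the post above, as an added, simplified Python model (not ClearPass or ASA code, and not part of the original post). The directory entry, the dACL name and the function names are constructed for illustration, and leaving an unknown variable unexpanded mirrors what the post reports.

```python
import re

VAR = re.compile(r"%\{([^}]+)\}")

# Constructed sample data: one AD user and one dACL template.
DIRECTORY = {"alice": {"Authorization:AD:Attribute": "10.10.0.1"}}
DACL_NAME = "#ACSACL#-IP-per-user-acl"  # hypothetical dACL name
DACL_TEMPLATES = {DACL_NAME: ["permit ip any %{Authorization:AD:Attribute}"]}


def expand(line, context):
    """Replace %{name} from context; an unknown variable is left as written."""
    return VAR.sub(lambda m: context.get(m.group(1), m.group(0)), line)


def access_request(attrs):
    """Toy RADIUS server: answer a user authentication or a dACL download."""
    name = attrs["User-Name"]
    if name.startswith("#ACSACL#"):
        # Request 2: the NAS asks for the ACL body. The only identity in the
        # request is the ACL name, so there is no user to look up in AD.
        context = DIRECTORY.get(name, {})
        body = DACL_TEMPLATES[name]
        return [f"ip:inacl#{i}={expand(l, context)}" for i, l in enumerate(body, 1)]
    # Request 1: user authentication; the reply only names the dACL.
    return [f"ACS:CiscoSecure-Defined-ACL={DACL_NAME}"]


def unresolved(avpairs):
    """Return AV pairs that still carry a literal %{...} placeholder."""
    return [p for p in avpairs if VAR.search(p)]


def simulate(user):
    """Run both requests the way the NAS would and return each reply."""
    first = access_request({"User-Name": user})
    acl_name = first[0].split("=", 1)[1]
    second = access_request({"User-Name": acl_name})
    return first, second


if __name__ == "__main__":
    first, second = simulate("alice")
    print(first, second, unresolved(second), sep="\n")
    # Policy-simulation style expansion, where the user context is present:
    print(expand(DACL_TEMPLATES[DACL_NAME][0], DIRECTORY["alice"]))
```

Running `unresolved()` over the AV pairs returned for the download request is a quick check that no literal `%{...}` placeholder is being delivered as an ACL entry.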

Re: Is it possible to do a dACL with a variable?

Nope.  Feature Request submitted.
