Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Is it possible to do a dACL with a variable?

  • 1.  Is it possible to do a dACL with a variable?

    Posted Aug 06, 2015 01:23 PM
    Is it possible to do a dACL with a variable?
     
    I wanted to do a dACL where the hostname / IP comes out of AD.  We mocked it up in Policy Simulation and it works fine!
     
    permit ip any %{Authorization:AD:Attribute} 
    yields
    permit ip any 10.10.0.1
     
    The problem is that in production (as I understand it), the enforcement profile sends the dACL to the ASA, the ASA says it doesn't have a copy of that ACL and sends a request to CPPM to build it.
     
    THAT request, the #ACSACL#, builds the Cisco-AVPair, but it doesn't come over with any identifying attributes to tie back to the authorization source, so it can't use the variable the second time.
     
    Cisco-AVPair = ip:inacl#1=permit ip any %{Authorization:AD:Attribute} 
     
    It puts my variable tag in, not the value, presumably because it doesn't know this authorization source in the dACL processing.
     
    Is there another way to get where I'm going?
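The two-phase exchange the post describes, modelled as an added example (this is not ClearPass or ASA code and not from the thread): a toy policy server keeps the dACL template, the first Access-Accept carries only a reference to the ACL, and the NAD's follow-up download request carries the ACL name rather than the user's session, so the `%{...}` tag has no authorization context to resolve against. The attribute names `ACS:CiscoSecure-Defined-ACL` and the `#ACSACL#-IP-` prefix are assumed here for illustration; the `Authorization:AD:Attribute` tag and `ip:inacl#1=` form are the ones from the post. The sample AD value is constructed.

```python
import re
from dataclasses import dataclass

# %{Source:Attribute} substitution tag, as used in ClearPass enforcement profiles.
TAG = re.compile(r"%\{([^}]+)\}")
ACL_REF_PREFIX = "#ACSACL#-IP-"  # assumed naming for the dACL reference


def render(template: str, context: dict) -> str:
    """Substitute tags from the available authorization context.

    A tag with no value in the context is left verbatim, which is what the
    poster observed in the downloaded ACL.
    """
    return TAG.sub(lambda m: context.get(m.group(1), m.group(0)), template)


def unresolved_tags(text: str) -> list:
    """Tags still present after rendering: an ACE containing one is not valid."""
    return TAG.findall(text)


@dataclass
class PolicyServer:
    """Toy stand-in for CPPM: dACL templates stored by name."""
    dacls: dict

    def authenticate(self, username: str, dacl_name: str) -> dict:
        # Phase 1: the user's Access-Accept. Only a reference to the dACL is sent,
        # not its body (assumed AV-pair form, for illustration only).
        ref = ACL_REF_PREFIX + dacl_name
        return {"User-Name": username,
                "Cisco-AVPair": [f"ACS:CiscoSecure-Defined-ACL={ref}"]}

    def download_acl(self, request: dict) -> dict:
        # Phase 2: the NAD asks for the ACL body. This request names the ACL, not the
        # user, so no AD lookup happened and there is no Authorization:* context.
        name = request["User-Name"][len(ACL_REF_PREFIX):]
        context = request.get("authz", {})  # empty in the real flow
        lines = [render(t, context) for t in self.dacls[name]]
        return {"Cisco-AVPair": [f"ip:inacl#{i}={line}" for i, line in enumerate(lines, 1)]}


def nad_fetch_acl(server: PolicyServer, accept: dict) -> dict:
    """What the NAD does with an unknown dACL reference: request it by name."""
    ref = next(v.split("=", 1)[1] for v in accept["Cisco-AVPair"]
               if v.startswith("ACS:CiscoSecure-Defined-ACL="))
    return server.download_acl({"User-Name": ref})


def demo():
    server = PolicyServer(dacls={"AD-host": ["permit ip any %{Authorization:AD:Attribute}"]})
    # Constructed: the value AD returned during the user's authentication.
    session_ctx = {"Authorization:AD:Attribute": "10.10.0.1"}

    # Policy Simulation renders against the live session context, so it resolves.
    simulated = render(server.dacls["AD-host"][0], session_ctx)

    # Production: Access-Accept with a reference, then the NAD's ACL download.
    accept = server.authenticate("alice", "AD-host")
    downloaded = nad_fetch_acl(server, accept)["Cisco-AVPair"][0]

    return simulated, downloaded, unresolved_tags(downloaded)


if __name__ == "__main__":
    sim, dl, bad = demo()
    print("simulation :", sim)
    print("download   :", dl)
    print("unresolved :", bad)
```

`unresolved_tags` is the check worth keeping: run it over any rendered ACE before handing the ACL to the NAD, so a template whose tags cannot be resolved in the download phase is flagged instead of being pushed as a broken ACE.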


  • 2.  RE: Is it possible to do a dACL with a variable?

    Posted Aug 07, 2015 01:11 PM

    Nope.  Feature Request submitted.