Is it possible to do a dACL with a variable?
I wanted to do a dACL where the hostname / IP comes out of AD. We mocked it up in Policy simulation and it works fine!
permit ip any %{Authorization:AD:Attribute}
yields
permit ip any 10.10.0.1
The problem is that in production (as I understand it), the enforcement profile sends the dACL to the ASA, the ASA says it doesn't have a copy of that ACL and sends a request to CPPM to build it.
THAT request, the #ACSACL#, builds the Cisco-AVPair, but it doesn't come over with any identifying attributes to tie back to the authorization source, so it can't use the variable the second time.
Cisco-AVPair = ip:inacl#1=permit ip any %{Authorization:AD:Attribute}
It puts my variable tag in, not the value, presumably because it doesn't know this authorization source in the dACL processing.
Is there another way to get where I'm going?