This document describes the configuration of a per-user Dynamic Access Control List (dACL) for users present in either the internal identity store or an external identity store.
Cisco recommends that you have knowledge of policy configuration on Identity Services Engine (ISE).
The information in this document is based on these software and hardware versions:
Identity Services Engine version 2.2
Microsoft Windows Active Directory 2012 R2
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
A per-user dACL can be configured for any user in the internal store using a custom user attribute. For a user in Active Directory (AD), any attribute of type string can be used to achieve the same. This section describes how to configure the attributes on both ISE and AD, along with the configuration required on ISE for this feature to work.
Configure a New Custom User Attribute on ISE
Navigate to Administration > Identity Management > Settings > User Custom Attributes. Click the green + button, as shown in the image, to add a new attribute and save the changes. In this example, the name of the custom attribute is ACL.
In order to configure downloadable ACLs, navigate to Policy > Policy Elements > Results > Authorization > Downloadable ACLs. Click Add. Provide a name, content of the dACL and save the changes. As shown in the image, the name of the dACL is NotMuchAccess.
Configure an Internal User Account with the Custom Attribute
Navigate to Administration > Identity Management > Identities > Add. Create a user and configure the custom attribute value with the name of the dACL that the user needs to get when authorized. In this example, the name of the dACL is NotMuchAccess.
Configure an AD User Account
On the Active Directory, navigate to the user account properties and then on to the Attribute Editor. As shown in the image, aCSPolicyName is the attribute used to specify the dACL name. However, as mentioned earlier, any attribute which can accept a string value can be used as well.
Import the Attribute from AD to ISE
To use the attribute configured on the AD, ISE needs to import it. In order to import the attribute, navigate to Administration > Identity Management > External Identity Sources > Active Directory > [Join point configured] > Attributes. Click Add and then Select Attributes from Directory. Provide the user account name on the AD and then click Retrieve Attributes. Select the attribute configured for the dACL, click OK and then click Save. As shown in the image, aCSPolicyName is the attribute.
Configure Authorization Profiles for Internal and External Users
In order to configure Authorization Profiles, navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Click Add. Provide a name and, for an internal user, choose the dACL name as InternalUser:<name of custom attribute created>. As shown in the image, for the internal user, the profile InternalUserAttributeTest is configured with the dACL set to InternalUser:ACL.
For an external user, use <Join point name>:<attribute configured on AD> as the dACL name. In this example, the profile ExternalUserAttributeTest is configured with the dACL set to TEST:aCSPolicyName, where TEST is the Join point name.
Configure Authorization Policies
Authorization policies can be configured at Policy > Authorization based on the groups in which the external user is present on the AD and also based on the username in the internal identity store. In this example, testuserexternal is a user present in the group gce.iselab.local/Builtin/Users and testuserinternal is a user present in the internal identity store.
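The key point of the configuration above is that the authorization profile does not carry a literal dACL name: it carries an attribute reference (InternalUser:ACL or TEST:aCSPolicyName), and ISE reads that attribute from the authenticated user at authorization time to decide which dACL to push. The following script is an added example (not ISE or Cisco code) that simulates this lookup for an internal user and an AD user, fails closed when the attribute is empty or names a dACL that was never created, and renders the cisco-av-pair that carries the dACL name in the Access-Accept. All user records, dACL contents and the hash suffix are constructed sample data; the real suffix ISE appends is a version hash of the dACL content and is not computed this way.

```python
"""Simulation of ISE per-user dACL resolution (added example, not Cisco/ISE code)."""
import hashlib

# Constructed: dACLs as created under Policy > Policy Elements > Results > Downloadable ACLs
DACLS = {
    "NotMuchAccess": [
        "permit udp any any eq 53",
        "permit tcp any host 10.0.0.5 eq 443",
        "deny ip any any",
    ],
}

# Constructed: internal identity store users with the custom attribute "ACL"
INTERNAL_USERS = {
    "testuserinternal": {"ACL": "NotMuchAccess"},
    "nodacluser": {"ACL": ""},  # custom attribute left empty
}

# Constructed: AD join point "TEST" with the imported attribute aCSPolicyName
AD_JOIN_POINTS = {
    "TEST": {
        "testuserexternal": {
            "aCSPolicyName": "NotMuchAccess",
            "memberOf": ["gce.iselab.local/Builtin/Users"],
        },
        "typouser": {"aCSPolicyName": "NotMuchAcces"},  # does not match any dACL
    }
}

# Authorization profiles: value is the attribute reference, not a dACL name
AUTHZ_PROFILES = {
    "InternalUserAttributeTest": "InternalUser:ACL",
    "ExternalUserAttributeTest": "TEST:aCSPolicyName",
}


def lookup_attribute(source, attribute, username):
    """Read one attribute from the internal store or from an AD join point."""
    if source == "InternalUser":
        record = INTERNAL_USERS.get(username)
    else:
        record = AD_JOIN_POINTS.get(source, {}).get(username)
    if record is None:
        return None
    return record.get(attribute) or None  # empty string counts as unset


def access_accept_avpair(dacl_name):
    """cisco-av-pair naming the dACL. The 8-hex suffix is a constructed stand-in
    for the version hash ISE appends to the dACL name."""
    digest = hashlib.sha256("\n".join(DACLS[dacl_name]).encode()).hexdigest()[:8]
    return f"ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-{dacl_name}-{digest}"


def authorize(profile_name, username):
    """Resolve the dACL for a user hitting the given profile.

    Returns a dict with 'dacl' and 'avpair' on success; on any failure 'dacl' is
    None and 'reason' explains why, so the caller can decide on a fallback
    instead of silently granting access without a dACL."""
    reference = AUTHZ_PROFILES[profile_name]
    source, attribute = reference.split(":", 1)
    name = lookup_attribute(source, attribute, username)
    if name is None:
        return {"dacl": None, "avpair": None,
                "reason": f"{username}: attribute {reference} is unset"}
    if name not in DACLS:
        return {"dacl": None, "avpair": None,
                "reason": f"{username}: attribute {reference}={name!r} names no configured dACL"}
    return {"dacl": name, "avpair": access_accept_avpair(name), "reason": "ok"}


if __name__ == "__main__":
    for profile, user in [("InternalUserAttributeTest", "testuserinternal"),
                          ("ExternalUserAttributeTest", "testuserexternal"),
                          ("InternalUserAttributeTest", "nodacluser"),
                          ("ExternalUserAttributeTest", "typouser")]:
        print(profile, user, authorize(profile, user))
```

The two failure cases are the ones worth checking in the live logs: a user whose attribute was never populated, and an attribute value that does not exactly match a dACL name. In both cases the authorization still succeeds on the ISE side, but the Access-Accept carries no dACL and the switch port falls back to whatever its static ACL allows.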
Use this section to verify that the configuration works.
Check the livelogs to verify the user authentications.
Click the magnifying glass icon on the successful user authentication to verify that it hit the correct policies in the Overview section of the report.
Check the Other Attributes section of the livelogs to verify if the user attributes have been retrieved.
Check the Result section to verify if the dACL attribute is being sent as a part of Access-Accept.
Check the Livelogs to verify if the dACL is downloaded after the user authentication.
Click the magnifying glass icon on the successful dACL download log and verify the Overview section to confirm the dACL download.
Check the Result section of the report to verify the contents of the dACL.
There is currently no specific troubleshooting information available for this configuration.