
Configure Per-User Dynamic Access Control Lists in ISE

Contents

Introduction
Prerequisites
  Requirements
  Components Used
Configure
  Configure a New Custom User Attribute on ISE
  Configure dACL
  Configure an Internal User Account with the Custom Attribute
  Configure an AD User Account
  Import the Attribute from AD to ISE
  Configure Authorization Profiles for Internal and External Users
  Configure Authorization Policies
Verify
Troubleshoot

Introduction

This document describes the configuration of a per-user Dynamic Access Control List (dACL) for users present in either the ISE internal identity store or an external identity store.

Prerequisites

Requirements

Cisco recommends that you have knowledge of policy configuration on Identity Services Engine (ISE).

Components Used

The information in this document is based on these software and hardware versions:

- Identity Services Engine 3.0
- Microsoft Windows Active Directory 2016

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Configure

A per-user dACL can be configured for any user in the internal store using a custom user attribute. For a user in Active Directory (AD), any attribute of type string can be used to achieve the same. This section provides the information required to configure the attributes on both ISE and AD, along with the configuration required on ISE for this feature to work.

Configure a New Custom User Attribute on ISE

Navigate to Administration > Identity Management > Settings > User Custom Attributes. Click the + button, as shown in the image, to add a new attribute and save the changes. In this example, the name of the custom attribute is ACL.

Configure dACL

In order to configure downloadable ACLs, navigate to Policy > Policy Elements > Results > Authorization > Downloadable ACLs. Click Add. Provide a name and the content of the dACL, and save the changes. As shown in the image, the name of the dACL is NotMuchAccess.

Configure an Internal User Account with the Custom Attribute

Navigate to Administration > Identity Management > Identities > Users > Add. Create a user and set the custom attribute value to the name of the dACL that the user needs to receive when authorized. In this example, the name of the dACL is NotMuchAccess.

Configure an AD User Account

On Active Directory, navigate to the user account properties and then to the Attribute Editor tab. As shown in the image, aCSPolicyName is the attribute used to specify the dACL name. However, as mentioned earlier, any attribute that can accept a string value can be used as well.

Import the Attribute from AD to ISE

To use the attribute configured on AD, ISE needs to import it. In order to import the attribute, navigate to Administration > Identity Management > External Identity Sources > Active Directory > [Join point configured] > Attributes tab. Click Add and then Select Attributes From Directory. Provide the user account name on the AD and then click Retrieve Attributes. Select the attribute configured for the dACL, click OK and then click Save. As shown in the image, aCSPolicyName is the attribute.

Configure Authorization Profiles for Internal and External Users

In order to configure Authorization Profiles, navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Click Add. Provide a name and choose the dACL name as InternalUser: for the internal user. As shown in the image, for the internal user, the profile InternalUserAttributeTest is configured with the dACL set to InternalUser:ACL.

Configure Authorization Policies

Authorization policies can be configured at Policy > Policy Sets, based on the groups in which the external user is present on the AD and also based on the username in the ISE internal identity store. In this example, testuserexternal is a user present in the group rinsantr.lab/Users/TestGroup and testuserinternal is a user present in the ISE internal identity store.

Verify

Use this section to verify that the configuration works.

Check the RADIUS live logs to verify the user authentications.

Internal user:
External user:

Click the magnifying glass icon on the successful user authentications to verify that the requests hit the correct policies in the Overview section of the detailed live logs.

Internal user:
External user:

Check the Other Attributes section of the detailed live logs to verify that the user attributes have been retrieved.

Internal user:
External user:

Check the Result section of the detailed live logs to verify that the dACL attribute is sent as part of the Access-Accept.
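The following is an added example, not code from the Cisco document or from ISE itself. It models two steps of this configuration in plain Python: how an authorization profile's dACL reference of the form store:attribute (InternalUser:ACL for the internal user, or the AD join point with aCSPolicyName for the external user) resolves to a per-user dACL name, and how to check the Result attributes of the Access-Accept for the matching dACL. User records, the join point name, the Access-Accept lines and the version hash are constructed sample data.

```python
import re
from typing import Optional

# Constructed user records: the internal user carries the custom attribute "ACL",
# the AD user carries aCSPolicyName imported from the join point (name assumed).
USERS = {
    "testuserinternal": {"store": "InternalUser", "attrs": {"ACL": "NotMuchAccess"}},
    "testuserexternal": {"store": "rinsantr.lab", "attrs": {"aCSPolicyName": "NotMuchAccess"}},
}


def resolve_dacl_name(dacl_ref: str, user: dict) -> Optional[str]:
    """Resolve the dACL reference of an authorization profile for one user.

    A static reference ("NotMuchAccess") is returned unchanged. A dynamic
    reference "<store>:<attribute>" (e.g. "InternalUser:ACL") is looked up in
    the user's attributes; it must match the user's identity store and the
    attribute must be non-empty, otherwise no dACL name is produced."""
    if ":" not in dacl_ref:
        return dacl_ref
    store, attr = dacl_ref.split(":", 1)
    if user["store"] != store:
        return None
    return user["attrs"].get(attr) or None


# ISE sends a dACL in the Access-Accept as a Cisco AV-pair of the form
# ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-<dACL name>-<version hash>
_DACL_RE = re.compile(r"^ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-(?P<name>.+)-[0-9a-f]+$")


def dacl_from_access_accept(result_attrs: list) -> Optional[str]:
    """Return the dACL name found in the Result attributes, or None if absent."""
    for line in result_attrs:
        key, _, value = line.partition("=")
        if key.strip() == "cisco-av-pair":
            m = _DACL_RE.match(value.strip())
            if m:
                return m.group("name")
    return None


def verify_dacl(username: str, dacl_ref: str, result_attrs: list) -> bool:
    """True when the dACL sent in the Access-Accept is the one the user's attribute names."""
    expected = resolve_dacl_name(dacl_ref, USERS[username])
    return expected is not None and dacl_from_access_accept(result_attrs) == expected


# Constructed Result attributes of a detailed live log for the internal user.
ACCESS_ACCEPT = [
    "User-Name=testuserinternal",
    "cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-NotMuchAccess-5f3c9a7e",
]
```

If verify_dacl returns False for a user whose authentication succeeded, compare the Other Attributes section (was the attribute retrieved at all?) with the Result section (was the av-pair sent?) to see which step of the chain broke.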

Also, check the RADIUS live logs to verify that the dACL is downloaded after the user authentication. Click the magnifying glass icon on the successful dACL download log and verify the Overview section to confirm the dACL download.

Check the Result section of this detailed report to verify the contents of the dACL.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.
