topic Re: ISE limit vpn access by client source ip in Network Access Control

ISE limit vpn access by client source ip

judiljak — Wed, 27 Nov 2019 16:04:57 GMT

Hello,
Is it possible to use client ip address to limit vpn access
i.e write authorization policy which would use Cisco-AVPair = "ip:source-ip=ip.add.re.ss"
or Calling-Station-ID to match against defined subnet
As per documentation both are of type string and i am not sure how to write these rules
or is it even possible
https://community.cisco.com/t5/security-documents/ise-network-access-attributes/ta-p/3616253
cisco-av-pair 1 The Cisco RADIUS implementation supports one vendor-specific option using the format recommendedin the specification. Cisco’s vendor-ID is 9, and the supported option has vendor-type 1, which is named“cisco-avpair.” The value is a string
Calling-Station-ID 31 string 1.0 Authentication
This Attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology. It is only used in Access-Request packets.

For sure we can debate on whether this would be an optimal solution, but I'd still like to get an answer.
Thnx

Re: ISE limit vpn access by client source ip

jj27 — Wed, 27 Nov 2019 16:56:28 GMT

I assume your VPN client is AnyConnect? It should send over the source IP as you described as an av-pair attribute.

I just tested this use-case in my lab and it was successful. The policy looks like this:

Attributes sent are:

Re: ISE limit vpn access by client source ip

Mike.Cifelli — Wed, 27 Nov 2019 17:04:30 GMT

As a reference you can utilize the detailed radius live logs to determine the type of string you would need to apply in your condition. For example, you can find the calling-station-id in the detailed log under the authentication section on the left side. This will either be an IP or if using mab you will see the client mac in a hyphen-hex format of AA-AA-AA-AA-AA-AA. Not to debate with you, but there are definitely better ways of limiting vpn access via other condition types. I think the issue with using the calling station id is that remote users are probably obtaining an ip address dynamically on whatever wireless connection they have meaning that it will always change and could become an admin nightmare. Unless you know that the IP is never changing. However, keep in mind I know nothing about your setup such as whether or not it is clientless, or client vpn etc. etc. Good luck & HTH!

Re: ISE limit vpn access by client source ip

judiljak — Wed, 27 Nov 2019 20:39:37 GMT

Thnx, but
Maybe I wasn't that clear or overlooked your answer somehow
Anyway, ASA (vpn gatewa) is indeed sending those attributes that is not in question.
What's puzzling me is how can I match src ip to a known subnet say /21
Obviously it is impossible to write rules with all those ip addresses and use
EQ string operator
Probably one would neet to cast it to address type and somehow match if it belongs to
a subnet

Re: ISE limit vpn access by client source ip

andrewswanson — Wed, 27 Nov 2019 21:05:40 GMT

You can specify the subnet you want to match in an Endstation Network Condition under Policy > Policy Elements > Conditions > Network Conditions.

I've used this method in the past as a Policy condition - not sure if Endstation Network Conditions can be used as an Authorization condition.

hth
Andy

Re: ISE limit vpn access by client source ip

jj27 — Wed, 27 Nov 2019 21:26:33 GMT

You could probably match using a RegEx in the condition. What is the subnet you are trying to match on?