topic Re: Allow/Deny Clients based on Public IP/Location they are using in Cisco SSL VPN using ISE as Radius in Network Access Control

Allow/Deny Clients based on Public IP/Location they are using in Cisco SSL VPN using ISE as Radius

misinsuan2229 — Thu, 28 Mar 2019 04:29:50 GMT

Is there a function in ISE that I can create conditions to allow/deny connecting clients to Anyconnect based on their IP?

Example is I want to block certain IP range to be not allowed to connect to our Anyconnect VPN - using ISE as our radius server?

Re: Allow/Deny Clients based on Public IP/Location they are using in Cisco SSL VPN using ISE as Radius

Mike.Cifelli — Thu, 28 Mar 2019 12:48:57 GMT

removed after re-reading topic

Re: Allow/Deny Clients based on Public IP/Location they are using in Cisco SSL VPN using ISE as Radius

bern81 — Thu, 28 Mar 2019 13:24:44 GMT

Hi,

You can create an inbound ACL and attach it to the ASA outside interface denying the IP ranges you want to Dst any eq tcp and udp 443.

Try this and give us feedback, it may not work because normally you need to enable the below option:

bypass interface access-list for inbound VPN sessions (in ASDM)

sysopt connection permit-vpn (via cli).

Please vote if helpful

Re: Allow/Deny Clients based on Public IP/Location they are using in Cisco SSL VPN using ISE as Radius

Rob Ingram — Thu, 28 Mar 2019 16:26:25 GMT

Hi,
You could use the RADIUS value "Calling-Station-ID" in an ISE Authorization rule to permit/deny access.

As previously suggested you could also create an ACL on the ASA, this must be bound to the outside interface with the option control-plane appended. This is not the same ACL you would use for controlling traffic through the ASA.

E.g:-

access-group ALL_EXCEPT in interface OUTSIDE control-plane

HTH