https://community.cisco.com/t5/network-access-control/location-based-authorization/m-p/3766752#M487026 It should be client's physical NIC ip (or mac address?) since the VPN connection is not complete and the tunnel IP would not have been assigned. Wed, 19 Dec 2018 15:37:17 GMT Surendra 2018-12-19T15:37:17Z https://community.cisco.com/t5/network-access-control/location-based-authorization/m-p/3764660#M487022 <P>Hi there,&nbsp;</P> <P>&nbsp;</P> <P>A customer with requirement to return different&nbsp;AUTHZ policy in ISE based on location from ASA remote VPN.</P> <P>What is the best way to achieve this?</P> <P>&nbsp;</P> <P>Thanks</P> <P>Wing Churn</P> Sun, 16 Dec 2018 23:10:35 GMT https://community.cisco.com/t5/network-access-control/location-based-authorization/m-p/3764660#M487022 wileong 2018-12-16T23:10:35Z https://community.cisco.com/t5/network-access-control/location-based-authorization/m-p/3764665#M487023 <P>In case the location is that of an ASA headend, then we may set the NAD to a specific location in ISE configuration and use that info for authorization.</P> <P>In case the location is the geo-location&nbsp;of a remote access VPN session, we may use the calling-station-ID RADIUS attribute as conditions. ISE is not currently supporting to perform a lookup for geo-location info of a remote access client so the conditions would likely need set explicitly.</P> <P>Additionally...</P> <P><A href="https://community.cisco.com/t5/user/viewprofilepage/user-id/326046" target="_blank">Marvin Rhoads</A> mentioned a solution using IPS --&nbsp;<A href="https://developer.mozilla.org/en-US/docs/Mozilla/Integrated_authentication" target="_blank">The new model&nbsp;ASA (5500-X - Cisco Community</A></P> <P><A href="https://community.cisco.com/t5/user/viewprofilepage/user-id/325766" target="_blank">Karsten Iwen</A>&nbsp;suggested using DAP --&nbsp;<A href="https://community.cisco.com/t5/firewalls/can-cisco-asa-locate-anyconnect-geographically-and-block-access/m-p/2254852/highlight/true#M112451" target="_blank">Re: Can CISCO ASA locate anyconnect geo... - Cisco Community</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 16 Dec 2018 23:33:22 GMT https://community.cisco.com/t5/network-access-control/location-based-authorization/m-p/3764665#M487023 hslai 2018-12-16T23:33:22Z https://community.cisco.com/t5/network-access-control/location-based-authorization/m-p/3766460#M487025 <P>Hi Hsing,</P> <P>&nbsp;</P> <P>Thanks for the tip, follow up question on the suggestion. Is calling-station-ID appear as private IP of the AnyConnect real client IP in ISE or the egress IP of the client?</P> <P>&nbsp;</P> <P>Thanks</P> <P>Wing Churn</P> Wed, 19 Dec 2018 08:09:48 GMT https://community.cisco.com/t5/network-access-control/location-based-authorization/m-p/3766460#M487025 wileong 2018-12-19T08:09:48Z https://community.cisco.com/t5/network-access-control/location-based-authorization/m-p/3766752#M487026 It should be client's physical NIC ip (or mac address?) since the VPN connection is not complete and the tunnel IP would not have been assigned. Wed, 19 Dec 2018 15:37:17 GMT https://community.cisco.com/t5/network-access-control/location-based-authorization/m-p/3766752#M487026 Surendra 2018-12-19T15:37:17Z https://community.cisco.com/t5/network-access-control/location-based-authorization/m-p/3768123#M487028 <P>It's the external gateway IP address, usually the one from the ISP, that used to contact the RA-VPN head-end.</P> <P>For example, in [ client -- home router -- Internet -- RA-VPN ], the internet facing IP address of the home router.</P> Sat, 22 Dec 2018 00:41:22 GMT https://community.cisco.com/t5/network-access-control/location-based-authorization/m-p/3768123#M487028 hslai 2018-12-22T00:41:22Z