https://community.cisco.com/t5/network-access-control/using-endpoint-ip-address-as-an-authz-condition/m-p/3584011#M539242 <HTML><HEAD></HEAD><BODY><P>Robert, it is not possible with current condition set on ISE as you described. Have you looked into whether ASA can define different profiles or VLANs based on their source IP address?</P><P></P><P>Hosuk</P></BODY></HTML> Fri, 08 Apr 2016 15:10:23 GMT howon 2016-04-08T15:10:23Z https://community.cisco.com/t5/network-access-control/using-endpoint-ip-address-as-an-authz-condition/m-p/3584010#M539240 <HTML><HEAD></HEAD><BODY><P>I am looking for a way to use the IP address of the endpoint in an AuthZ policy.&nbsp; I could use Radius-Framed-IP-Address, but the only option is "Equals" or "Not Equal To" and does not give me things like "Starts with".&nbsp; Network Access - Device IP Address has the same issue.</P><P></P><P>How would we go about using the endpoint address in a policy?&nbsp; The particular use case is around internal vs external VPN connections and using the source address as the way to determine the origin of the VPN connection.</P><P></P><P>Any guidance is appreciated.</P><P></P><P>Thanks!</P><P></P><P>Bob</P></BODY></HTML> Thu, 07 Apr 2016 19:38:00 GMT https://community.cisco.com/t5/network-access-control/using-endpoint-ip-address-as-an-authz-condition/m-p/3584010#M539240 bperciac 2016-04-07T19:38:00Z https://community.cisco.com/t5/network-access-control/using-endpoint-ip-address-as-an-authz-condition/m-p/3584011#M539242 <HTML><HEAD></HEAD><BODY><P>Robert, it is not possible with current condition set on ISE as you described. Have you looked into whether ASA can define different profiles or VLANs based on their source IP address?</P><P></P><P>Hosuk</P></BODY></HTML> Fri, 08 Apr 2016 15:10:23 GMT https://community.cisco.com/t5/network-access-control/using-endpoint-ip-address-as-an-authz-condition/m-p/3584011#M539242 howon 2016-04-08T15:10:23Z https://community.cisco.com/t5/network-access-control/using-endpoint-ip-address-as-an-authz-condition/m-p/3584012#M539243 <HTML><HEAD></HEAD><BODY><P>Hi Bob, have you considered using tunnel groups on the ASA use case instead of IP address?&nbsp; That way you can match on Tunnel-Group-Name in the AuthZ policy to provide differentiated results.</P><P></P><P>Sample:</P><P><IMG alt="" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/94445_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P>George</P></BODY></HTML> Fri, 08 Apr 2016 16:50:10 GMT https://community.cisco.com/t5/network-access-control/using-endpoint-ip-address-as-an-authz-condition/m-p/3584012#M539243 gbekmezi-DD 2016-04-08T16:50:10Z https://community.cisco.com/t5/network-access-control/using-endpoint-ip-address-as-an-authz-condition/m-p/3584013#M539244 <HTML><HEAD></HEAD><BODY><P>Public IP address of the client is sent by the ASA in Calling-Station-ID attribute. You will be able to use all the normal operands on that in ISE.</P><P>Framed-IP-Address stores the assign IP address from the VPN pool.</P></BODY></HTML> Fri, 08 Apr 2016 18:51:12 GMT https://community.cisco.com/t5/network-access-control/using-endpoint-ip-address-as-an-authz-condition/m-p/3584013#M539244 vibobrov 2016-04-08T18:51:12Z