topic Re: Using ISE to block TOR IP’s from connecting to VPN concentrators in Network Access Control

Using ISE to block TOR IP’s from connecting to VPN concentrators

tgallawa — Tue, 11 Aug 2020 00:05:58 GMT

Is it possible to have ISE block TOR IP's from connecting to an ASA RAVPN?

Re: Using ISE to block TOR IP’s from connecting to VPN concentrators

Colby LeMaire — Tue, 11 Aug 2020 13:13:52 GMT

Best option would be to use the firewall itself to block certain IP's from connecting. Ideally, you would have a "filtering" router at your Internet edge that blocks known bad IP's, RFC 1918 IP's, and your own internal subnet IP's (RFC 2827/BCP 38). That prevents your firewall from having to process a lot of junk, which uses up resources.

If you cannot block on your edge router or firewall, then you could try to look for the "Framed-IP-Address" attribute in your authentication requests and use a Regex to match against your bad list. But that is not ideal or efficient.

Re: Using ISE to block TOR IP’s from connecting to VPN concentrators

Marvin Rhoads — Tue, 11 Aug 2020 14:09:22 GMT

ISE is the wrong solution for that requirement. Ideally have an upstream NGFW/IPS with geoblocking. Or use MFA (like Duo) with geofencing requirements enforced on the MFA client.