topic White list remote devices on ISE without certificates in Network Access Control

White list remote devices on ISE without certificates

ARQA-netadmin — Wed, 14 Apr 2021 09:50:26 GMT

Is there any way to configure some authorization policy on ISE in which you can define a whitelist of remote devices that are allowed to build VPN. As an option, obtaining a some unique id from a remote device. The method with certificates is not suitable.

Re: White list remote devices on ISE without certificates

Mike.Cifelli — Wed, 14 Apr 2021 12:40:57 GMT

IMO you have several options here that you should test to see which meet your requirements the best:

option1: target the specific tunnel groups you wish to authorize on the network

condition = Cisco-VPN3000:CVPN/ASA/PIX7x-Tunnel-Group-Name EQUALS <name>

option2: if integrated with perhaps AD add condition to map clients and/or user to external security group to drive authorization policy

condition = <AD ID source name>:ExternalGroups EQUALS <name>

option3: perhaps rely on posturing to check against a unique attribute on these whitelisted clients

There are definitely more options out there. I suggest dissecting a radius live log from one of the whitelisted clients to determine unique attributes that could differentiate them from the rest to aide in identifying other possibilities. HTH!

Re: White list remote devices on ISE without certificates

ARQA-netadmin — Wed, 21 Apr 2021 04:26:11 GMT

Ok. I understood. But I am intrested in best practics about this. Maybe someone used some radius parameters from remote machine or some another information for identification remote machine. I would like something specific