https://community.cisco.com/t5/network-access-control/ise-authentication-based-on-the-client-ip/m-p/4781678#M580057 <P>Need some advice. We use ISE for authentication for the Cisco anyconnect VPN. The default authentication is to use a Identity store that uses Windows AD for authentication. I want to add an authentication policy based on the client IP address so if the client connecting the VPN has the IP 1.1.1.1, I would do local authentication with a local stored credential.&nbsp;</P><P>I checked my radius log and I see that the client IP is in the following fields</P><UL><LI>Endpoint Id</LI><LI>Calling Station Id</LI><LI>Tunnel-Client-Endpoint</LI></UL><P>Which one should I use for the condition for the authentication policy? In the condition search, I can't find the first two. The only one I can find is the Tunnel-Client-Endpoint. Should I be using that one? Does my config below look correct? Thanks!</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Difan_Zhao_0-1677189720135.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/177275i5C8A3E81D76FF6FB/image-size/medium?v=v2&amp;px=400" role="button" title="Difan_Zhao_0-1677189720135.png" alt="Difan_Zhao_0-1677189720135.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Difan_Zhao_1-1677189739419.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/177276i8B9E6EC8E6C31319/image-size/medium?v=v2&amp;px=400" role="button" title="Difan_Zhao_1-1677189739419.png" alt="Difan_Zhao_1-1677189739419.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 23 Feb 2023 22:03:39 GMT Difan_Zhao 2023-02-23T22:03:39Z https://community.cisco.com/t5/network-access-control/ise-authentication-based-on-the-client-ip/m-p/4781678#M580057 <P>Need some advice. We use ISE for authentication for the Cisco anyconnect VPN. The default authentication is to use a Identity store that uses Windows AD for authentication. I want to add an authentication policy based on the client IP address so if the client connecting the VPN has the IP 1.1.1.1, I would do local authentication with a local stored credential.&nbsp;</P><P>I checked my radius log and I see that the client IP is in the following fields</P><UL><LI>Endpoint Id</LI><LI>Calling Station Id</LI><LI>Tunnel-Client-Endpoint</LI></UL><P>Which one should I use for the condition for the authentication policy? In the condition search, I can't find the first two. The only one I can find is the Tunnel-Client-Endpoint. Should I be using that one? Does my config below look correct? Thanks!</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Difan_Zhao_0-1677189720135.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/177275i5C8A3E81D76FF6FB/image-size/medium?v=v2&amp;px=400" role="button" title="Difan_Zhao_0-1677189720135.png" alt="Difan_Zhao_0-1677189720135.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Difan_Zhao_1-1677189739419.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/177276i8B9E6EC8E6C31319/image-size/medium?v=v2&amp;px=400" role="button" title="Difan_Zhao_1-1677189739419.png" alt="Difan_Zhao_1-1677189739419.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 23 Feb 2023 22:03:39 GMT https://community.cisco.com/t5/network-access-control/ise-authentication-based-on-the-client-ip/m-p/4781678#M580057 Difan_Zhao 2023-02-23T22:03:39Z https://community.cisco.com/t5/network-access-control/ise-authentication-based-on-the-client-ip/m-p/4782142#M580071 <P><SPAN>Tunnel-Client-Endpoint should work since that is your RADIUS log.&nbsp; What is your use-case though?&nbsp; Why not just create that account within AD?&nbsp; What happens if the user connecting changes IP addresses or connects from a different location?</SPAN></P> <P><SPAN>Why not use an ID source sequence with AD first and local second?&nbsp; Then add the necessary Authz rules for the local user?</SPAN></P> Fri, 24 Feb 2023 15:56:55 GMT https://community.cisco.com/t5/network-access-control/ise-authentication-based-on-the-client-ip/m-p/4782142#M580071 ahollifield 2023-02-24T15:56:55Z https://community.cisco.com/t5/network-access-control/ise-authentication-based-on-the-client-ip/m-p/4782195#M580072 <P>Thanks Hollifield. I will give it a try today and let you know how it goes.&nbsp;</P><P>I guess we could create an AD account for that. I might be just too lazy to engage the AD team for that haha... This is for a probe to monitor the webtop. I have created a static NAT for the probe to always be behind the public IP and no other users will be behind the same IP.</P><P>We need the probe because we ran into an issue that the webtop would lose all its shortcuts from time to time. Cisco can't help us because the version we are on is too old and the new version doesn't support the webtop (or something similar). Therefore, I need to figure out a way to log in the webtop and monitor the shortcuts and generate alerts when they are gone.&nbsp;</P> Fri, 24 Feb 2023 17:16:17 GMT https://community.cisco.com/t5/network-access-control/ise-authentication-based-on-the-client-ip/m-p/4782195#M580072 Difan_Zhao 2023-02-24T17:16:17Z https://community.cisco.com/t5/network-access-control/ise-authentication-based-on-the-client-ip/m-p/4782283#M580078 <P>The tunnel-endpoint one didn't work... reviewed the radius log and it doesn't match my connection. the calling station ID one works fine though. I think I will stick to that. Thanks!</P> Fri, 24 Feb 2023 20:32:09 GMT https://community.cisco.com/t5/network-access-control/ise-authentication-based-on-the-client-ip/m-p/4782283#M580078 Difan_Zhao 2023-02-24T20:32:09Z