Allow/Deny Clients based on Public IP/Location they are using in Cisco SSL VPN using ISE as Radius

misinsuan2229
Level 1

Is there a function in ISE that I can create conditions with to allow/deny clients connecting to AnyConnect based on their IP?

For example, I want to block a certain IP range from being allowed to connect to our AnyConnect VPN, using ISE as our RADIUS server.

3 Replies

Mike.Cifelli
VIP Alumni

removed after re-reading topic

Hi,

You can create an inbound ACL and attach it to the ASA outside interface, denying the IP ranges you want to destination any, eq tcp and udp 443.

Try this and give us feedback; it may not work, because normally you need to enable the below option:

bypass interface access-list for inbound VPN sessions (in ASDM)

sysopt connection permit-vpn (via CLI).

Please vote if helpful

Hi,
You could use the RADIUS value "Calling-Station-ID" in an ISE Authorization rule to permit/deny access.

As previously suggested, you could also create an ACL on the ASA; this must be bound to the outside interface with the option control-plane appended. This is not the same ACL you would use for controlling traffic through the ASA.

E.g.:

access-group ALL_EXCEPT in interface OUTSIDE control-plane

HTH
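A fuller version of the control-plane ACL approach from the reply above, added here as an example and not taken from the thread. It reuses the ACL name ALL_EXCEPT and interface name OUTSIDE that the reply mentions; the denied range 203.0.113.0/24 and the object name DENIED_VPN_SOURCES are constructed placeholders, and the ports are the TCP/UDP 443 that the earlier reply names for the SSL/DTLS listener.

```cisco
! Added example, not from the original thread.
! Constructed placeholder: the public range that must not reach the VPN listener.
object network DENIED_VPN_SOURCES
 subnet 203.0.113.0 255.255.255.0
!
! Deny the range to the SSL (TCP 443) and DTLS (UDP 443) listeners, permit all other
! to-the-box traffic so management and the remaining VPN clients are unaffected.
access-list ALL_EXCEPT extended deny tcp object DENIED_VPN_SOURCES any eq 443
access-list ALL_EXCEPT extended deny udp object DENIED_VPN_SOURCES any eq 443
access-list ALL_EXCEPT extended permit ip any any
!
! The control-plane keyword binds the ACL to traffic destined to the ASA itself,
! which is where the AnyConnect listener lives.
access-group ALL_EXCEPT in interface OUTSIDE control-plane
!
! Verification: the deny entries should accumulate hit counts when a host in the
! range attempts to connect, and the access-group line should show control-plane.
show access-list ALL_EXCEPT
show running-config access-group
```

Because a control-plane ACL filters traffic addressed to the ASA rather than traffic passing through it, it is not affected by sysopt connection permit-vpn, which only exempts decrypted VPN traffic from the through-the-box interface ACL. Keep the final permit ip any any, or the ACL will also block every other connection to the interface, including management.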