Contributor

Using endpoint IP address as an AuthZ condition

I am looking for a way to use the IP address of the endpoint in an AuthZ policy.  I could use Radius-Framed-IP-Address, but the only option is "Equals" or "Not Equal To" and does not give me things like "Starts with".  Network Access - Device IP Address has the same issue.

How would we go about using the endpoint address in a policy?  The particular use case is around internal vs external VPN connections and using the source address as the way to determine the origin of the VPN connection.

Any guidance is appreciated.

Thanks!

Bob

3 REPLIES
Cisco Employee

Re: Using endpoint IP address as an AuthZ condition

Robert, it is not possible with the current condition set on ISE as you described. Have you looked into whether the ASA can define different profiles or VLANs based on the source IP address?

Hosuk

Contributor

Re: Using endpoint IP address as an AuthZ condition

Hi Bob, have you considered using tunnel groups on the ASA for this use case instead of the IP address?  That way you can match on Tunnel-Group-Name in the AuthZ policy to provide differentiated results.

Sample:

George

Cisco Employee

Re: Using endpoint IP address as an AuthZ condition

The public IP address of the client is sent by the ASA in the Calling-Station-ID attribute. You will be able to use all the normal operands on that in ISE.

Framed-IP-Address stores the assigned IP address from the VPN pool.
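As an added example (not code from the thread, ISE or Cisco), the policy logic of the last reply modelled in Python: the VPN session is classified as internal or external from Calling-Station-ID, which carries the client's real source address, while Framed-IP-Address (the pool address) is deliberately not consulted. The internal prefix list and the sample RADIUS attribute sets are constructed.

```python
import ipaddress

# Constructed for this example: source ranges treated as "internal" VPN origins.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]


def classify_vpn_origin(radius_attrs: dict) -> str:
    """Return 'internal', 'external' or 'unknown' for one VPN session.

    Only Calling-Station-ID is used: the ASA fills it with the client's
    public/source address. Framed-IP-Address is ignored because it holds
    the address handed out from the VPN pool, which says nothing about
    where the connection came from.
    """
    raw = radius_attrs.get("Calling-Station-ID")
    if not raw:
        return "unknown"
    try:
        src = ipaddress.ip_address(raw)
    except ValueError:
        # Wired/wireless sessions carry a MAC address here, not an IP.
        return "unknown"
    return "internal" if any(src in net for net in INTERNAL_PREFIXES) else "external"


def starts_with_condition(radius_attrs: dict, attr: str, prefix: str) -> bool:
    """Model of an ISE 'Starts with' string condition on a RADIUS attribute."""
    return radius_attrs.get(attr, "").startswith(prefix)


# Constructed sample sessions (attribute names as ISE shows them).
SESSIONS = {
    "corp-lan": {"Calling-Station-ID": "10.20.30.40", "Framed-IP-Address": "172.16.5.10"},
    "home": {"Calling-Station-ID": "203.0.113.25", "Framed-IP-Address": "172.16.5.11"},
    "wired": {"Calling-Station-ID": "00-11-22-33-44-55"},
}

if __name__ == "__main__":
    for name, attrs in SESSIONS.items():
        print(f"{name}: {classify_vpn_origin(attrs)}")
```

A plain string "Starts with 10.1" condition also matches 10.10.x.x and 10.100.x.x; end the prefix with a dot or, as above, compare against a network so the boundary is an octet, not a character.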