Allow/Deny Clients based on Public IP/Location they are using in Cisco SSL VPN using ISE as Radius
03-27-2019 09:29 PM
Is there a function in ISE that I can create conditions to allow/deny connecting clients to Anyconnect based on their IP?
Example is I want to block certain IP range to be not allowed to connect to our Anyconnect VPN - using ISE as our radius server?
03-28-2019 05:33 AM - edited 03-28-2019 05:48 AM
removed after re-reading topic
03-28-2019 06:24 AM
Hi,
You can create an inbound ACL and attach it to the ASA outside interface denying the IP ranges you want to Dst any eq tcp and udp 443.
Try this and give us feedback; it may not work because normally you need to enable the option below:
bypass interface access-list for inbound VPN sessions (in ASDM)
sysopt connection permit-vpn (via cli).
Please vote if helpful
03-28-2019 09:26 AM
Hi,
You could use the RADIUS value "Calling-Station-ID" in an ISE Authorization rule to permit/deny access.
As previously suggested, you could also create an ACL on the ASA; this must be bound to the outside interface with the option control-plane appended. This is not the same ACL you would use for controlling traffic through the ASA.
E.g.:
access-group ALL_EXCEPT in interface OUTSIDE control-plane
HTH
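The control-plane ACL approach from the reply above, written out as an added example that is not part of the thread: it blocks a constructed sample range, 203.0.113.0/24, from reaching the AnyConnect listener on the outside interface (TCP 443 for SSL, UDP 443 for DTLS) and permits everyone else. The ACL name, the interface name OUTSIDE and the sample range are assumptions.

```cisco
access-list ALL_EXCEPT remark Added example: block a constructed sample range (203.0.113.0/24) from the VPN listener
access-list ALL_EXCEPT extended deny tcp 203.0.113.0 255.255.255.0 any eq 443
access-list ALL_EXCEPT remark DTLS uses UDP 443 by default, so deny that as well
access-list ALL_EXCEPT extended deny udp 203.0.113.0 255.255.255.0 any eq 443
access-list ALL_EXCEPT remark Everyone else may still reach the box
access-list ALL_EXCEPT extended permit ip any any
access-list ALL_EXCEPT remark Bind it as a to-the-box (control-plane) ACL, not as the through-the-box interface ACL
access-group ALL_EXCEPT in interface OUTSIDE control-plane
```

Verify with `show access-list ALL_EXCEPT`: the hit counts on the deny lines should climb when a client in that range attempts to connect. A control-plane ACL filters traffic addressed to the ASA itself (the VPN handshake included), which is separate from the interface ACL that `sysopt connection permit-vpn` bypasses for decrypted tunnel traffic.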
