Cisco ISE with Microsoft Always on

Is there any way we can have ISE integrate with an always-on VPN? Here is what I have in mind:

User John is part of HR; when he connects to the VPN he will get an IP from 10.10.x.x.

User Bob is part of IT; he will get an IP from 10.10.y.y.

The main reason I need this is so we can use SGT-to-IP mapping to enforce policies for users connected to the VPN.


5 Replies

Arne Bier (VIP Advisor)

I don't know much about Microsoft Always On VPN, but on ISE you can define custom attributes per user. E.g. users can be created in ISE with an additional attribute called, say, VPN_addr of type IP Address. Then when you add local ISE users, e.g. John, you assign that user an IP address 10.10.x.x. When that user authenticates via VPN (through ISE) and is successfully authenticated and authorized, ISE automatically returns that VPN_addr in the final Access-Accept, which you need to map to the respective RADIUS attribute that the VPN NAS understands, e.g. Framed-IP-Address.

 

Is that what you're asking?

 

BTW, you don't need to use ISE internal user accounts: you can add IP addresses into AD user accounts, or LDAP etc., and then have ISE retrieve them during authorization.

Thank you for your reply. In this case, what will be the DHCP server? ISE itself, or can I have a Windows server?

If I understand your solution, ISE will send an Access-Accept with another RADIUS attribute called VPN_addr. Now how will DHCP break those out, like VPN_Addr and HR for example?

I don't want flat policies for all my VPN users; I want HR to get TAG = 4, IT to get TAG = 10, etc.

thomas (Cisco Employee)

If ISE is performing the authentication of your users, you may assign an SGT in an authorization rule.

If you are doing pxGrid, it will then share that IP-to-SGT mapping for enforcement by your firewall elsewhere in the network.

 

So this is a kind of dynamic IP-to-SGT learning? So user Jon connects to the VPN, Always On will use Cisco ISE as the NPS, then ISE will authenticate and learn the user's IP address, then assign an SGT in the authorization rule.

We are enforcing at the access level, so on the switches. The switches are SXP peering with ISE.

Accepted Solution

If ISE is your AAA/RADIUS server for your VPN users, you assign an SGT for group-based policy enforcement by your VPN. This happens as part of the Authorization Policy with the RADIUS Access-Accept and authorization attributes.

If you have pxGrid configured, ISE will share the IP-to-SGT mapping (IP learned from the VPN by RADIUS accounting and SGT from the authorization profile) to the pxGrid-registered SXP peers.

See the User to DC Access Control Design Guide for the general design and process.
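The following is an added illustration of the flow described in the two answers above (Arne's optional per-user Framed-IP-Address, and the accepted solution's SGT-in-authorization plus IP learned from accounting and published to SXP peers). It is not ISE or Cisco code and not from any poster; the group names, SGT values, session IDs, sample IPs and the switch policy matrix are all assumptions made up for the example. The only real detail it relies on is the cisco-av-pair syntax `cts:security-group-tag=<sgt hex>-<generation hex>` that ISE returns in the Access-Accept.

```python
"""Added illustration (not Cisco/ISE code): ISE as RADIUS for the VPN ->
SGT assigned at authorization -> IP learned from accounting -> IP-to-SGT
binding published to the SXP-peered switch -> switch enforcement.
Assumptions: GROUP_TO_SGT, POLICY, session IDs and IPs are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional

# Assumed ISE authorization rules, evaluated top-down: AD group -> SGT.
GROUP_TO_SGT = {"HR": 4, "IT": 10}
UNKNOWN_SGT = 0  # an IP with no binding is treated as SGT 0 (Unknown)

# Assumed TrustSec policy matrix on the access switch:
# (source SGT, destination SGT) -> permit. Unlisted cells deny (assumed default).
POLICY = {(4, 20): True, (10, 20): True, (10, 30): True, (4, 30): False}


def sgt_avpair(sgt: int, generation: int = 0) -> str:
    """cisco-av-pair value carried in the Access-Accept: SGT and generation ID in hex."""
    return f"cts:security-group-tag={sgt:04x}-{generation:02x}"


def authorize(username: str, groups: set, vpn_addr: Optional[str] = None):
    """Evaluate the assumed authorization rules; return (sgt, Access-Accept attributes).
    vpn_addr models Arne's per-user attribute mapped onto Framed-IP-Address (optional)."""
    for group, sgt in GROUP_TO_SGT.items():  # first match wins, like ISE rule order
        if group in groups:
            attrs = {"User-Name": username, "cisco-av-pair": [sgt_avpair(sgt)]}
            if vpn_addr:
                attrs["Framed-IP-Address"] = str(ip_address(vpn_addr))
            return sgt, attrs
    raise PermissionError(f"no authorization rule matched {username}: Access-Reject")


@dataclass
class IseSessionStore:
    """Minimal model of what ISE tracks: the SGT per session, and the IP-to-SGT
    table it publishes to pxGrid/SXP peers (the access switches in the thread)."""
    sessions: dict = field(default_factory=dict)   # session id -> SGT
    ip_to_sgt: dict = field(default_factory=dict)  # published bindings: ip -> SGT

    def access_accept(self, session_id: str, username: str, groups: set,
                      vpn_addr: Optional[str] = None) -> dict:
        sgt, attrs = authorize(username, groups, vpn_addr)
        self.sessions[session_id] = sgt
        return attrs

    def accounting(self, session_id: str, acct_status: str, framed_ip: str) -> dict:
        """RADIUS accounting from the VPN headend. The client IP is only learned
        here, so accounting must be enabled on the NAS or no binding ever exists."""
        if session_id not in self.sessions:
            raise KeyError(f"accounting for unknown session {session_id}")
        ip = str(ip_address(framed_ip))
        if acct_status in ("Start", "Interim-Update"):
            self.ip_to_sgt[ip] = self.sessions[session_id]
        elif acct_status == "Stop":  # tear down so a reused IP does not keep the old tag
            self.ip_to_sgt.pop(ip, None)
            del self.sessions[session_id]
        else:
            raise ValueError(f"unsupported Acct-Status-Type {acct_status}")
        return dict(self.ip_to_sgt)


def switch_permit(bindings: dict, src_ip: str, dst_sgt: int) -> bool:
    """Enforcement on the SXP-peered switch: resolve the source IP to its SGT
    through the learned bindings, then consult the policy matrix."""
    src_sgt = bindings.get(str(ip_address(src_ip)), UNKNOWN_SGT)
    return POLICY.get((src_sgt, dst_sgt), False)


if __name__ == "__main__":
    ise = IseSessionStore()
    print(ise.access_accept("sess-1", "john", {"HR"}))   # HR -> SGT 4 in the av-pair
    print(switch_permit(ise.ip_to_sgt, "10.10.1.5", 20))  # False: no accounting yet
    ise.accounting("sess-1", "Start", "10.10.1.5")
    print(switch_permit(ise.ip_to_sgt, "10.10.1.5", 20))  # True once the binding exists
    ise.accounting("sess-1", "Stop", "10.10.1.5")
    print(ise.ip_to_sgt)                                  # binding removed
```

The point the model makes explicit is the ordering: the SGT is decided at Access-Accept, but the switch can only enforce on it after an accounting Start (or Interim-Update) carrying Framed-IP-Address reaches ISE, and the binding must be withdrawn on accounting Stop so a recycled VPN pool address does not inherit a previous user's tag. The Framed-IP-Address returned by `authorize` is independent of the SGT path; with the accepted solution the address can equally come from a plain pool on the VPN headend, so no per-group subnet split is needed.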
