12-04-2020 11:23 AM
Is there any way we can have ISE integrate with an always-on VPN? Here is what I have in mind:
User John is part of HR; when he connects to the VPN he will get an IP from 10.10.x.x.
User Bob is part of IT; he will get an IP from 10.10.y.y.
The main reason I need this is so we can use SGT-to-IP mapping to enforce policies for users connected to the VPN.
12-15-2020 02:04 PM
If ISE is your AAA/RADIUS server for your VPN users, you assign an SGT for group-based policy enforcement by your VPN. This happens as part of the Authorization Policy with the RADIUS Access-Accept and authorization attributes.
If you have pxGrid configured, ISE will share the IP-to-SGT mapping (IP learned from VPN by RADIUS accounting and SGT from authorization profile) to the pxGrid-registered SXP peers.
See User to DC Access Control Design Guide for the general design and process.
12-14-2020 01:44 PM
I don't know much about Microsoft Always On VPN, but on ISE you can define custom attributes per user - e.g. users can be created in ISE with an additional attribute called, say, VPN_addr of type IP Address. And then when you add local ISE users, e.g. John, you assign that user an IP address 10.10.x.x - when that user authenticates via VPN (through ISE) and is successfully authenticated and authorized, ISE automatically returns that VPN_addr in the final Access-Accept, which you need to map to the respective RADIUS attribute that the VPN NAS understands - e.g. Framed-IP-Address.
Is that what you're asking?
BTW, you don't need to use ISE internal user accounts - you can add IP addresses into AD user accounts, or LDAP etc and then have ISE retrieve them during authorization.
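The two flows described in this thread (SGT assigned in the authorization rule, IP learned from RADIUS accounting, and the per-user Framed-IP-Address idea above) as one added simulation; this is example code written for this thread, not ISE's or Microsoft's code. The group names, tag values, user attribute VPN_addr and addresses are all constructed sample data.

```python
from typing import Optional

# Constructed sample data: which group gets which SGT ("HR gets tag 4, IT gets tag 10").
GROUP_TO_SGT = {"HR": 4, "IT": 10}
# Constructed sample data: user -> group, and the optional per-user VPN_addr attribute
# (hypothetical attribute name, as suggested in the answer above).
USER_GROUP = {"john": "HR", "bob": "IT"}
USER_VPN_ADDR = {"john": "10.10.1.10", "bob": "10.10.2.10"}


def authorize(username: str) -> Optional[dict]:
    """Authorization rule: return the Access-Accept attributes for a known user,
    or None to represent an Access-Reject."""
    group = USER_GROUP.get(username)
    if group is None:
        return None
    attrs = {"SGT": GROUP_TO_SGT[group]}          # group-based tag from the authz rule
    if username in USER_VPN_ADDR:                  # map VPN_addr -> Framed-IP-Address
        attrs["Framed-IP-Address"] = USER_VPN_ADDR[username]
    return attrs


class IpSgtBindings:
    """IP-to-SGT table built from RADIUS accounting, keyed by Acct-Session-Id so that
    a Stop removes exactly the binding its Start created (what an SXP peer would learn)."""

    def __init__(self) -> None:
        self.sessions: dict[str, tuple[str, int]] = {}

    def accounting(self, status: str, session_id: str, username: str, framed_ip: str) -> None:
        if status == "Stop":
            self.sessions.pop(session_id, None)   # session ended: drop the binding
            return
        if status not in ("Start", "Interim-Update"):
            return                                 # ignore unknown Acct-Status-Type values
        accept = authorize(username)
        if accept is None:
            return                                 # no authz result, nothing to bind
        # The bound IP is the one reported by the VPN NAS in accounting, not the one
        # ISE handed out, because that is the address actually in use on the tunnel.
        self.sessions[session_id] = (framed_ip, accept["SGT"])

    def ip_to_sgt(self) -> dict[str, int]:
        return {ip: sgt for ip, sgt in self.sessions.values()}
```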
12-15-2020 06:30 AM
Thank you for your reply. In this case, what will be the DHCP? ISE itself, or can I have a Windows server?
If I understand your solution, ISE will send an Access-Accept with another RADIUS attribute called VPN_addr. Now how will DHCP break those out, like VPN_addr and HR for example?
I don't want flat policies for all my VPN users; I want something like HR gets TAG = 4, IT gets TAG = 10, etc.
12-14-2020 06:05 PM
If ISE is performing the authentication of your users, you may assign an SGT in an authorization rule.
If you are doing pxGrid, it will then share that IP-to-SGT mapping for enforcement by your firewall elsewhere in the network.
12-15-2020 06:33 AM
So with this kind of dynamic IP-to-SGT learning, user Jon connects to the VPN, Always On will use Cisco ISE as the NPS, then ISE will authenticate and learn the user's IP address and assign an SGT in the authorization rule?
We are enforcing at the access level, so on the switches; the switches are SXP peering with ISE.