Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
357
Views
0
Helpful
1
Replies

ISE 1.4 - Device Administration - How doing authorization based on user machine IP address (Specify IP address allow to manage device)

josedunet
Level 1
Level 1

‎10-23-2016 07:51 AM - edited ‎03-11-2019 12:10 AM

Hi All

I am using ISE 1.4 for device administration authentication & authorization. So know when network administrator want to connect to switch and router for administration, they are authenticate and authorize by ISE Radius.

My question is how to given authorization based on IP address of network administrator machine. Specify in authorization IP address allow to connect to device for administration. I don' know how or where specify it. Someone can help me please ?

Thanks in advance.

Labels:
0 Helpful
1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-23-2016 11:32 AM

I haven't tried it but you may be able to use the dictionary attribute from RADIUS of "Framed IP address" in a policy element that you call out in your Authentication phase as a prerequisite to the resultant Authorization profile which gives shell access at the appropriate privilege level. 

Here's a handy list of all the RADIUS dictionary elements available to ISE:

https://communities.cisco.com/docs/DOC-67894

Much more common would be to just check the user identity in ISE. That way an authorized administrator can perform their job role no matter what machine they are on (and an unauthorized user cannot usurp the admin role by virtue of being on a certain machine).

Whether or not you do that, you can still restrict the source IP quite simply by using an access-list that you apply to the vty lines. That is perhaps one of the most common ways to restrict what hosts or networks are allowed to access devices in-band.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents