Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ISE and geo location rules


Is there a way to do location based authorization rules in the ISE. We need that for giving out different authorizations to VPN users based on their location they are connecting from.




Rising star

Are you talking about detecting the location that they are physically in by their public address?, or the company designated location that they are working at ?

The location, based on the public IP they are connecting from.

Off course we can make rules based on the public IP used. But that would mean to maintain the network list by myself. I want to make a rule just on the location. E.g. Country. In the background a database should be queried like Maxminds GeoIP or so.

The ISE doesn't have that capability itself, although other Cisco products have that information. But is there an external authorization store that can be easily queried from the ISE? Has anybody done that before?

Sorry, i don't think there as anything like that in ISE, at least not something that can be done with out of the box products.

Problem with using an external identity store, would be that it's the username thats sent to the store to find attributes (normally AD groups via ad username), the public ip is not in the username field in the incoming radius requests from the VPN headend, so i don't know that would ever work.

I can only see Pxgrid being able to do this, maybe some of the GeoIP services providers integrate with it ?

Actually it's not part of the authentication, rather than of the authorization. There we can do a lookup, independent of the authentication. The ASA gives us the public IP of the VPN client in the "Calling-Station-Id" RADIUS attribute. That one we can lookup as part of the authorization by using LDAP or to an other RADIUS server that supports the "Authorize-Only" service type of RADIUS, like the ISE does.

As you wrote: One way would be to get a pxgrid serivce for that. Unfortunately I don't know of anyone with such information. I had a look into the SDK on DevNet. But they only have examples for the ISE as a "provider" but not as a consumer. Therefore I don't know if the ISE can even poll such information from a pxgrid node at-all.

What i meant was that the public ip address is sent during authentication, now the use of it, is in the authorization policy in ise. However i still don't see how you would do a lookup where the ldap search is using the public ip, the only thing ise sends to ldap when doing searches is the identity, which is the username that was authenticated, and not the ip address, so i don't see how this would work.

Content for Community-Ad