Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
676
Views
7
Helpful
3
Replies

ISE authentication based on the client IP

Go to solution
Difan_Zhao
Level 1
Level 1

‎02-23-2023 02:03 PM

Need some advice. We use ISE for authentication for the Cisco anyconnect VPN. The default authentication is to use a Identity store that uses Windows AD for authentication. I want to add an authentication policy based on the client IP address so if the client connecting the VPN has the IP 1.1.1.1, I would do local authentication with a local stored credential. 

I checked my radius log and I see that the client IP is in the following fields

  • Endpoint Id
  • Calling Station Id
  • Tunnel-Client-Endpoint

Which one should I use for the condition for the authentication policy? In the condition search, I can't find the first two. The only one I can find is the Tunnel-Client-Endpoint. Should I be using that one? Does my config below look correct? Thanks!

Difan_Zhao_0-1677189720135.png

Difan_Zhao_1-1677189739419.png

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Difan_Zhao
Level 1
Level 1
In response to ahollifield

‎02-24-2023 12:32 PM

The tunnel-endpoint one didn't work... reviewed the radius log and it doesn't match my connection. the calling station ID one works fine though. I think I will stick to that. Thanks!

View solution in original post

0 Helpful
3 Replies 3

Go to solution
ahollifield
VIP
VIP

‎02-24-2023 07:56 AM

Tunnel-Client-Endpoint should work since that is your RADIUS log.  What is your use-case though?  Why not just create that account within AD?  What happens if the user connecting changes IP addresses or connects from a different location?

Why not use an ID source sequence with AD first and local second?  Then add the necessary Authz rules for the local user?

Go to solution
Difan_Zhao
Level 1
Level 1
In response to ahollifield

‎02-24-2023 09:16 AM

Thanks Hollifield. I will give it a try today and let you know how it goes. 

I guess we could create an AD account for that. I might be just too lazy to engage the AD team for that haha... This is for a probe to monitor the webtop. I have created a static NAT for the probe to always be behind the public IP and no other users will be behind the same IP.

We need the probe because we ran into an issue that the webtop would lose all its shortcuts from time to time. Cisco can't help us because the version we are on is too old and the new version doesn't support the webtop (or something similar). Therefore, I need to figure out a way to log in the webtop and monitor the shortcuts and generate alerts when they are gone. 

Go to solution
Difan_Zhao
Level 1
Level 1
In response to ahollifield

‎02-24-2023 12:32 PM

The tunnel-endpoint one didn't work... reviewed the radius log and it doesn't match my connection. the calling station ID one works fine though. I think I will stick to that. Thanks!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents