2064 Views | 0 Helpful | 5 Replies

ISE limit vpn access by client source ip

judiljak (Level 1)

Hello,
Is it possible to use the client IP address to limit VPN access,
i.e. write an authorization policy which would use Cisco-AVPair = "ip:source-ip=ip.add.re.ss"
or Calling-Station-ID to match against a defined subnet?
As per the documentation both are of type string and I am not sure how to write these rules,
or whether it is even possible.
https://community.cisco.com/t5/security-documents/ise-network-access-attributes/ta-p/3616253
cisco-av-pair (1): The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string.

Calling-Station-ID | 31 | string | 1.0 | Authentication
This Attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology. It is only used in Access-Request packets.

For sure we can debate on whether this would be an optimal solution, but I'd still like to get an answer.
Thnx

5 Replies

jj27 (Spotlight)

I assume your VPN client is AnyConnect? It should send over the source IP as you described as an av-pair attribute.

I just tested this use-case in my lab and it was successful. The policy looks like this: [image: VPN-by-source-IP.png]

Attributes sent are:

[image: av-pair.png]

Thnx, but
maybe I wasn't that clear or overlooked your answer somehow.
Anyway, the ASA (VPN gateway) is indeed sending those attributes; that is not in question.
What's puzzling me is how I can match the src IP to a known subnet, say a /21.
Obviously it is impossible to write rules with all those IP addresses and use the
EQ string operator.
Probably one would need to cast it to an address type and somehow match whether it belongs to
a subnet.


Hi

You can specify the subnet you want to match in an Endstation Network Condition under Policy > Policy Elements > Conditions > Network Conditions.


I've used this method in the past as a Policy condition - not sure if Endstation Network Conditions can be used as an Authorization condition.


hth
Andy

You could probably match using a RegEx in the condition. What is the subnet you are trying to match on?
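Added example (not code from any poster in this thread): since the attribute arrives as a string, one way to match a whole prefix such as the /21 asked about is to generate an anchored regular expression for the CIDR and use it with a regex-match operator in the ISE condition. The script below builds that regex, extracts the address from the "ip:source-ip=..." av-pair string, and cross-checks the regex against Python's ipaddress module over a scan range so the pattern can be trusted before it goes into policy. The subnet and av-pair values used in the checks are constructed, not taken from the thread.

```python
import ipaddress
import re

def _same_len(a, b):
    """Regex alternatives matching the decimal strings a..b (same digit count)."""
    if a == b or len(a) == 1:
        return [a if a == b else f"[{a}-{b}]"]
    if a[0] == b[0]:
        return [a[0] + r for r in _same_len(a[1:], b[1:])]
    tail, out, lo_first, hi_first = len(a) - 1, [], a[0], b[0]
    if a[1:] != "0" * tail:  # partial block at the bottom, e.g. 105..199
        out += [a[0] + r for r in _same_len(a[1:], "9" * tail)]
        lo_first = str(int(a[0]) + 1)
    if b[1:] != "9" * tail:  # partial block at the top, e.g. 200..230
        hi_first = str(int(b[0]) - 1)
    if int(lo_first) <= int(hi_first):  # full blocks in between
        first = lo_first if lo_first == hi_first else f"[{lo_first}-{hi_first}]"
        out.append(first + "[0-9]" * tail)
    if b[1:] != "9" * tail:
        out += [b[0] + r for r in _same_len("0" * tail, b[1:])]
    return out

def octet_regex(lo, hi):
    """Regex for one octet whose value is in lo..hi; split by digit count first."""
    alts = []
    for digits in (1, 2, 3):
        a, b = max(lo, 0 if digits == 1 else 10 ** (digits - 1)), min(hi, 10 ** digits - 1)
        if a <= b:
            alts += _same_len(str(a), str(b))
    return alts[0] if len(alts) == 1 else "(?:" + "|".join(alts) + ")"

def cidr_regex(cidr):
    """Anchored regex that matches exactly the dotted-quad addresses inside cidr."""
    net = ipaddress.ip_network(cidr, strict=False)
    lo, hi = net.network_address.packed, net.broadcast_address.packed
    return "^" + r"\.".join(octet_regex(l, h) for l, h in zip(lo, hi)) + "$"

def source_ip_from_avpair(avpair):
    """Pull the address out of the 'ip:source-ip=<addr>' Cisco-AVPair string."""
    m = re.fullmatch(r"ip:source-ip=(\d{1,3}(?:\.\d{1,3}){3})", avpair.strip())
    return m.group(1) if m else None

def in_subnet(addr, cidr):  # reference verdict from ipaddress; the regex must agree
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def regex_agrees(cidr, scan_cidr):
    """Cross-check the generated regex against in_subnet() for every address in scan_cidr."""
    pat = re.compile(cidr_regex(cidr))
    return all(bool(pat.match(str(a))) == in_subnet(str(a), cidr)
               for a in ipaddress.ip_network(scan_cidr, strict=False))
```

For a constructed prefix of 10.1.8.0/21, cidr_regex() yields a pattern whose third octet is (?:[8-9]|1[0-5]), which is what would be pasted into the condition; run regex_agrees() over a wider range first, because a hand-written pattern for a prefix that is not octet-aligned is easy to get wrong.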

Mike.Cifelli (VIP Alumni)

As a reference you can utilize the detailed radius live logs to determine the type of string you would need to apply in your condition. For example, you can find the calling-station-id in the detailed log under the authentication section on the left side. This will either be an IP or if using mab you will see the client mac in a hyphen-hex format of AA-AA-AA-AA-AA-AA.

Not to debate with you, but there are definitely better ways of limiting vpn access via other condition types. I think the issue with using the calling station id is that remote users are probably obtaining an ip address dynamically on whatever wireless connection they have meaning that it will always change and could become an admin nightmare. Unless you know that the IP is never changing. However, keep in mind I know nothing about your setup such as whether or not it is clientless, or client vpn etc. etc. Good luck & HTH!