
ISE rule match IP-Address

Hi,

I'm trying to enable security at a location without a firewall. So my idea was to use the ISE to match on IPs and push a DACL to that switch.

I'm pretty new to ISE and don't see a way to match on client IPs in the condition area.

Any hint?

Best regards,
Sebastian


Seb Rupik
VIP Alumni

Hi there,

TrustSec is the technology that will allow you to achieve this. It is a big subject, but this document should lead you to some working configuration:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116497-configure-trustsec-00.html

cheers,

Seb.

nspasov
Cisco Employee

I don't believe this is possible. Can't you instead place the NADs (in this case switches) in specific location-based groups/containers and then build the policies/DACLs based on that?

Thank you for rating helpful posts!

As the others have stated, there is probably a better way to do this, but you should be able to use the Radius:Framed-IP-Address attribute in an AuthZ condition.

There may be some caveats where this doesn't work well, like MAB, but for regular dot1x the supplicant should provide this field.