12-16-2018 02:51 PM - last edited on 12-16-2018 03:10 PM by hslai
Hi there,
A customer has a requirement to return a different AUTHZ policy in ISE based on location for ASA remote VPN.
What is the best way to achieve this?
Thanks
Wing Churn
12-16-2018 03:33 PM
In case the location is that of an ASA headend, then we may set the NAD to a specific location in ISE configuration and use that info for authorization.
In case the location is the geo-location of a remote access VPN session, we may use the calling-station-ID RADIUS attribute as conditions. ISE does not currently support performing a lookup of geo-location info for a remote access client, so the conditions would likely need to be set explicitly.
Additionally...
Marvin Rhoads mentioned a solution using IPS -- The new model ASA (5500-X - Cisco Community
Karsten Iwen suggested using DAP -- Re: Can CISCO ASA locate anyconnect geo... - Cisco Community
12-19-2018 12:09 AM
Hi Hsing,
Thanks for the tip, follow-up question on the suggestion. Does calling-station-ID appear in ISE as the private IP of the real AnyConnect client, or as the egress IP of the client?
Thanks
Wing Churn
12-21-2018 04:38 PM - edited 12-21-2018 04:41 PM
It's the external gateway IP address, usually the one from the ISP, that is used to contact the RA-VPN head-end.
For example, in [ client -- home router -- Internet -- RA-VPN ], the internet facing IP address of the home router.
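Added example, not from this thread or from Cisco: an offline model of the authorization logic the two answers describe, evaluating a NAD location (from the headend's NAS-IP-Address) and the Calling-Station-Id (the Internet-facing address of the client's home router) against an ordered rule table. The NAD addresses, locations, IP ranges and sample requests are constructed from RFC 5737 documentation ranges.

```python
# Added example (not from the thread): ISE-style authorization conditions
# evaluated on the RADIUS attributes an ASA RA-VPN headend would send.
# All NAD addresses, location names, ranges and requests are constructed.
import ipaddress

# Constructed mapping of headend (NAD) RADIUS source IPs to ISE location groups.
NAD_LOCATIONS = {
    "198.51.100.10": "HQ",
    "198.51.100.20": "Branch",
}

# Constructed rule table, matched top-down like an ISE policy set:
# (rule name, required NAD location or None, permitted egress ranges or None, profile)
RULES = [
    ("VPN-HQ-Corp-Egress", "HQ", ["203.0.113.0/24"], "PermitFull"),
    ("VPN-HQ-Other", "HQ", None, "PermitRestricted"),
    ("VPN-Branch", "Branch", None, "PermitRestricted"),
]
DEFAULT_RULE = ("Default", "DenyAccess")


def authorize(attrs):
    """Return (rule name, profile) for a dict of RADIUS Access-Request attributes.

    NAS-IP-Address identifies the ASA headend and is mapped to a location.
    Calling-Station-Id carries the public address the tunnel was built from
    (the home router's WAN side), never the client's private LAN address, so
    ranges in RULES must be written for egress addresses.
    """
    location = NAD_LOCATIONS.get(attrs.get("NAS-IP-Address"))
    try:
        egress = ipaddress.ip_address(attrs.get("Calling-Station-Id", ""))
    except ValueError:
        # Malformed or missing attribute: fall through to the default rule.
        return DEFAULT_RULE
    for name, loc, ranges, profile in RULES:
        if loc is not None and loc != location:
            continue
        if ranges is not None and not any(
            egress in ipaddress.ip_network(r) for r in ranges
        ):
            continue
        return (name, profile)
    return DEFAULT_RULE
```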