Location based authorization

wileong
Cisco Employee

Hi there,

A customer has a requirement to return a different AUTHZ policy in ISE based on location from ASA remote VPN.

What is the best way to achieve this?

Thanks

Wing Churn

Accepted Solution

hslai
Cisco Employee

In case the location is that of an ASA headend, then we may set the NAD to a specific location in ISE configuration and use that info for authorization.

In case the location is the geo-location of a remote access VPN session, we may use the calling-station-ID RADIUS attribute as conditions. ISE does not currently support performing a lookup for geo-location info of a remote access client, so the conditions would likely need to be set explicitly.

Additionally...

Marvin Rhoads mentioned a solution using IPS -- The new model ASA (5500-X - Cisco Community

Karsten Iwen suggested using DAP -- Re: Can CISCO ASA locate anyconnect geo... - Cisco Community

wileong
Cisco Employee

Hi Hsing,

Thanks for the tip, and a follow-up question on the suggestion. Does calling-station-ID appear in ISE as the private IP of the AnyConnect client's real IP, or as the egress IP of the client?

Thanks

Wing Churn

It should be the client's physical NIC IP (or MAC address?) since the VPN connection is not complete and the tunnel IP would not have been assigned.

hslai
Cisco Employee

It's the external gateway IP address, usually the one from the ISP, that is used to contact the RA-VPN head-end.

For example, in [ client -- home router -- Internet -- RA-VPN ], the internet facing IP address of the home router.
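To make the two options from the accepted answer concrete, here is an added example, constructed for this thread and not ISE's own code, data model or API: a first-match authorization evaluator with one rule keyed on the NAD's configured Location and others keyed on explicit Calling-Station-ID networks, treating the attribute as the client's Internet-facing egress IP as described above. Rule names, profile names, locations and address ranges are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

# Addresses that cannot be a client's Internet-facing egress IP (RFC 1918, loopback, link-local).
NON_EGRESS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed, simplified model of ISE-style first-match authorization rules
# (hypothetical; not ISE's own data model or API).
@dataclass
class AuthzRule:
    name: str
    profile: str                       # authorization profile returned on a match
    nad_locations: set = field(default_factory=set)           # NAD's configured Location
    calling_station_nets: list = field(default_factory=list)  # explicit IP networks

def parse_calling_station_id(value):
    """Return the Calling-Station-ID as an IP address, or None if it is not one.
    For ASA remote-access VPN this attribute carries the client's Internet-facing
    address (e.g. the home router's WAN IP), not the tunnel IP assigned later.
    Wired/wireless sessions send a MAC here instead, unusable for IP conditions."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None

def evaluate(rules, nad_location, calling_station_id, default="DenyAccess"):
    """Walk the rules top-down and return the profile of the first match."""
    addr = parse_calling_station_id(calling_station_id)
    for rule in rules:
        loc_ok = not rule.nad_locations or nad_location in rule.nad_locations
        if rule.calling_station_nets:
            # A private/tunnel-style address is not the egress IP the headend sees,
            # so it never satisfies an explicit network condition.
            net_ok = (addr is not None and not any(addr in n for n in NON_EGRESS)
                      and any(addr in net for net in rule.calling_station_nets))
        else:
            net_ok = True
        if loc_ok and net_ok:
            return rule.profile
    return default

# Constructed sample policy: headend-location rule first, then explicit egress ranges.
RULES = [
    AuthzRule("HQ headend", "Full_Access", nad_locations={"HQ"}),
    AuthzRule("Branch headend from office egress", "Branch_Access",
              nad_locations={"Branch-ASA"},
              calling_station_nets=[ipaddress.ip_network("198.51.100.0/24")]),
    AuthzRule("Any headend from partner egress", "Partner_Access",
              calling_station_nets=[ipaddress.ip_network("203.0.113.0/24")]),
]
```

A session from the branch ASA whose Calling-Station-ID is a private address (or a MAC) falls through to the default profile, which is the behaviour to expect when the attribute is not the public egress IP.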
