01-11-2016 09:14 PM - edited 03-10-2019 11:23 PM
Hi Guys,
Good Day!
May I ask if it is possible in ISE 1.4 for me to configure an authorization profile to check if User1 tries to connect to a specific tunnel-group which is configured in the ASA?
Thank you and have a nice day!
Cheers
01-11-2016 09:19 PM
You need to use the Tunnel Group Lock option. Take a look at this post.
https://supportforums.cisco.com/discussion/11402831/connection-profile-tunnel-group-lock
01-11-2016 09:23 PM
Hi Philip,
Good Day!
Just to clarify, I will use this attribute as the condition in my authorization rule in ISE, right?
Thanks
01-11-2016 10:33 PM
I don't know. My guess is yes. I have only used this with other products. I just know the ASA needs to receive it.
01-12-2016 02:21 AM
Visit ISE Policy > Policy Elements > Conditions. In the condition, inside advanced attributes, select an attribute: "Cisco-VPN3000:Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Lock" Equals <tunnel-group-name>. Once done, call this condition in the authorization rule and give appropriate permissions. Make sure this attribute or something similar like "Tunnel-group-name" is coming in the RADIUS request.
Regards,
Jatin
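To confirm that the tunnel-group attribute really arrives in the RADIUS request, as the last reply advises, the following added example (not part of the thread and not Cisco code) parses a raw Access-Request and extracts the Cisco-VPN3000 vendor-specific attributes. It assumes vendor ID 3076 with sub-attribute 146 for Tunnel-Group-Name and 85 for Tunnel-Group-Lock, which should be checked against the dictionary in your ISE; the sample packet and the group name `VPN-EMPLOYEES` are constructed.

```python
import struct

VENDOR_CISCO_VPN3000 = 3076  # assumed Cisco-VPN3000 vendor ID; verify in the ISE dictionary
TUNNEL_GROUP_NAME = 146      # assumed: sent by the ASA in the Access-Request
TUNNEL_GROUP_LOCK = 85       # assumed: the attribute named in the condition above

def vpn3000_vsas(packet: bytes) -> dict:
    """Return {vendor_type: value} for Cisco-VPN3000 VSAs in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != 26 or len(value) < 6:  # 26 = Vendor-Specific
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_CISCO_VPN3000:
            continue
        sub = 4  # walk the vendor sub-attributes after the vendor ID
        while sub + 2 <= len(value):
            vtype, vlen = value[sub], value[sub + 1]
            if vlen < 2 or sub + vlen > len(value):
                raise ValueError("malformed vendor sub-attribute")
            found[vtype] = value[sub + 2:sub + vlen]
            sub += vlen
    return found

def tunnel_group_in_request(packet: bytes):
    """Tunnel-group name carried in the request, or None if the VSA is absent."""
    name = vpn3000_vsas(packet).get(TUNNEL_GROUP_NAME)
    return name.decode("ascii", "replace") if name is not None else None

def _attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value

def build_sample(group):
    """Constructed Access-Request: User-Name plus an optional Tunnel-Group-Name VSA."""
    attrs = _attr(1, b"User1")
    if group is not None:
        vsa = struct.pack("!I", VENDOR_CISCO_VPN3000) + _attr(TUNNEL_GROUP_NAME, group)
        attrs += _attr(26, vsa)
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs
```

If `tunnel_group_in_request` returns `None` for a captured request, an authorization condition on the tunnel-group value has nothing to match against.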