Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
762
Views
0
Helpful
4
Replies

Remote Access VPN with ISE

fatalXerror
Level 5
Level 5

‎01-11-2016 09:14 PM - edited ‎03-10-2019 11:23 PM

Hi Guys,

Good Day!

May I ask if it is possible in ISE 1.4 for me to configure authorization profile to check if User1 tries to connect to a specific tunnel-group which is configured in the ASA?

Thank you and have a nice day!

Cheers

Labels:
0 Helpful
4 Replies 4

Philip D'Ath
VIP Alumni
VIP Alumni

‎01-11-2016 09:19 PM

You need to use the Tunnel Group Lock option. Take a look at this post. 

https://supportforums.cisco.com/discussion/11402831/connection-profile-tunnel-group-lock

0 Helpful

fatalXerror
Level 5
Level 5
In response to Philip D'Ath

‎01-11-2016 09:23 PM

Hi Philip,

Good Day!

Just to clarify, I will used this attribute as the condition in my authorization rule right in ISE?

Thanks

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to fatalXerror

‎01-11-2016 10:33 PM

I don't know.  My guess is yes.  I have only used this with other products.  I just know the ASA needs to receive it.

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee

‎01-12-2016 02:21 AM

Visit ISE policy > policy elements > conditions > In the condition inside advanced attributes select an attribute - "Cisco-VPN3000:Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Lock" Equals <tunnel-group-name>. Once done call this condition in the authorization rule and give appropriate permissions. Make sure this attribute or something similar like "Tunnel-group-name" is coming in the radius request

Regards,

Jatin

~Jatin
0 Helpful
Customers Also Viewed These Support Documents