Remote Access VPN with ISE

fatalXerror
Level 5

Hi Guys,

Good Day!

May I ask if it is possible in ISE 1.4 for me to configure an authorization profile to check if User1 tries to connect to a specific tunnel-group which is configured in the ASA?

Thank you and have a nice day!

Cheers

4 Replies

Philip D'Ath
VIP Alumni

You need to use the Tunnel Group Lock option. Take a look at this post. 

https://supportforums.cisco.com/discussion/11402831/connection-profile-tunnel-group-lock

Hi Philip,

Good Day!

Just to clarify, I will use this attribute as the condition in my authorization rule in ISE, right?

Thanks

I don't know. My guess is yes. I have only used this with other products. I just know the ASA needs to receive it.

Jatin Katyal
Cisco Employee

Visit ISE policy > policy elements > conditions. In the condition, inside advanced attributes, select an attribute - "Cisco-VPN3000:Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Lock" Equals <tunnel-group-name>. Once done, call this condition in the authorization rule and give appropriate permissions. Make sure this attribute, or something similar like "Tunnel-group-name", is coming in the RADIUS request.

Regards,

Jatin

~Jatin
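
The last reply asks to make sure the tunnel-group attribute is actually coming in the RADIUS request. The following is an added example, not code from anyone in this thread, that decodes a RADIUS Access-Request payload and reports which tunnel-group vendor-specific attributes it carries. The vendor ID 3076 and the attribute numbers 85 and 146 are assumptions to confirm against the Cisco-VPN3000 dictionary in ISE, and the sample packet and the name `EXAMPLE-TG` are constructed.

```python
import struct

VENDOR_VPN3000 = 3076  # assumed vendor ID of the Cisco-VPN3000 dictionary
# Assumed attribute numbers; confirm them in the ISE Cisco-VPN3000 dictionary.
VSA_NAMES = {85: "Tunnel-Group-Lock", 146: "Tunnel-Group-Name"}

def parse_attrs(packet):
    """Yield (type, value) for every attribute in one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the data")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def vpn3000_vsas(packet):
    """Return {name: text} for the tunnel-group VSAs present in the packet."""
    found = {}
    for atype, value in parse_attrs(packet):
        # Type 26 is Vendor-Specific: 4-byte vendor ID, then sub-attributes.
        if atype != 26 or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_VPN3000:
            continue
        sub = value[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] in VSA_NAMES:
                found[VSA_NAMES[sub[0]]] = sub[2:sub[1]].decode("utf-8", "replace")
            sub = sub[sub[1]:]
    return found

def build_sample(user, tunnel_group=None):
    """Construct an Access-Request (code 1) with a zeroed authenticator."""
    def attr(t, v):
        return bytes([t, len(v) + 2]) + v
    body = attr(1, user.encode())
    if tunnel_group is not None:
        inner = attr(146, tunnel_group.encode())
        body += attr(26, struct.pack("!I", VENDOR_VPN3000) + inner)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

SAMPLE = build_sample("User1", "EXAMPLE-TG")  # constructed, not a real capture
if __name__ == "__main__":
    print(vpn3000_vsas(SAMPLE))
```

An empty result for a real request means the authorization condition has nothing to match on, so the rule would never fire for that session.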