Using Cisco ISE - Network Restriction for Home/ Non Corporate network

irshadkal
Level 1

Dear Team,

Does anyone know if the below option is available?

My customer, connecting through ISE, needs to block outside networks using the AnyConnect agent.

If a user laptop with the AnyConnect Secure agent tries to connect to a home network or any other non-corporate network, AnyConnect should not authenticate. Is this possible?


Use full-tunnel and hence a VPN filter; this is done in the FW.
MHM

irshadkal
Level 1

Dear MHM,

Thanks for the reply, but the customer wants to block outside networks using the ISE AnyConnect agent. Is it possible without a firewall?

If the user connects the laptop on the corporate LAN it works fine, and the same laptop user should not be able to connect to home Wi-Fi or any other network.

Sorry, without a FW or router (as the GW of AnyConnect) you cannot do what you want.

ISE can help return some attributes, but it depends on the GW to restrict the traffic.

MHM

@irshadkal if I understand your question correctly, you want to block your devices with AnyConnect from connecting to a home network? You could use the AnyConnect NAM module (if licensed) to permit access to trusted networks only and deny others.

That is not something you can do with ISE, because ISE has no idea what the endpoint is trying to connect to. ISE, simply put, can return attributes to be associated with the endpoint or user sessions; however, the authentication requests have to go to ISE in the first place, and then ISE returns the authorization attributes after the authentication has passed, but this is not the case here. You can leverage NAM as suggested by @Rob Ingram, which allows you to restrict the network profiles based on the company policies. Another thing you might be able to do is to disable the dot1x fallback in the endpoint's dot1x supplicant config, but this would be applicable only if you have dot1x implemented in your network. You can find this option in the supplicant authentication tab, and it's called "Fallback to unauthorized network access".

Dear,

The client is using Cisco Secure Client (NAM agent), but I didn't see any option for a trusted network there on the NAM module, nor in the NAM profile editor. If you have any reference, kindly share the link.

Fallback is available on the native agent, so it's not possible.

The option that would restrict users from interacting with the network settings you configure in the NAM profile should be in the "Client Policy" tab under the "End-user Control" section; it should be called "Disable Client". That should not be ticked.