08-10-2020 05:05 PM
Is it possible to have ISE block Tor IPs from connecting to an ASA RAVPN?
08-11-2020 07:09 AM
ISE is the wrong solution for that requirement. Ideally have an upstream NGFW/IPS with geoblocking. Or use MFA (like Duo) with geofencing requirements enforced on the MFA client.
08-11-2020 06:13 AM
Best option would be to use the firewall itself to block certain IPs from connecting. Ideally, you would have a "filtering" router at your Internet edge that blocks known bad IPs, RFC 1918 IPs, and your own internal subnet IPs (RFC 2827/BCP 38). That prevents your firewall from having to process a lot of junk, which uses up resources.
If you cannot block on your edge router or firewall, then you could try to look for the "Framed-IP-Address" attribute in your authentication requests and use a Regex to match against your bad list. But that is not ideal or efficient.
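The attribute-matching fallback described in the reply above, as an added example that is not from the thread or from Cisco: a small Python script that pulls the peer address out of a RADIUS-style access request and checks it against a blocklist. CIDR containment (via the standard `ipaddress` module) is used instead of a regex, because ranges such as 172.16.0.0/12 are awkward to express as a pattern. Everything below is constructed for illustration: the attribute lines mimic RADIUS debug output, the "bad" ranges are RFC 5737 documentation space standing in for a Tor exit-node feed, and the assumption that the client's public address arrives in Calling-Station-Id (with Framed-IP-Address as a fallback) is mine, not something the thread states.

```python
"""Check the peer address in a RADIUS-style access request against a blocklist.

Added illustration for the thread above; not Cisco or ISE code. Request text,
attribute names and address ranges are constructed for the example.
"""
import ipaddress

# Constructed blocklist. A real one would be fed from a Tor exit-node or
# reputation list; RFC 5737 documentation ranges stand in for it here.
BLOCKLIST_CIDRS = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918, never a valid Internet peer
    "203.0.113.0/24",                                  # stand-in for a bad-reputation feed entry
    "198.51.100.7/32",                                 # stand-in for a single Tor exit node
]
# Constructed "own" public prefix: a peer claiming to come from it is spoofed (RFC 2827/BCP 38).
OWN_PREFIXES = ["192.0.2.0/24"]


def build_networks(cidrs):
    """Parse CIDR strings once; ip_network handles masks like /12 that a regex cannot express cleanly."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def parse_attributes(request_text):
    """Turn 'Attribute = value' lines (the shape seen in RADIUS debug output) into a dict."""
    attrs = {}
    for line in request_text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        attrs[key.strip()] = value.strip().strip('"')
    return attrs


def match_network(ip_str, networks):
    """Return the first network containing ip_str, or None (also None for unparseable input)."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


def evaluate(request_text, blocklist=None, own=None):
    """Return ('permit' | 'deny', reason) for one request; the reason is meant for logging."""
    blocklist = build_networks(BLOCKLIST_CIDRS) if blocklist is None else blocklist
    own = build_networks(OWN_PREFIXES) if own is None else own
    attrs = parse_attributes(request_text)
    # Assumption: the client's public address is carried in Calling-Station-Id;
    # Framed-IP-Address (the attribute the reply mentions) is used as a fallback.
    peer = attrs.get("Calling-Station-Id") or attrs.get("Framed-IP-Address")
    if peer is None:
        return ("deny", "no peer address attribute present")
    try:
        ipaddress.ip_address(peer)
    except ValueError:
        # Fail closed: a value that is not an address should never be waved through.
        return ("deny", f"unparseable peer address {peer!r}")
    if match_network(peer, own):
        return ("deny", f"{peer} claims to be inside our own prefix (BCP 38)")
    hit = match_network(peer, blocklist)
    if hit:
        return ("deny", f"{peer} is in blocklisted range {hit}")
    return ("permit", f"{peer} not in any blocked range")


# Constructed request excerpts in the style of RADIUS debug output.
SAMPLE_REQUESTS = {
    "tor_exit": 'User-Name = "alice"\nCalling-Station-Id = "198.51.100.7"\nNAS-Port-Type = Virtual',
    "rfc1918": 'User-Name = "bob"\nCalling-Station-Id = "192.168.1.20"',
    "spoofed_own": 'User-Name = "carol"\nFramed-IP-Address = 192.0.2.55',
    "clean": 'User-Name = "dave"\nCalling-Station-Id = "198.51.100.99"',
    "garbage": 'User-Name = "eve"\nCalling-Station-Id = "not-an-ip"',
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        verdict, reason = evaluate(req)
        print(f"{name:12s} {verdict:6s} {reason}")
```

Matching on the address attribute only works if the NAS actually puts the client's public address into the request; the inner address handed to the tunnel tells you nothing about where the connection came from. As the reply says, doing this at the edge router or firewall is the efficient place, and the script is only a sketch of what the fallback would have to do.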