Using ISE to block TOR IPs from connecting to VPN concentrators

tgallawa
Cisco Employee

Is it possible to have ISE block TOR IPs from connecting to an ASA RAVPN?

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame

ISE is the wrong solution for that requirement. Ideally have an upstream NGFW/IPS with geoblocking. Or use MFA (like Duo) with geofencing requirements enforced on the MFA client.


2 Replies

Colby LeMaire
VIP Alumni

Best option would be to use the firewall itself to block certain IPs from connecting. Ideally, you would have a "filtering" router at your Internet edge that blocks known bad IPs, RFC 1918 IPs, and your own internal subnet IPs (RFC 2827/BCP 38). That prevents your firewall from having to process a lot of junk, which uses up resources.

If you cannot block on your edge router or firewall, then you could try to look for the "Framed-IP-Address" attribute in your authentication requests and use a Regex to match against your bad list.  But that is not ideal or efficient.
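As an added illustration of the edge-filtering order described in the reply above (example code, not from the original thread or from Cisco): a Python check that drops RFC 1918 sources, spoofed copies of the organisation's own prefixes (BCP 38) and anything on a known-bad list before a VPN authentication request is processed. The prefix lists and session records are constructed placeholders, and matching is done on CIDR prefixes rather than a regex.

```python
import ipaddress

# Constructed sample lists. KNOWN_BAD stands in for a Tor exit-node feed
# (placeholder documentation prefixes, not real Tor addresses); INTERNAL_PREFIXES
# is a hypothetical organisation's own routed address space.
KNOWN_BAD = ["198.51.100.0/24", "2001:db8:bad::/48"]
INTERNAL_PREFIXES = ["203.0.113.0/24", "2001:db8:1::/48"]

# Private space that should never arrive from the Internet (RFC 1918 and IPv6 ULA).
PRIVATE_SPACE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"]


def _networks(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def classify_ingress(src_ip, known_bad=KNOWN_BAD, internal=INTERNAL_PREFIXES):
    """Verdict an edge filtering router would apply to a packet from src_ip.

    Cheap bogon and anti-spoofing checks run first, so the reputation list
    (the expensive, frequently updated part) is only consulted for plausible
    sources. An address/network version mismatch never matches in ipaddress.
    """
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return "drop-invalid"
    if any(addr in n for n in _networks(PRIVATE_SPACE)):
        return "drop-private"            # RFC 1918 / ULA from outside
    if any(addr in n for n in _networks(internal)):
        return "drop-spoofed-internal"   # RFC 2827 / BCP 38: our prefix from outside
    if any(addr in n for n in _networks(known_bad)):
        return "drop-known-bad"          # reputation / Tor exit feed
    return "permit"


def screen_vpn_sessions(sessions):
    """Apply classify_ingress to the peer address of each VPN authentication
    record and return (peer, verdict) for every record that would be rejected."""
    return [(s["peer"], v) for s in sessions
            if (v := classify_ingress(s["peer"])) != "permit"]


SAMPLE_SESSIONS = [  # constructed records; "peer" is the remote public address
    {"user": "alice", "peer": "192.0.2.10"},
    {"user": "bob", "peer": "198.51.100.7"},
    {"user": "mallory", "peer": "10.1.2.3"},
    {"user": "eve", "peer": "203.0.113.9"},
]
```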
