White list remote devices on ISE without certificates

ARQA-netadmin
Level 1

Is there any way to configure some authorization policy on ISE in which you can define a whitelist of remote devices that are allowed to build a VPN? As an option, obtaining some unique ID from a remote device. The method with certificates is not suitable.

Accepted Solution

Mike.Cifelli
VIP Alumni

IMO you have several options here that you should test to see which meet your requirements the best:

Option 1: target the specific tunnel groups you wish to authorize on the network

condition = Cisco-VPN3000:CVPN/ASA/PIX7x-Tunnel-Group-Name EQUALS <name>

Option 2: if integrated with perhaps AD, add a condition to map clients and/or users to an external security group to drive the authorization policy

condition = <AD ID source name>:ExternalGroups EQUALS <name>

Option 3: perhaps rely on posturing to check against a unique attribute on these whitelisted clients

There are definitely more options out there. I suggest dissecting a RADIUS live log from one of the whitelisted clients to determine unique attributes that could differentiate them from the rest to aid in identifying other possibilities. HTH!

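The live-log triage Mike suggests, as an added example that is not from the thread: given parsed attribute dumps for whitelisted and other VPN sessions (constructed sample values; the short attribute names stand in for ISE's full dictionary names such as Cisco-VPN3000:CVPN/ASA/PIX7x-Tunnel-Group-Name), it reports which attributes single out the whitelisted clients, formatted as ISE-style EQUALS conditions.

```python
"""Find RADIUS attributes that uniquely identify whitelisted VPN clients.

An attribute is a usable authorization condition only if its value is the
same on every whitelisted session AND never appears on any other session;
anything else either misses whitelisted clients or over-matches.
"""

# Constructed sample data, modelled on the attribute detail of ISE RADIUS
# live-log entries. Attribute names are shortened; values are invented.
WHITELISTED = [
    {"Tunnel-Group-Name": "WL-VPN", "ExternalGroups": "corp/vpn-whitelist",
     "Calling-Station-ID": "198.51.100.10", "Device-Platform": "windows",
     "NAS-Port-Type": "Virtual"},
    {"Tunnel-Group-Name": "WL-VPN", "ExternalGroups": "corp/vpn-whitelist",
     "Calling-Station-ID": "198.51.100.11", "Device-Platform": "mac-intel",
     "NAS-Port-Type": "Virtual"},
]
OTHERS = [
    {"Tunnel-Group-Name": "GENERAL-VPN", "ExternalGroups": "corp/domain-users",
     "Calling-Station-ID": "203.0.113.5", "Device-Platform": "windows",
     "NAS-Port-Type": "Virtual"},
    {"Tunnel-Group-Name": "GENERAL-VPN", "ExternalGroups": "corp/contractors",
     "Calling-Station-ID": "203.0.113.6", "Device-Platform": "mac-intel",
     "NAS-Port-Type": "Virtual"},
]

def differentiating_conditions(whitelisted, others):
    """Return {attribute: value} pairs that hold for all whitelisted sessions
    and for none of the others. Calling-Station-ID and Device-Platform drop
    out because they vary within the whitelist; NAS-Port-Type drops out
    because its value is shared with every other VPN session."""
    if not whitelisted:
        return {}
    constant = {attr: value for attr, value in whitelisted[0].items()
                if all(rec.get(attr) == value for rec in whitelisted)}
    return {attr: value for attr, value in constant.items()
            if not any(rec.get(attr) == value for rec in others)}

def matches(record, attr, value):
    """Evaluate one ISE-style '<attr> EQUALS <value>' condition on a session."""
    return record.get(attr) == value

def as_ise_conditions(conditions):
    """Render candidates the way they would be typed into an ISE policy rule."""
    return [f"{attr} EQUALS {value}" for attr, value in sorted(conditions.items())]

if __name__ == "__main__":
    for cond in as_ise_conditions(differentiating_conditions(WHITELISTED, OTHERS)):
        print(cond)
```

Run against real live-log exports, an attribute that survives this filter on a handful of sessions still needs checking against the full population before it becomes a policy condition.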

2 Replies

Ok. I understood. But I am interested in best practices about this. Maybe someone used some RADIUS parameters from the remote machine or some other information for identifying the remote machine. I would like something specific.