04-14-2021 02:50 AM
Is there any way to configure some authorization policy on ISE in which you can define a whitelist of remote devices that are allowed to build a VPN? As an option, obtaining some unique id from a remote device. The method with certificates is not suitable.
Solved! Go to Solution.
04-14-2021 05:40 AM
IMO you have several options here that you should test to see which meet your requirements the best:
option1: target the specific tunnel groups you wish to authorize on the network
condition = Cisco-VPN3000:CVPN/ASA/PIX7x-Tunnel-Group-Name EQUALS <name>
option2: if integrated with perhaps AD add condition to map clients and/or user to external security group to drive authorization policy
condition = <AD ID source name>:ExternalGroups EQUALS <name>
option3: perhaps rely on posturing to check against a unique attribute on these whitelisted clients
There are definitely more options out there. I suggest dissecting a RADIUS live log from one of the whitelisted clients to determine unique attributes that could differentiate them from the rest to aid in identifying other possibilities. HTH!
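As an added illustration of the "dissect a RADIUS live log" advice (not code from the thread or from Cisco), the script below compares attribute/value pairs from constructed ISE live-log detail records of whitelisted clients against everyone else's and reports the pairs that only the whitelisted clients carry, i.e. candidates for an authorization condition. The records, attribute names and values are all constructed for the example.

```python
"""Find RADIUS attributes that separate whitelisted VPN clients from the rest."""
from collections import defaultdict

# Constructed ISE live-log detail records, one dict per Access-Request.
# Attribute names follow the ISE dictionary style; values are made up.
WHITELISTED = [
    {"User-Name": "alice", "Calling-Station-ID": "203.0.113.10",
     "NAS-IP-Address": "192.0.2.1",
     "Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name": "CORP-LAPTOPS",
     "AD1:ExternalGroups": "corp.example/Users/VPN-Managed"},
    {"User-Name": "bob", "Calling-Station-ID": "203.0.113.22",
     "NAS-IP-Address": "192.0.2.1",
     "Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name": "CORP-LAPTOPS",
     "AD1:ExternalGroups": "corp.example/Users/VPN-Managed"},
]
OTHERS = [
    {"User-Name": "mallory", "Calling-Station-ID": "198.51.100.7",
     "NAS-IP-Address": "192.0.2.1",
     "Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name": "DEFAULT-RA",
     "AD1:ExternalGroups": "corp.example/Users/Domain Users"},
    # Same tunnel group as the whitelisted clients: tunnel group alone is weak.
    {"User-Name": "carol", "Calling-Station-ID": "198.51.100.9",
     "NAS-IP-Address": "192.0.2.1",
     "Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name": "CORP-LAPTOPS",
     "AD1:ExternalGroups": "corp.example/Users/Domain Users"},
]


def attribute_values(records):
    """Map attribute name -> set of values observed across the records."""
    seen = defaultdict(set)
    for rec in records:
        for attr, value in rec.items():
            seen[attr].add(value)
    return seen


def differentiating_attributes(whitelisted, others):
    """Return {attr: value} pairs that every whitelisted request carries with
    one constant value and that no other request carries at all."""
    other_seen = attribute_values(others)
    candidates = {}
    for attr in set().union(*(r.keys() for r in whitelisted)):
        values = {r.get(attr) for r in whitelisted}
        if len(values) != 1 or None in values:
            continue  # varies (or is missing) across whitelisted clients
        (value,) = values
        if value in other_seen.get(attr, set()):
            continue  # non-whitelisted clients carry it too
        candidates[attr] = value
    return candidates


def to_ise_conditions(candidates):
    """Render candidates in the '<attr> EQUALS <value>' form used in ISE rules."""
    return sorted(f"{attr} EQUALS {value}" for attr, value in candidates.items())
```

With this data only the AD group survives as a condition; the tunnel group is dropped because a non-whitelisted client uses it too.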
04-20-2021 09:26 PM
Ok. I understood. But I am interested in best practices about this. Maybe someone used some RADIUS parameters from the remote machine or some other information for identification of the remote machine. I would like something specific.