11-08-2018 01:43 AM - edited 03-11-2019 01:51 AM
hi everyone,
My direct manager wants me to improve our network security, mainly VPN connections.
So he wants me to use Cisco ISE to assign one source public IP per user connecting through VPN.
In other words, each of our partners should be able to connect to our corporate network from their office using the same public IP. This would prevent them from connecting to our network if they are outside their office or at any other location.
I have swept through many websites, communities, and forums but can't find any answer on how to implement that on Cisco ISE.
Any help would be greatly appreciated.
Thanks
11-11-2018 11:04 PM
Please check the how-to guides for ISE and ASA in our ISE ecosystem section for details on how to configure this.
-Krishnan
11-08-2018 02:24 AM
Do you know what is required from your VPN application to achieve this? If you can figure this out, then the job for ISE will be a simple one. For example, it may be that your VPN concentrator has a RADIUS interface (to ISE) and ISE needs to authenticate the username/password that the VPN user enters. If ISE authentication passes, then ISE can authorize the user in various ways - one way might be to pass attributes like Framed-IP-Address, subnet, etc. You can do that by adding custom attributes to local ISE accounts, or if these attributes are available in AD/LDAP, then you can retrieve them there and pass them to the VPN server.
11-09-2018 03:20 AM
Hello,
In fact, our corporation is using an ASA firewall for our VPN connections. That firewall is connected to ISE through a core switch. When a connection is received through the firewall, ISE passes the authentication (username and password) to Active Directory, which allows access to our network, and then ISE issues different profiles depending on the user. So based on our current configuration, will I be able to apply that public IP restriction per user?
Thanks Again
11-08-2018 11:51 AM
Hi,
As I understand it, you want to limit VPN access per user only if they come from a specific public IP.
This can be achieved if you create an authorization policy with a filter on RADIUS -> Calling-Station-ID set to the public IP and the specific username.
I have attached an example screenshot.
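The rule described in this answer, written out as an added example (not from the thread or from Cisco): a small simulation of an ISE authorization rule that matches the username together with the Calling-Station-ID, run over constructed ASA-to-ISE request lines. The usernames, the office addresses, and the key=value log format are all assumptions for illustration; the point is that the check fails closed when the user has no rule or the attribute is malformed.

```python
# Added example: simulating the per-user Calling-Station-Id check that the
# ISE authorization rule would perform. Users, addresses and the log format
# below are constructed for illustration, not taken from the thread.
import ipaddress
import re

# Constructed allow-list: partner username -> public networks of their office.
# A /32 models a single NAT address; a wider prefix models an office block.
ALLOWED_SOURCES = {
    "partner-a": ["198.51.100.7/32"],
    "partner-b": ["203.0.113.0/29"],
}

# Constructed RADIUS Access-Request records in a simple key=value layout.
SAMPLE_REQUESTS = [
    "User-Name=partner-a Calling-Station-Id=198.51.100.7 NAS-IP-Address=10.0.0.1",
    "User-Name=partner-a Calling-Station-Id=192.0.2.44 NAS-IP-Address=10.0.0.1",
    "User-Name=partner-b Calling-Station-Id=203.0.113.5 NAS-IP-Address=10.0.0.1",
    "User-Name=partner-c Calling-Station-Id=203.0.113.5 NAS-IP-Address=10.0.0.1",
    "User-Name=partner-b Calling-Station-Id=notanip NAS-IP-Address=10.0.0.1",
]

def parse_request(line):
    """Return a dict of attribute=value pairs from one constructed log line."""
    return dict(re.findall(r"(\S+?)=(\S+)", line))

def authorize(user, calling_station_id):
    """Mirror the rule 'username AND Calling-Station-Id in the allowed range'.
    Returns ('PERMIT'|'DENY', reason) and fails closed on unknown or bad input."""
    networks = ALLOWED_SOURCES.get(user)
    if networks is None:
        return "DENY", "no source restriction rule for user"
    try:
        src = ipaddress.ip_address(calling_station_id)
    except ValueError:
        return "DENY", "Calling-Station-Id is not an IP address"
    for net in networks:
        if src in ipaddress.ip_network(net):
            return "PERMIT", f"{src} in {net}"
    return "DENY", f"{src} not in office range for {user}"

def evaluate(lines):
    """Apply the rule to each request; returns (user, src, decision, reason) tuples."""
    results = []
    for line in lines:
        attrs = parse_request(line)
        user = attrs.get("User-Name", "")
        csid = attrs.get("Calling-Station-Id", "")
        decision, reason = authorize(user, csid)
        results.append((user, csid, decision, reason))
    return results
```

Calling `evaluate(SAMPLE_REQUESTS)` yields PERMIT for the two in-office requests and DENY for the off-site address, the user without a rule, and the malformed attribute; the DENY reasons are what you would want surfaced in an ISE live log when a partner connects from an unexpected location.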