Assign fixed public IP to users connecting through VPN with Cisco ISE

mouhaDiao
Level 1

Hi everyone,
My direct manager wants me to improve our network security, mainly the VPN connection.
So he wants me to use Cisco ISE to assign one source public IP per user connecting through VPN.
In other words, each of our partners should be able to connect to our corporate network from their office using the same public IP. This would prevent them from connecting to our network if they are out of their office or at any other location.
I have swept through many websites, communities and forums but can't find any answer on how to implement that on Cisco ISE.
Any help would be greatly appreciated.

Thanks

Accepted Solution

Please check the how-to guides for ISE and ASA in our ISE ecosystem section for details on how to configure.

https://community.cisco.com/t5/security-documents/ise-security-ecosystem-integration-guides/ta-p/3621164#toc-hId-1962717380

-Krishnan

5 Replies

Arne Bier
VIP

Do you know what is required from your VPN application to achieve this?  If you can figure this out then the job for ISE will be a simple one.  For example, it may be that your VPN concentrator has a Radius interface (to ISE) and ISE needs to authenticate the username/password that the VPN user enters. If ISE authentication passes, then ISE can authorize the user in various ways - one way might be to pass attributes like Framed-IP-Address and Subnet etc.  You can do that by adding custom attributes to local ISE accounts, or if these attributes are available in AD/LDAP, then you can retrieve them there and pass them to the VPN server.

Hello,

In fact, our corporate network is using an ASA firewall for our VPN connection. That firewall is connected to ISE through a core switch. When a connection is received through the firewall, ISE passes the authentication (username and password) to Active Directory, which allows access to our network, and then ISE issues different profiles depending on the user. So based on our current configuration, will I be able to apply that public IP restriction per user?

Thanks again

Panos Bouras
Level 1

Hi,


As I understand you want to limit VPN access per user only if they come from a specific public IP.

This can be achieved if you create an authorization policy with a filter of Radius -> Calling-Station-ID set to the public IP and the specific username.

I have attached an example screenshot.

[Attachment: 2018-11-08 21_47_33-Identity Services Engine.png]

Thank you, Panos.
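The rule Panos describes is a per-user condition on the RADIUS Calling-Station-ID, which for ASA remote-access VPN carries the connecting client's public IP. The following Python script is an added example, not code from the thread or from Cisco: it emulates that ISE authorization rule (User-Name AND Calling-Station-ID) against a handful of constructed Access-Request attribute sets, so you can see which sessions would be permitted and, just as importantly, what happens when the attribute is missing or the partner egresses from a small NAT range. The usernames, addresses and the allowlist dict are hypothetical values chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed allowlist: partner username -> public address(es) its office egresses from.
# In ISE each entry corresponds to one authorization rule with two conditions:
#   Network Access:UserName == <partner>  AND  Radius:Calling-Station-ID == <office IP>.
# A prefix is allowed here so a partner with a small NAT pool needs one entry, not eight.
PARTNER_ALLOWLIST = {
    "partner-a": ["203.0.113.10"],
    "partner-b": ["198.51.100.0/29"],
}


@dataclass
class Decision:
    result: str   # "PermitAccess" or "DenyAccess", mirroring ISE's standard profiles
    reason: str


def authorize(radius_attrs: dict) -> Decision:
    """Emulate the ISE rule: permit only when the username has an entry AND the
    Calling-Station-ID falls inside one of that user's allowed sources."""
    user = radius_attrs.get("User-Name")
    calling = radius_attrs.get("Calling-Station-ID")

    if user not in PARTNER_ALLOWLIST:
        return Decision("DenyAccess", f"no rule for user {user!r}")
    if not calling:
        # Fail closed: a request without the attribute never matches the permit rule.
        return Decision("DenyAccess", "Calling-Station-ID missing")
    try:
        src = ipaddress.ip_address(calling)
    except ValueError:
        return Decision("DenyAccess", f"Calling-Station-ID is not an IP: {calling!r}")

    for allowed in PARTNER_ALLOWLIST[user]:
        if src in ipaddress.ip_network(allowed, strict=False):
            return Decision("PermitAccess", f"{calling} matches {allowed} for {user}")
    return Decision("DenyAccess", f"{calling} is not an allowed source for {user}")


# Constructed sample Access-Request attribute sets (what ISE would see from the ASA).
SAMPLE_REQUESTS = [
    {"User-Name": "partner-a", "Calling-Station-ID": "203.0.113.10"},   # from the office
    {"User-Name": "partner-a", "Calling-Station-ID": "192.0.2.44"},     # from a hotel
    {"User-Name": "partner-b", "Calling-Station-ID": "198.51.100.5"},   # inside NAT pool
    {"User-Name": "partner-b"},                                         # attribute absent
    {"User-Name": "contractor-x", "Calling-Station-ID": "203.0.113.10"},  # no rule at all
]


def evaluate_samples() -> list:
    """Return the decision result for each sample, in order."""
    return [authorize(req).result for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, res in zip(SAMPLE_REQUESTS, [authorize(r) for r in SAMPLE_REQUESTS]):
        print(f"{req.get('User-Name'):>13} {req.get('Calling-Station-ID', '-'):>15} -> {res.result}: {res.reason}")
```

Two points carry over to the real ISE policy set. ISE evaluates authorization rules top-down and applies the first match, so the partner rule must sit above any broader "VPN users -> PermitAccess" rule, otherwise the IP condition is never reached. And because the check is an AND on username and source, a partner whose office IP changes is locked out until the rule is updated, which is exactly the behaviour the original post asks for.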

Hello Panos,
Can I create that authorization policy using the ISE web interface?
Also, for users connecting to our VPN, the authentication is made by our local AD; ISE just issues profiles depending on the connected users. So based on our current configuration, will I need to create a local account in ISE for each user as well before setting the policy you suggest, or is our local AD able to pass the username and password to ISE?
Thanks for your answer
