Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2928
Views
0
Helpful
5
Replies

ISE and geo location rules

ROBERTO GIANA
Level 4
Level 4

‎09-15-2015 01:59 AM - edited ‎03-10-2019 11:03 PM

Hi

Is there a way to do location based authorization rules in the ISE. We need that for giving out different authorizations to VPN users based on their location they are connecting from.

 

Regards

Roberto

Labels:
0 Helpful
5 Replies 5

jan.nielsen
Level 7
Level 7

‎09-15-2015 04:14 AM

Are you talking about detecting the location that they are physically in by their public address?, or the company designated location that they are working at ?

0 Helpful

ROBERTO GIANA
Level 4
Level 4
In response to jan.nielsen

‎09-15-2015 04:38 AM

The location, based on the public IP they are connecting from.

Off course we can make rules based on the public IP used. But that would mean to maintain the network list by myself. I want to make a rule just on the location. E.g. Country. In the background a database should be queried like Maxminds GeoIP or so.

The ISE doesn't have that capability itself, although other Cisco products have that information. But is there an external authorization store that can be easily queried from the ISE? Has anybody done that before?

0 Helpful

jan.nielsen
Level 7
Level 7
In response to ROBERTO GIANA

‎09-15-2015 04:51 AM

Sorry, i don't think there as anything like that in ISE, at least not something that can be done with out of the box products.

Problem with using an external identity store, would be that it's the username thats sent to the store to find attributes (normally AD groups via ad username), the public ip is not in the username field in the incoming radius requests from the VPN headend, so i don't know that would ever work.

I can only see Pxgrid being able to do this, maybe some of the GeoIP services providers integrate with it ?

0 Helpful

ROBERTO GIANA
Level 4
Level 4
In response to jan.nielsen

‎09-15-2015 06:17 AM

Actually it's not part of the authentication, rather than of the authorization. There we can do a lookup, independent of the authentication. The ASA gives us the public IP of the VPN client in the "Calling-Station-Id" RADIUS attribute. That one we can lookup as part of the authorization by using LDAP or to an other RADIUS server that supports the "Authorize-Only" service type of RADIUS, like the ISE does.

As you wrote: One way would be to get a pxgrid serivce for that. Unfortunately I don't know of anyone with such information. I had a look into the SDK on DevNet. But they only have examples for the ISE as a "provider" but not as a consumer. Therefore I don't know if the ISE can even poll such information from a pxgrid node at-all.

0 Helpful

jan.nielsen
Level 7
Level 7
In response to ROBERTO GIANA

‎09-15-2015 06:25 AM

What i meant was that the public ip address is sent during authentication, now the use of it, is in the authorization policy in ise. However i still don't see how you would do a lookup where the ldap search is using the public ip, the only thing ise sends to ldap when doing searches is the identity, which is the username that was authenticated, and not the ip address, so i don't see how this would work.

0 Helpful
Customers Also Viewed These Support Documents