Why do connections related to the R1 rule hit the VPN rule and vice versa? We are still using ISE 2.1

Ibrahim Jamil
Level 6

Hello guys

Please find the attachment.

I am confused: why do connections related to the R1 rule hit the VPN rule, and connections related to the VPN rule hit the R1 rule? We are still using ISE 2.1.

Please help me out.

Thanks

Accepted Solutions

Yes, add a new condition to the authorisation rules to make them unique.

5 Replies

The screenshot of the VPN rule implies there is an AND but there appears to be nothing there.

Add another condition to match against, to make each of the rules more specific to the device making the connection. E.g. Radius:NAS-Port-Type EQUALS Virtual AND Radius:NAS-IP-Address EQUALS x.x.x.x

You could also use Policy Sets and make the condition specific to the type of connection etc.

Hello RJI

In the Authentication policy, do I also need the NAS address? NAS is configured for the same rule but in the Authorization policy.

Thanks

Hi,

I would use policy sets for each authentication type, e.g. VPN, Wired 802.1x, Wired MAB etc. Use NAS IP address or Device Type as the condition on the policy set. For example, in doing so, Wired 802.1x authentications would never originate from the NAS IP address of the VPN device, and therefore would never process that VPN policy set.

Ultimately you need to make the rules more specific, using other conditions in the policy.

HTH

Hi

Do you mean another NAS IP address also for the Authentication policy AND for the Authorization policy?

Thanks

Yes, add a new condition to the authorisation rules to make them unique.
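
The advice in this thread, shown as an added example that is not part of any post and is not ISE code: a small model of rule matching that reports which rules can be satisfied by the same request, before and after a Radius:NAS-IP-Address condition is added. It assumes rules are evaluated top-down with the first match winning; the rule contents, rule order and 192.0.2.x addresses are constructed, since the original screenshot is not available.

```python
# Constructed model of top-down, first-match rule evaluation. The rule order,
# attribute values and 192.0.2.x addresses are sample data, not ISE output.

def matches(rule, request):
    """True when every condition in the rule (ANDed) equals the request attribute."""
    return all(request.get(a) == v for a, v in rule["conditions"].items())

def first_match(rules, request):
    """Return the name of the first rule, top to bottom, that the request satisfies."""
    for rule in rules:
        if matches(rule, request):
            return rule["name"]
    return "Default"

def overlapping(rules):
    """Pairs of rules one request could satisfy together: no attribute they
    both test is required to hold two different values."""
    pairs = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            shared = a["conditions"].keys() & b["conditions"].keys()
            if all(a["conditions"][k] == b["conditions"][k] for k in shared):
                pairs.append((a["name"], b["name"]))
    return pairs

VPN_NAS, R1_NAS = "192.0.2.20", "192.0.2.10"  # constructed NAS addresses

# Before: both rules test only the port type, so they cannot be told apart.
LOOSE = [
    {"name": "VPN", "conditions": {"Radius:NAS-Port-Type": "Virtual"}},
    {"name": "R1", "conditions": {"Radius:NAS-Port-Type": "Virtual"}},
]
# After: each rule also pins the NAS that sent the request.
TIGHT = [
    {"name": "VPN", "conditions": {"Radius:NAS-Port-Type": "Virtual",
                                   "Radius:NAS-IP-Address": VPN_NAS}},
    {"name": "R1", "conditions": {"Radius:NAS-Port-Type": "Virtual",
                                  "Radius:NAS-IP-Address": R1_NAS}},
]
R1_REQ = {"Radius:NAS-Port-Type": "Virtual", "Radius:NAS-IP-Address": R1_NAS}
VPN_REQ = {"Radius:NAS-Port-Type": "Virtual", "Radius:NAS-IP-Address": VPN_NAS}

if __name__ == "__main__":
    for label, rules in (("loose", LOOSE), ("tight", TIGHT)):
        print(label, "overlaps:", overlapping(rules),
              "| R1 request ->", first_match(rules, R1_REQ),
              "| VPN request ->", first_match(rules, VPN_REQ))
```

An empty overlap list means no single request can satisfy two rules, so rule order no longer decides which authorization result a session receives.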