11-03-2017 12:07 PM - edited 02-21-2020 10:37 AM
Hello guys
pls find attachment
I am confused, why connection related to R1 rule hits VPN rule and connection related to VPN Rule hits R1 Rule, we are still using ISE 2.1
pls help me out
thanks
11-03-2017 12:42 PM
The screenshot of the VPN rule implies there is an AND but there appears to be nothing there.
Add another condition to match against, to make each of the rules more specific to the device making the connection. E.g. Radius:NAS-Port-Type EQUALS Virtual AND Radius:NAS-IP-Address EQUALS x.x.x.x
You could also use Policy Sets and make the condition specific to the type of connection etc.
11-04-2017 09:13 PM
Hello RJI
In the Authentication policy do I also need the NAS address? NAS is configured for the same rule but in the Authorization policy
Thanks
11-05-2017 09:27 AM
Hi,
I would use policy sets for each authentication type, e.g. VPN, Wired 802.1x, Wired MAB etc. Use NAS IP address or Device Type as the condition on the policy set. For example, in doing so, Wired 802.1x authentications would never originate from the NAS IP address of the VPN device, therefore never process that VPN policy set.
Ultimately you need to make the rules more specific, using other conditions in the policy.
HTH
11-05-2017 09:43 PM
Hi
Do you mean another NAS IP Address also for Authentication policy AND for Authorization policy?
thanks
11-06-2017 04:51 AM
Yes, add a new condition to the authorisation rules to make them unique.
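The advice in this thread, sketched as an added example that is not part of the original posts and is not ISE code: a simplified top-down, first-match model showing why two rules with the same conditions hit in the wrong place, and how adding the Radius attributes separates them. The `IdentityGroup` attribute, the rule contents and the 192.0.2.x addresses are constructed assumptions, since the attachment is not on the page.

```python
# Simplified model (assumption): rules are checked top-down and the first
# rule whose conditions all match wins. Not ISE's own engine or export format.

def matches(rule, request):
    """A rule matches when every condition equals the request attribute."""
    return all(request.get(a) == v for a, v in rule["when"].items())

def first_match(rules, request):
    """Name of the first matching rule, or 'Default' when none match."""
    return next((r["name"] for r in rules if matches(r, request)), "Default")

def ambiguous(rules, requests):
    """Request label -> all matching rules, only where more than one matches.
    Any entry here means the outcome depends purely on rule order."""
    found = {}
    for label, req in requests.items():
        hits = [r["name"] for r in rules if matches(r, req)]
        if len(hits) > 1:
            found[label] = hits
    return found

# Constructed sample requests: one from the VPN device, one from a wired switch.
REQUESTS = {
    "vpn":   {"IdentityGroup": "Employees", "Radius:NAS-Port-Type": "Virtual",
              "Radius:NAS-IP-Address": "192.0.2.10"},
    "wired": {"IdentityGroup": "Employees", "Radius:NAS-Port-Type": "Ethernet",
              "Radius:NAS-IP-Address": "192.0.2.20"},
}

# Before: both rules test only an attribute that every request shares.
LOOSE = [
    {"name": "R1",  "when": {"IdentityGroup": "Employees"}},
    {"name": "VPN", "when": {"IdentityGroup": "Employees"}},
]

# After: each rule adds conditions that tie it to the originating device.
SPECIFIC = [
    {"name": "R1",  "when": {"IdentityGroup": "Employees",
                             "Radius:NAS-IP-Address": "192.0.2.20"}},
    {"name": "VPN", "when": {"IdentityGroup": "Employees",
                             "Radius:NAS-Port-Type": "Virtual",
                             "Radius:NAS-IP-Address": "192.0.2.10"}},
]

if __name__ == "__main__":
    for title, rules in (("loose", LOOSE), ("specific", SPECIFIC)):
        hits = {k: first_match(rules, v) for k, v in REQUESTS.items()}
        print(title, hits, "ambiguous:", ambiguous(rules, REQUESTS))
```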