Control client's IP using policies within Azure AD for AnyConnect user

ABaker94985

We used to have users in various groups set up for AnyConnect, and at that time we could control which systems and services remote users could access. Once we implemented SSO with MFA with our Azure AD, we lost this ability, but we're trying to figure out a way to get this back.

Is it possible to create a policy within Azure that says, if User belongs to Group A, assign user an IP in range 10.1.1.1-10.1.1.254, or if User belongs to Group B, assign user an IP in range 10.1.2.1-10.1.2.254? We could then filter traffic on the outside interface. Or is there another way to accomplish this? We do have Umbrella, so we're investigating features there, but maybe there is something in that offering?


Thanks

Accepted Solution

If you had ISE this would be a simple solution, but I am assuming you do not have ISE?

Are you using SAML for SSO? If so you just need to define the authentication server under the tunnel-group. Then you can use SAML for SSO and for a second authentication / authorization you would use the server defined under the tunnel-group.

--
Please remember to select a correct answer and rate helpful posts

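Added example, not from the answer above and not Cisco's or Microsoft's own documentation: an ASA configuration sketch of the approach described, with SAML to Azure AD for authentication and an LDAP server under the tunnel-group for authorization, mapping AD group membership to a group-policy that carries its own address pool and vpn-filter. Every name, address, DN, ACL and the tenant placeholder here is an assumption; the `saml idp` definition under `webvpn` is omitted.

```cisco
! Address pools per group (the ranges from the question)
ip local pool POOL_GROUP_A 10.1.1.1-10.1.1.254 mask 255.255.255.0
ip local pool POOL_GROUP_B 10.1.2.1-10.1.2.254 mask 255.255.255.0

! Per-pool traffic filters (destinations are assumed)
access-list ACL_GROUP_A extended permit ip 10.1.1.0 255.255.255.0 host 10.10.0.5
access-list ACL_GROUP_B extended permit ip 10.1.2.0 255.255.255.0 host 10.10.0.6

! Map AD group membership (memberOf) to an ASA group-policy
ldap attribute-map AD_GROUP_TO_POLICY
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-GroupA,OU=Groups,DC=example,DC=com" GP_GROUP_A
 map-value memberOf "CN=VPN-GroupB,OU=Groups,DC=example,DC=com" GP_GROUP_B

! LDAP server used only for authorization (SAML does the authentication)
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=example,DC=com
 ldap-login-password <placeholder>
 server-type microsoft
 ldap-attribute-map AD_GROUP_TO_POLICY

! Group policies: pool + filter per group; the default refuses logins
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy GP_GROUP_A internal
group-policy GP_GROUP_A attributes
 address-pools value POOL_GROUP_A
 vpn-filter value ACL_GROUP_A
group-policy GP_GROUP_B internal
group-policy GP_GROUP_B attributes
 address-pools value POOL_GROUP_B
 vpn-filter value ACL_GROUP_B

! Tunnel-group: SAML authentication, LDAP authorization, deny by default
tunnel-group AC_SAML type remote-access
tunnel-group AC_SAML general-attributes
 authorization-server-group AD_LDAP
 default-group-policy GP_NOACCESS
tunnel-group AC_SAML webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
```

Because the vpn-filter is applied per group-policy, the filtering moves from the outside interface to the policy itself, and a user who is in neither AD group lands in GP_NOACCESS and is refused rather than receiving an unrestricted address.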

2 Replies


I understand that the ISE solution would work out well. We do have ISE (older version), but we've been told we have to upgrade to implement a solution that will integrate with VPN. It's been approved to be purchased next year, but it'll be a completely new system stood up in parallel with the existing one.


We are using SAML for SSO. Ahh, I think this is making sense.


I just ran across this Microsoft article and compared what's in here to what you say. It may be fairly close. Thank you!


https://docs.microsoft.com/bs-latn-ba/Azure/active-directory/authentication/howto-mfa-nps-extension-vpn