Can somebody explain to me how I can make sure that only authorized subnets are routed to IKEv2 clients?
If I configure 'route accept any' (which is the only option) under the authorization policy, then the client is allowed to send me any routes, so nothing prevents the client from installing any route into the headend, potentially screwing up routing for my network.
This is obviously not acceptable.
Another option I tried is to set 'no route accept' in the ikev2 authorization profile and send the route in a RADIUS attribute like this:
"ip:route=a.b.c.d 255.255.255.0 0.0.0.0"
This doesn't work. The route isn't installed in the routing table.
Another option I tried is 'route set local'. That works and the correct route is installed into the headend routing table, but unfortunately I can't see a way to do it in RADIUS. 'route set local' seems to be a locally supported attribute only, which would require me to configure an ikev2 profile/authorization policy per client. That obviously doesn't scale.
So I'm at a loss. Can somebody show me how I can enforce that only authorized routes are installed for the ikev2 clients?
Something like 'route accept <ACL>' to filter what ikev2 routes I receive from clients, or per-user routes like the "ip:route" RADIUS attribute?
I'm not talking about client-to-server routing. "route set remote" on the server will push routes to the client, and those routes are installed on the client device. That's fine.
I'm talking about server-to-client routes: routes that need to be installed on the headend router for subnets behind the client device. The only way to do it that I know of is to specify "route set remote" on the client. My question was about how to control which routes are being pushed from client to server, or whether there's a way to just install such routes on the server using RADIUS attributes.
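The risk described above is that 'route accept any' lets a client install arbitrary prefixes on the headend. The following is an added illustration (not IOS code, not from the original post, and not a reproduction of how 'route accept' or 'route set local' behave) of the per-client authorization check the question is asking for: a client-advertised prefix is installable only if it lies inside a prefix that client is authorized for, and never if it overlaps the headend's own protected networks. Client names, prefixes and the `max_routes` limit are constructed sample values.

```python
"""Model of a per-client route-acceptance filter for a FlexVPN-style headend.

Added illustration only: this is not IOS code and does not reproduce the
behaviour of 'route accept any' or 'route set local'. It models the check
the question asks for: accept a client-advertised route only when it lies
inside a prefix the client is authorized for, and never when it would
shadow one of the headend's protected networks.
"""
from ipaddress import ip_network

# Constructed sample data: per-client authorized prefixes (what a per-user
# RADIUS attribute or per-client policy would carry) and headend networks
# that no client may ever announce, regardless of authorization.
AUTHORIZED = {
    "client-a": [ip_network("10.10.0.0/16")],
    "client-b": [ip_network("10.20.5.0/24"), ip_network("192.168.50.0/24")],
}
PROTECTED = [ip_network("10.0.0.0/24"), ip_network("172.16.0.0/12")]


def route_allowed(client, prefix, protected=PROTECTED, authorized=AUTHORIZED):
    """Return (allowed, reason) for one prefix advertised by `client`."""
    try:
        net = ip_network(prefix, strict=True)   # reject host bits set
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    if net.version != 4 or net.prefixlen == 0:
        return False, "default or non-IPv4 routes are never accepted"
    if any(net.overlaps(p) for p in protected):
        return False, "overlaps a protected headend network"
    if not any(net.subnet_of(a) for a in authorized.get(client, [])):
        return False, "outside the client's authorized prefixes"
    return True, "within authorized prefixes"


def filter_routes(client, advertised, max_routes=16):
    """Split a client's advertised prefixes into installable and rejected.

    `max_routes` caps how many routes one client may install, so a client
    cannot flood the headend table even with authorized prefixes.
    """
    accepted, rejected = [], []
    for prefix in advertised:
        ok, reason = route_allowed(client, prefix)
        if ok and len(accepted) >= max_routes:
            ok, reason = False, "exceeds per-client route limit"
        (accepted if ok else rejected).append(prefix if ok else (prefix, reason))
    return accepted, rejected
```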