
VPN client address limitation.

Yong Peng
Level 1

Greeting!

My ASA is running SSL VPN, the authentication server is ACS.

Both of them are working well.

Now, I need a limitation:

Some IDs can use VPN when they come from a specific IP, like at the office.

Not anywhere, like at home, hotel...

May I know if it is possible please?

Can NAR help on that?

Thanks in advance.

2 Replies

Marvin Rhoads
Hall of Fame

There are a lot of things you can use in a Dynamic Access Policy (DAP) but end user IP address isn't one of them.

Network Access Restriction (NAR) in ACS can be used to grant or deny authorization based on IP address but with a remote access VPN I believe it would be the VPN-assigned address seen by the ACS server. I'm not absolutely positive about that though.

Have you considered an ACL for tcp/443 on the interface used for VPN access?

Thanks for the reply.

I don't think an ACL for tcp/443 can help with the limitation; the limitation is based on both IDs and IP.

I will look into DAP first.

Thanks!
