04-01-2014 07:55 AM
Greeting!
My ASA is running SSL VPN, the authentication server is ACS.
Both of them are working well.
Now, I need a limitation:
Some IDs can use VPN when they come from a specific IP, like at the office.
Not anywhere, like at home, hotel...
May I know if it is possible please?
Can NAR help on that?
Thanks in advance.
04-01-2014 11:12 AM
There are a lot of things you can use in a Dynamic Access Policy (DAP) but end user IP address isn't one of them.
Network Access Restriction (NAR) in ACS can be used to grant or deny authorization based on IP address but with a remote access VPN I believe it would be the VPN-assigned address seen by the ACS server. I'm not absolutely positive about that though.
Have you considered an ACL for tcp/443 on the interface used for VPN access?
04-02-2014 12:00 AM
Thanks for the reply.
I don't think an ACL for tcp/443 can help with the limitation; the limitation is based on both IDs and IP.
I will look into DAP first.
Thanks!