04-07-2016 12:38 PM
I am looking for a way to use the IP address of the endpoint in an AuthZ policy. I could use Radius-Framed-IP-Address, but the only option is "Equals" or "Not Equal To" and does not give me things like "Starts with". Network Access - Device IP Address has the same issue.
How would we go about using the endpoint address in a policy? The particular use case is around internal vs external VPN connections and using the source address as the way to determine the origin of the VPN connection.
Any guidance is appreciated.
Thanks!
Bob
04-08-2016 08:10 AM
Robert, it is not possible with the current condition set on ISE as you described. Have you looked into whether the ASA can define different profiles or VLANs based on their source IP address?
Hosuk
04-08-2016 09:50 AM
Hi Bob, have you considered using tunnel groups on the ASA for this use case instead of the IP address? That way you can match on Tunnel-Group-Name in the AuthZ policy to provide differentiated results.
Sample:
George
04-08-2016 11:51 AM
The public IP address of the client is sent by the ASA in the Calling-Station-ID attribute. You will be able to use all the normal operands on that in ISE.
Framed-IP-Address stores the assigned IP address from the VPN pool.
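As an added illustration of the point made in the last two replies (this is example code written for this page, not a capture from an ASA and not ISE's policy engine), the snippet below classifies constructed RADIUS attribute sets by the source address the ASA puts in Calling-Station-ID, and contrasts that with Framed-IP-Address, which is always from the VPN pool and so says nothing about where the connection came from. It also shows why a plain string "Starts with" operand on an address is a weak test compared with a CIDR match: the prefix "10.1" also matches 10.100.x.x. The attribute names follow the thread; the addresses, user names, tunnel-group name and internal ranges are assumptions made up for the example.

```python
import ipaddress

# Constructed sample requests (not real ASA output): each dict stands in for the
# RADIUS attributes the ASA would send to ISE for one VPN session.
SAMPLE_REQUESTS = [
    # Connecting over the Internet: public source address, pool address assigned.
    {"User-Name": "alice", "Calling-Station-ID": "198.51.100.23",
     "Framed-IP-Address": "10.20.1.5", "Tunnel-Group-Name": "RA-VPN"},
    # Connecting from an internal segment (assumed internal range 10.1.0.0/16).
    {"User-Name": "bob", "Calling-Station-ID": "10.1.50.7",
     "Framed-IP-Address": "10.20.1.6", "Tunnel-Group-Name": "RA-VPN"},
    # Looks like 10.1 by string prefix, but 10.100.0.0/16 is not an internal range here.
    {"User-Name": "carol", "Calling-Station-ID": "10.100.3.9",
     "Framed-IP-Address": "10.20.1.7", "Tunnel-Group-Name": "RA-VPN"},
    # A non-VPN session where Calling-Station-ID carries a MAC address instead.
    {"User-Name": "dave", "Calling-Station-ID": "00-11-22-33-44-55",
     "Framed-IP-Address": "10.30.0.4"},
]

# Assumed list of address ranges that count as "internal" for this example.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.1.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
]

# The VPN address pool the ASA hands out (assumed); Framed-IP-Address is drawn from it.
VPN_POOL = ipaddress.ip_network("10.20.1.0/24")


def classify_origin(attrs, internal_networks=INTERNAL_NETWORKS):
    """Return 'internal', 'external' or 'unknown' from Calling-Station-ID.

    CIDR containment is used instead of string prefix matching so that the
    classification is exact at the network boundary.
    """
    raw = attrs.get("Calling-Station-ID")
    if not raw:
        return "unknown"
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        # Wired/wireless sessions put a MAC address here, not an IP address.
        return "unknown"
    return "internal" if any(addr in net for net in internal_networks) else "external"


def starts_with_match(attrs, prefix):
    """Model a string 'Starts with' operand applied to Calling-Station-ID."""
    return attrs.get("Calling-Station-ID", "").startswith(prefix)


def framed_ip_in_pool(attrs, pool=VPN_POOL):
    """Framed-IP-Address is the pool address, so it is identical in kind for
    internal and external clients and cannot distinguish the origin."""
    raw = attrs.get("Framed-IP-Address")
    if not raw:
        return False
    return ipaddress.ip_address(raw) in pool


def classify_all(requests=SAMPLE_REQUESTS):
    """Map each User-Name to its origin classification."""
    return {r["User-Name"]: classify_origin(r) for r in requests}


if __name__ == "__main__":
    for name, origin in classify_all().items():
        print(f"{name}: {origin}")
    # Demonstrates the over-match of a bare string prefix.
    print("carol starts with '10.1':", starts_with_match(SAMPLE_REQUESTS[2], "10.1"))
    print("carol starts with '10.1.':", starts_with_match(SAMPLE_REQUESTS[2], "10.1."))
```

In ISE terms the takeaway is the same: put the internal/external test on Calling-Station-ID, prefer a condition that is exact at the network boundary (or, as the previous reply suggests, separate tunnel groups matched on Tunnel-Group-Name), and do not use Framed-IP-Address for origin since every VPN client gets a pool address regardless of where it connected from.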