
Using endpoint IP address as an AuthZ condition

bperciac
Level 5

I am looking for a way to use the IP address of the endpoint in an AuthZ policy.  I could use Radius-Framed-IP-Address, but the only option is "Equals" or "Not Equal To" and does not give me things like "Starts with".  Network Access - Device IP Address has the same issue.

How would we go about using the endpoint address in a policy?  The particular use case is around internal vs external VPN connections and using the source address as the way to determine the origin of the VPN connection.

Any guidance is appreciated.

Thanks!

Bob

3 Replies

howon
Cisco Employee

Robert, it is not possible with the current condition set on ISE, as you described. Have you looked into whether the ASA can define different profiles or VLANs based on the source IP address?

Hosuk

gbekmezi-DD
Level 5

Hi Bob, have you considered using tunnel groups on the ASA for this use case instead of the IP address? That way you can match on Tunnel-Group-Name in the AuthZ policy to provide differentiated results.

Sample:

George

vibobrov
Cisco Employee

The public IP address of the client is sent by the ASA in the Calling-Station-ID attribute. You will be able to use all the normal operands on that in ISE.

Framed-IP-Address stores the IP address assigned from the VPN pool.
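To make the distinction in the last reply concrete, here is an added example that is not code from this thread, from Cisco or from ISE itself. It evaluates the internal-versus-external decision offline against constructed RADIUS attribute sets, treating Calling-Station-ID as the client's source address and Framed-IP-Address as the pool address, as the reply describes. The internal prefixes (INTERNAL_NETS), the profile names and every helper name are assumptions of the example. It also shows why the string "Starts with" operand the question asks for is a trap on IP addresses (a prefix of 10.1 also matches 10.100.x.x), and builds an anchored regex for an octet-aligned prefix of the kind a regex-style match operand could take, if one is available on the attribute.

```python
"""Added example: offline evaluation of an ISE-style AuthZ condition on the
client source address carried in Calling-Station-ID. Not Cisco code; the
networks, profile names and helper names below are assumptions."""
import ipaddress
import re

# Hypothetical corporate address space (an assumption of this example).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed Access-Request attribute sets standing in for what the ASA
# sends: Calling-Station-ID = client source address, Framed-IP-Address =
# address assigned from the VPN pool. Note both VPN users share the pool,
# so Framed-IP-Address says nothing about where the connection came from.
SAMPLE_REQUESTS = [
    {"User-Name": "alice", "Calling-Station-ID": "10.1.4.20",
     "Framed-IP-Address": "10.200.0.5", "Tunnel-Group-Name": "CorpVPN"},
    {"User-Name": "bob", "Calling-Station-ID": "203.0.113.7",
     "Framed-IP-Address": "10.200.0.6", "Tunnel-Group-Name": "CorpVPN"},
    # Wired/wireless requests carry a MAC address in this attribute, not an IP.
    {"User-Name": "printer01", "Calling-Station-ID": "00-11-22-33-44-55"},
]


def calling_station_ip(attrs):
    """Return Calling-Station-ID as an IP address, or None if it is not one."""
    try:
        return ipaddress.ip_address(attrs.get("Calling-Station-ID", ""))
    except ValueError:
        return None


def source_is_internal(attrs, nets=INTERNAL_NETS):
    """True when the client source address falls inside an internal prefix."""
    ip = calling_station_ip(attrs)
    return ip is not None and any(ip in net for net in nets)


def authz_profile(attrs):
    """Fail closed: anything not provably internal gets the external profile."""
    return "Internal-VPN" if source_is_internal(attrs) else "External-VPN"


def starts_with_rule(attrs, prefix):
    """The naive string 'Starts with' operand the question asks for."""
    return attrs.get("Calling-Station-ID", "").startswith(prefix)


def cidr_rule(attrs, cidr):
    """The address-aware equivalent: membership in a network."""
    ip = calling_station_ip(attrs)
    return ip is not None and ip in ipaddress.ip_network(cidr)


def octet_aligned_regex(cidr):
    """Anchored regex equivalent to membership in an octet-aligned IPv4
    prefix (/8, /16, /24, /32), suitable for a regex-style match operand."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only octet-aligned IPv4 prefixes are supported")
    fixed = str(net.network_address).split(".")[: net.prefixlen // 8]
    octet = r"(25[0-5]|2[0-4]\d|1?\d?\d)"
    parts = [re.escape(o) for o in fixed] + [octet] * (4 - len(fixed))
    return "^" + r"\.".join(parts) + "$"


def regex_rule(attrs, cidr):
    """Apply the anchored regex to the raw attribute string."""
    value = attrs.get("Calling-Station-ID", "")
    return re.match(octet_aligned_regex(cidr), value) is not None


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["User-Name"], "->", authz_profile(req))
    # The string prefix "10.1" wrongly admits 10.100.2.3; the CIDR and the
    # anchored regex for 10.1.0.0/16 do not.
    stray = {"Calling-Station-ID": "10.100.2.3"}
    print(starts_with_rule(stray, "10.1"), cidr_rule(stray, "10.1.0.0/16"),
          regex_rule(stray, "10.1.0.0/16"))
```

If the address in Calling-Station-ID is the public side of a NAT rather than the client itself, the rule is really classifying the NAT gateway, so the internal prefix list should be built from the addresses the ASA actually sees, not from the LAN plan.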