collapse

Search


User Info

 
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Author Topic: VPN Assigned IP in ISE  (Read 11714 times)

Offline Mikep

  • Cisco Newbie
  • *
  • Posts: 21
  • Reputation: 5
  • Certification: CCNP
VPN Assigned IP in ISE
« on: November 28, 2016, 12:20:36 PM »
Is there a way for ISE to get the assigned IP for a VPN user connecting through anyconnect?

The user can auth without issues, It's just in the live log the IP address field is blank. I would like ISE to know the users IP so that I can apply WSA and Firepower polices based on User to IP mapping.

Offline Mikep

  • Cisco Newbie
  • *
  • Posts: 21
  • Reputation: 5
  • Certification: CCNP
Re: VPN Assigned IP in ISE
« Reply #1 on: November 28, 2016, 12:27:39 PM »
I figured it out.

Had to add accounting to the anyconnect profile.

Works now :)

Offline Mikep

  • Cisco Newbie
  • *
  • Posts: 21
  • Reputation: 5
  • Certification: CCNP
Re: VPN Assigned IP in ISE
« Reply #2 on: November 28, 2016, 01:53:20 PM »
So the IP address is showing in the ISE live logs, but the login events are not being sent to WSA and FMC.

I have passiveID setup and if I login to a system with AD that login event is indeed being seen in WSA and FMC.

Shouldn't the VPN logins as well be sent via pxGrid to WSA and FMC?

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: VPN Assigned IP in ISE
« Reply #3 on: November 30, 2016, 12:15:01 AM »
Glad you figured it out.  :) I believe VPN IP/Username mapping is published to pxGrid. I am pretty sure I had that setup before and FMC can see VPN user. Do you have .1x setup also? If so, do you see user login on FMC after a successful .1x login?

Offline Mikep

  • Cisco Newbie
  • *
  • Posts: 21
  • Reputation: 5
  • Certification: CCNP
Re: VPN Assigned IP in ISE
« Reply #4 on: December 01, 2016, 07:20:58 AM »
yeah .1x info shows in FMC. Even when I turn the passive ID off.

Offline Mikep

  • Cisco Newbie
  • *
  • Posts: 21
  • Reputation: 5
  • Certification: CCNP
Re: VPN Assigned IP in ISE
« Reply #5 on: December 01, 2016, 08:36:05 AM »
It seems to be working now. Very Strange.

One interesting note is that it looks like you cannot create access rules based on AD group when using ISE/pxGrid in WSA. It limits to SGT's

So I just needed to edit my policy to add the SGT to the Authorization profile. Works like a charm.

Also setup IP spoofing on the WSA with the reverse WCCP statements on the switch, and FMC shows the actual client IP and not the WSA IP for all web traffic. 

Now to get it into production.  ;D

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: VPN Assigned IP in ISE
« Reply #6 on: December 01, 2016, 10:45:01 PM »
Sweet.. Glad that worked out.. Looks like you have an interesting setup  :)

 

SimplePortal 2.3.7 © 2008-2024, SimplePortal