Lab Minutes Forum
Technical Discussion => Security => Topic started by: Mikep on November 28, 2016, 12:20:36 PM
-
Is there a way for ISE to get the assigned IP for a VPN user connecting through AnyConnect?
The user can auth without issues; it's just that in the live log the IP address field is blank. I would like ISE to know the user's IP so that I can apply WSA and Firepower policies based on user-to-IP mapping.
-
I figured it out.
Had to add accounting to the AnyConnect profile.
Works now :)
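As an added illustration (not part of the original post) of what "adding accounting" means on the ASA side, the fragment below points the AnyConnect tunnel-group's RADIUS accounting at ISE in addition to authentication; without the accounting-server-group the ASA never sends the Accounting-Start that carries the Framed-IP-Address ISE uses to fill the IP column. Server-group name, interface, address, pool and shared secret are placeholders:

```text
! Assumed ASA configuration: ISE as a RADIUS server group (placeholder address and key)
aaa-server ISE-RADIUS protocol radius
 interim-accounting-update
aaa-server ISE-RADIUS (inside) host 192.0.2.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! AnyConnect tunnel-group: authentication alone is not enough,
! accounting is what delivers the assigned IP to ISE
tunnel-group ANYCONNECT-TG general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE-RADIUS
 accounting-server-group ISE-RADIUS
```

To check it, connect a client, confirm the session with `show vpn-sessiondb anyconnect` on the ASA, and verify that the matching ISE live session now shows the client's Framed-IP-Address rather than an empty field.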
-
So the IP address is showing in the ISE live logs, but the login events are not being sent to WSA and FMC.
I have PassiveID set up, and if I log in to a system with AD, that login event is indeed being seen in WSA and FMC.
Shouldn't the VPN logins be sent via pxGrid to WSA and FMC as well?
-
Glad you figured it out. :) I believe VPN IP/username mapping is published to pxGrid. I am pretty sure I had that set up before, and FMC can see the VPN user. Do you have .1x set up also? If so, do you see the user login on FMC after a successful .1x login?
-
Yeah, .1x info shows in FMC, even when I turn PassiveID off.
-
It seems to be working now. Very Strange.
One interesting note is that it looks like you cannot create access rules based on AD group when using ISE/pxGrid in WSA. It limits you to SGTs.
So I just needed to edit my policy to add the SGT to the authorization profile. Works like a charm.
Also set up IP spoofing on the WSA with the reverse WCCP statements on the switch, and FMC shows the actual client IP and not the WSA IP for all web traffic.
Now to get it into production. ;D
-
Sweet. Glad that worked out. Looks like you have an interesting setup :)