assign connection profile based on clients public source ip

christoph-ernst · ‎12-16-2013

Dear Community

I have AnyConnect Client configured on a cisco ASA.

And I am trying to assign a connection profile based on the *clients public source ip*.

To quote an example:

Users connecting out of the public network segment A.B.C.D/255.255.255.0 should receive connection profile A.

All other users should receive connection profile B.

Is anyone able provide an approach to solve this problem?

any help would be really appreciated.

best regards

Chris

Collin Clark · ‎12-16-2013

I don't believe there is a way to do that. You should be setting filters by user not by source IP. Why do you want to do it by source IP?

christoph-ernst · ‎12-16-2013

Thanks for your replay.

because of regulations.

People within home country are allowed to have full access.

While (even the same) people are abroad limited access is granted only.

Karsten Iwen · ‎12-16-2013

You can achieve that with the help of an external RADIUS-server. The client IP is sent to the server in the RADIUS-attribute 31, "Calling-Station-Id". The RADIUS-server needs the flexibility to act on the request with a script in that you could change the IP to a network based on your mask (and propably GeoIP-information).

This shold all be possible with FreeRADIUS.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni