Cisco Support Community
New Member

Assign static IP address to ASA VPN clients by ISE

We are going to integrate ASA remote access VPN service with a new ISE 1.2.

The authentication is done against Active directory. After the authentication, can static IP address be assigned to a specific VPN user by ISE?

That means the same VPN user will always get the same IP address. Thanks.

1 ACCEPTED SOLUTION

Cisco Employee

Assign static IP address to ASA VPN clients by ISE

Daniel,

You can assign IETF-Radius-Framed-IP-Address in authorization policy.

However if I may make a suggestion:

Unless you have only a handful of users to do it for, it may make sense to assign address-pool from ISE or perform LDAP attribute mapping on ASA itself.

In the latter case the IP addresses are maintained on the LDAP server as attributes and the ASA will map it to an IP address. You don't want to maintain an IP address DB in multiple places.

M.

15 REPLIES
New Member

Assign static IP address to ASA VPN clients by ISE

I successfully accomplished this using the method you suggested. Thanks a lot.

I would also like to assign IP addresses to VPN clients using an address pool in the ISE. There is a RADIUS attribute Framed-Pool. However, how does it know which address has been used in the pool? Can this attribute be used this way?

Cisco Employee

Assign static IP address to ASA VPN clients by ISE

Daniel,

When RADIUS sends a pool name, the ASA will just use that pool; it's up to the ASA to maintain the pool's free IP addresses, etc.

There is no feedback towards authentication server (ISE or any RADIUS for that matter) in regards to which IP address has been assigned.

If you want to know which addresses were assigned to each user you can still poll via SNMP (if that helps).

Have a look at https://supportforums.cisco.com/docs/DOC-13299

(or you can extract that info via the CLI "show vpn-sessiondb ...")

M.

New Member

Assign static IP address to ASA VPN clients by ISE

What we really want to achieve is to maintain the IP address pool in ISE, but not in ASA. Is that doable?

No, ISE does not have a concept of an IP pool, like a DHCP server or an ASA. Only assigning the name of a local IP pool on the ASA or a static hardcoded IP is possible from ISE.

Also, getting the IP from AD is supported if you put the IP address in a field other than the regular IP address one (which is some weirdly formatted form of a string that ISE doesn't understand) that is under every user, as long as the field is a string.

New Member

Where (as in what part of the config) can the IP pool name (located on the ASA) be assigned in ISE?

Cisco Employee

Try this and see if it works:

Policy > Policy Elements > Dictionaries > System > Radius > RADIUS Vendors > Cisco-VPN3000

Add

Attribute Name: CVPN3000/ASA/PIX7x-Group-Based-Address-Pools

Data Type: String

Direction: Both

ID: 217

Regards,

Jatin Katyal

** Do rate helpful posts **

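As an added illustration (not code from any poster in this thread), the following Python encodes and decodes the two ways discussed above of handing the ASA an address from RADIUS: the IETF Framed-IP-Address/Framed-IP-Netmask attributes named in the accepted answer, and the Cisco-VPN3000 vendor attribute 217 (Group-Based-Address-Pools) from the dictionary entry above. It assumes the standard Cisco-VPN3000 vendor id 3076; the IP, netmask and pool name are constructed sample values.

```python
import socket
import struct

# IETF RADIUS attribute types (RFC 2865)
FRAMED_IP_ADDRESS = 8          # IETF-Radius-Framed-IP-Address
FRAMED_IP_NETMASK = 9
VENDOR_SPECIFIC = 26
# Cisco-VPN3000 vendor id (IANA enterprise number 3076) used by the ASA/PIX7x dictionary
CISCO_VPN3000_VENDOR = 3076
GROUP_BASED_ADDRESS_POOLS = 217  # CVPN3000/ASA/PIX7x-Group-Based-Address-Pools

def ietf_attr(attr_type, value):
    """Encode one standard RADIUS TLV: Type(1) Length(1) Value(<=253 bytes)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vsa_attr(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific (26) attribute wrapping one vendor TLV."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return ietf_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)

def static_ip_attrs(ip, netmask):
    """Attributes ISE returns for a per-user static address (accepted answer)."""
    return (ietf_attr(FRAMED_IP_ADDRESS, socket.inet_aton(ip))
            + ietf_attr(FRAMED_IP_NETMASK, socket.inet_aton(netmask)))

def pool_attrs(pool_name):
    """Hand the ASA the name of a pool it owns; the ASA then picks the address."""
    return vsa_attr(CISCO_VPN3000_VENDOR, GROUP_BASED_ADDRESS_POOLS, pool_name.encode("ascii"))

def decode_attrs(data):
    """Walk an attribute list as the ASA would; VSAs come back as (26, vendor, vtype, value)."""
    out, i = [], 0
    while i < len(data):
        # Reject truncated or zero-length TLVs instead of reading past the buffer
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            out.append((atype, vendor, value[4], value[6:4 + value[5]]))
        elif atype in (FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK):
            out.append((atype, socket.inet_ntoa(value)))
        else:
            out.append((atype, value))
        i += alen
    return out
```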
New Member

Thanks, what I really want to use is IETF Attribute 88 Framed-Pool but it is not present in the IETF dictionary. My mention of ASA was really just to get the concept across.

I have a Telstra RADIUS proxy that I need to authenticate remote users with using RADIUS and issue the users IP addresses. At present this works happily using IETF Attribute 88 Framed-Pool authenticating to ACS, but I am struggling to find support for this on ISE 1.2. I don't think ISE supports RFC 2869 (which is what Attribute 88 is part of).

Cisco Employee

https://supportforums.cisco.com/discussion/12220321/ise-12-ietf-attribute-88-framed-pool-not-available

~BR Jatin Katyal **Do rate helpful posts**
New Member

Jatin,

Just wanted to let you know that I used your suggestion to use ISE 1.4 to assign the proper IP Pool to an Authorization Profile. Worked great. Thank you for posting.

Thanks,

Matt

New Member

Hi Marcin,

Is there a way of mapping remote users' MAC addresses to usernames in the LDAP server?

I have a client who wants to restrict VPN access to the firewall based on the MAC address of the client, or to restrict end-user VPN client access in any way. Basically we want to only allow remote users to connect with their work laptop and not from their home PC, for instance.

New Member

Hi,

This is the topology.

Users are connecting via AnyConnect VPN and are getting authorized with ISE and AD. A Windows DHCP Server is giving out IP addresses dynamically. The customer wants to assign static MAC-IP bindings in the DHCP Server so they can use the firewall to filter based on the VPN IP addresses.

Internet  ----- ASA ------ LAN --- ISE and Windows DHCP Server.

Can you provide more information on how I can assign MAC-IP bindings in a Windows DHCP Server through AnyConnect VPN and ISE?

Thanks.

Cisco Employee

Assign static IP address to ASA VPN clients by ISE

I agree with Marcin. ISE supports the return of standard RADIUS attributes such as Framed-IP-Address and Framed-IP-Netmask. There is an enhancement request filed to support fetching a static IP attribute from Active Directory and sending it to the end client.

CSCud10560 ISE: Need support for static IP AD attribute

Symptom:

ISE currently does not support fetching static IP attribute from Active Directory to send to a client in an Authorization Result.

~BR
Jatin Katyal

**Do rate helpful posts**

Cisco Employee

Assign static IP address to ASA VPN clients by ISE

Hi

The DNS probe in your Cisco ISE deployment, when enabled, allows the profiler to look up an endpoint and get the fully qualified domain name (FQDN) of that endpoint. A DNS lookup tries to determine the endpoint's fully qualified domain name. Upon an endpoint detection on your Cisco ISE enabled network, a list of endpoint attributes is collected from the NetFlow, DHCP, DHCP SPAN, HTTP, RADIUS, or SNMP probes. For a DNS lookup, one of the following probes must be started along with the DNS probe: DHCP, DHCP SPAN, HTTP, RADIUS, or SNMP.

The following list shows the specific endpoint attribute, and the probe that collects the attribute:

The dhcp-requested-address attribute—an attribute collected by the DHCP, and DHCP SPAN probes

The SourceIP attribute—an attribute collected by the HTTP probe

The Framed-IP-Address attribute—an attribute collected by the RADIUS probe

The cdpCacheAddress attribute—an attribute collected by the SNMP probe

Cisco ISE implements an ARP cache in the profiling service, so that you can reliably map IP addresses and MAC addresses of endpoints. For the ARP cache to function, you must enable either the DHCP probe or the RADIUS probe. The DHCP and RADIUS probes carry IP addresses and MAC addresses of endpoints in the payload data. The dhcp-requested-address attribute in the DHCP probe and the Framed-IP-Address attribute in the RADIUS probe carry the IP addresses of endpoints, along with their MAC addresses, which can be mapped and stored in the ARP cache.
