Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Using ISE as RADIUS to allocate IPs

Hi all,

is it possible to use the ISE as a RADIUS server to assign IP's to devices as they authenticate?

We have a private 3g cloud with a provider and all the endpoints are on dynamic IP's meaning that we cannot assign routeable subnets to each 3g device.

The plan is to be able to use a RADIUS server to allocate the device IP address dynamically. I have been told that this is possible using RADIUS and so I was wondering the the ISE could be used for this purpose.

If you think this post should be posted elsewhere, then please let me know and I shall move it.

thanks

Mario

8 REPLIES

This is not possible, only

This is not possible, only VLan DHcp means IP can be assigned
 

New Member

bummer... i was all sorts of

bummer... i was all sorts of atributes in the ISE like "Framed-IP address" etc etc... so can you only use those attributes as a condition for an authZ policy?

The ISE cannot return a Framed IP address in a RADIUS-Accept message no?

If you can confirm my understanding that would be great.

Thanks

Mario

Cisco Employee

There are a couple of Radius

There are a couple of Radius attributes that can perhaps help you address your issue. Take a look at the following thread. It is centered around ASA/VPN deployment but a lot of it would apply to other deployment types as well (wired, wireless):

https://supportforums.cisco.com/discussion/11923261/assign-static-ip-address-asa-vpn-clients-ise

 

Thank you for rating helpful posts! 

New Member

Hi Neno,yes this looks

Hi Neno,

yes this looks similar to what we want. I am thinking that we will need to add each user (or SIM Card) as Identities in the ISE. The question is how would i map each user or SIM to an IP and then send that IP to the NAD?

When i create a user, I can create custom attributes. I guess i would input the IP here. but then how do i respond with that IP in the RADIUS accept message?

Any ideas?

Mario

New Member

At the moment, the only

At the moment, the only option I can see that I have is to have all the users stored in Active Directory and then use the IP Address attribute.

Cisco Employee

I have never done this before

I have never done this before so I am only going to guess here :) 

For your first question: This would depend on how you would want to build your policy but I could see this where you would have to add all devices (Mac addresses) into ISE's DB. Then you can reference those MACs or device groups to assign policies

For your second question: You would do this by returning an "Authorization Profile" that has an "Advanced Attribute" configured with the desired IP address. The advanced attribute settings section has the "Radius:Framed-IP-Address"

Quick question: Wouldn't this be easier with static reservations in your DHCP server?

 

Thank you for rating helpful posts!

New Member

Hi Neno, thanks for your

Hi Neno, thanks for your input on this.

Firstly, we do not have control of the 3g infrastructure. The ISP requires us to be able to issue framed-ip-addresses using a RADIUS server, so this is the ISP's requirement.

Secondly, I have been looking at ways to implement this. From what I can see at the moment, I would have to create a user for each SIM and then write an authorisation profile which returns the framed-ip-address for each user.

Now what i cannot figure out is without writing an authorisation policy for EVERY user, how will the ISE know which Authorisation profile to return? or which IP address to return?

At the moment, I see that if we have say 10 SIM Cards, I would have to create, 10 users, 10 authZ profiles, 10 authZ policies... am i on the right track here?

Thanks

Mario

Cisco Employee

Hi Mario-I am afraid you

Hi Mario-

I am afraid you might be correct. I thought about this and I don't see a way to accomplish what you want with less rules. The reason is the fact that you need to apply a specific rule to an individual device/user vs the more widely used approach where you would apply a specific policy to a group of users/devices. 

I can see where this won't be ideal since the rules can quickly get out of control and too many to manage easily but you have a unique requirement that will require unique set of rules :)

So to finish this up, if you had 10 sim cards then  you will have 10 authorization rules with 10 unique authorization profiles. Each authorization profile will be returning a unique IP address. 

 

Thank you for rating helpful posts!

228
Views
4
Helpful
8
Replies
CreatePlease to create content