Is it possible to use the ISE as a RADIUS server to assign IPs to devices as they authenticate?
We have a private 3G cloud with a provider and all the endpoints are on dynamic IPs, meaning that we cannot assign routeable subnets to each 3G device.
The plan is to be able to use a RADIUS server to allocate the device IP address dynamically. I have been told that this is possible using RADIUS, and so I was wondering whether the ISE could be used for this purpose.
If you think this post should be posted elsewhere, then please let me know and I shall move it.
There are a couple of RADIUS attributes that can perhaps help you address your issue. Take a look at the following thread. It is centered around ASA/VPN deployment, but a lot of it would apply to other deployment types as well (wired, wireless):
Yes, this looks similar to what we want. I am thinking that we will need to add each user (or SIM card) as Identities in the ISE. The question is: how would I map each user or SIM to an IP and then send that IP to the NAD?
When I create a user, I can create custom attributes. I guess I would input the IP here, but then how do I respond with that IP in the RADIUS Accept message?
I have never done this before so I am only going to guess here :)
For your first question: This would depend on how you would want to build your policy, but I could see this where you would have to add all devices (MAC addresses) into ISE's DB. Then you can reference those MACs or device groups to assign policies.
For your second question: You would do this by returning an "Authorization Profile" that has an "Advanced Attribute" configured with the desired IP address. The advanced attribute settings section has the "Radius:Framed-IP-Address".
Quick question: Wouldn't this be easier with static reservations in your DHCP server?
Firstly, we do not have control of the 3G infrastructure. The ISP requires us to be able to issue Framed-IP-Addresses using a RADIUS server, so this is the ISP's requirement.
Secondly, I have been looking at ways to implement this. From what I can see at the moment, I would have to create a user for each SIM and then write an authorisation profile which returns the Framed-IP-Address for each user.
Now what I cannot figure out is, without writing an authorisation policy for EVERY user, how will the ISE know which authorisation profile to return, or which IP address to return?
At the moment, I see that if we have, say, 10 SIM cards, I would have to create 10 users, 10 authZ profiles, 10 authZ policies... am I on the right track here?
I am afraid you might be correct. I thought about this and I don't see a way to accomplish what you want with fewer rules. The reason is the fact that you need to apply a specific rule to an individual device/user, versus the more widely used approach where you would apply a specific policy to a group of users/devices.
I can see where this won't be ideal, since the rules can quickly get out of control and too many to manage easily, but you have a unique requirement that will require a unique set of rules :)
So to finish this up: if you had 10 SIM cards then you will have 10 authorization rules with 10 unique authorization profiles. Each authorization profile will be returning a unique IP address.
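The two answers above describe the same mechanism from opposite ends: a per-identity authorization rule selects a profile, and that profile puts "Radius:Framed-IP-Address" into the Access-Accept the NAD receives. The block below is an added example, not ISE code and not anything from the thread's authors; it shows what that exchange looks like on the wire per RFC 2865, with a constructed SIM-to-address table standing in for the ten user/rule/profile triples, so you can see exactly what the NAD gets and what it should verify before it applies the address. The SIM identities, addresses and shared secret are made up.

```python
"""Build and verify a RADIUS Access-Accept that carries Framed-IP-Address (RFC 2865).

Added example; the identity-to-IP table, the shared secret and the
request authenticator used in the usage section are constructed values.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2            # RADIUS Code for Access-Accept
ATTR_USER_NAME = 1           # User-Name attribute type
ATTR_FRAMED_IP_ADDRESS = 8   # Framed-IP-Address attribute type (4-byte IPv4)

# Constructed sample data: one reserved address per SIM identity. In ISE this is
# the "10 users / 10 profiles / 10 rules" mapping; here it is a plain dict.
SIM_TO_IP = {
    "sim-8944100001": "10.200.0.11",
    "sim-8944100002": "10.200.0.12",
}


def encode_attr(attr_type, value):
    """Encode one RADIUS AVP: Type(1) Length(1, includes header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier, request_authenticator, shared_secret, attributes):
    """Server side: the Response Authenticator is MD5 over
    Code | Identifier | Length | RequestAuth | Attributes | Secret."""
    attrs = b"".join(encode_attr(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + shared_secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, shared_secret):
    """NAD side: recompute the Response Authenticator before trusting any attribute.
    A forged or replayed Accept with a different Request Authenticator fails here."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + shared_secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Walk the AVP list after the 20-byte header; reject truncated attributes."""
    attrs, pos = [], 20
    while pos < len(packet):
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def framed_ip_from_accept(packet):
    """Return the assigned address as a string, or None if the server left the
    choice to the NAS/user (RFC 2865 reserves 255.255.255.254 and 255.255.255.255)."""
    for t, v in parse_attributes(packet):
        if t == ATTR_FRAMED_IP_ADDRESS:
            if len(v) != 4:
                raise ValueError("Framed-IP-Address must be 4 bytes")
            ip = ipaddress.IPv4Address(v)
            if ip in (ipaddress.IPv4Address("255.255.255.254"),
                      ipaddress.IPv4Address("255.255.255.255")):
                return None
            return str(ip)
    return None


def authorize(identity, identifier, request_authenticator, shared_secret):
    """The per-identity rule: known SIM -> Accept with its reserved address,
    unknown SIM -> None (the caller would send an Access-Reject instead)."""
    ip = SIM_TO_IP.get(identity)
    if ip is None:
        return None
    return build_access_accept(
        identifier, request_authenticator, shared_secret,
        [(ATTR_USER_NAME, identity.encode()),
         (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed)],
    )


if __name__ == "__main__":
    secret = b"s3cret"                  # constructed shared secret
    req_auth = bytes(range(16))         # constructed Request Authenticator
    pkt = authorize("sim-8944100001", 7, req_auth, secret)
    print("valid:", verify_response(pkt, req_auth, secret),
          "framed ip:", framed_ip_from_accept(pkt))
```

The point the NAD-side check makes is that Framed-IP-Address is only as trustworthy as the Response Authenticator and shared secret behind it; a NAD that applies the address without recomputing the digest would accept an address from anyone who can spoof the server's UDP source. Note also that Framed-IP-Address carries exactly one IPv4 address, so an Accept with the reserved all-ones or all-ones-minus-one values is an instruction to let the NAS or user pick, not an assignment.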