bummer... i was all sorts of atributes in the ISE like "Framed-IP address" etc etc... so can you only use those attributes as a condition for an authZ policy?

The ISE cannot return a Framed IP address in a RADIUS-Accept message no?

If you can confirm my understanding that would be great.

Thanks

Mario

Hi Neno,

yes this looks similar to what we want. I am thinking that we will need to add each user (or SIM Card) as Identities in the ISE. The question is how would i map each user or SIM to an IP and then send that IP to the NAD?

When i create a user, I can create custom attributes. I guess i would input the IP here. but then how do i respond with that IP in the RADIUS accept message?

Any ideas?

Mario

At the moment, the only option I can see that I have is to have all the users stored in Active Directory and then use the IP Address attribute.

I have never done this before so I am only going to guess here :) 

For your first question: This would depend on how you would want to build your policy but I could see this where you would have to add all devices (Mac addresses) into ISE's DB. Then you can reference those MACs or device groups to assign policies

For your second question: You would do this by returning an "Authorization Profile" that has an "Advanced Attribute" configured with the desired IP address. The advanced attribute settings section has the "Radius:Framed-IP-Address"

Quick question: Wouldn't this be easier with static reservations in your DHCP server?

Thank you for rating helpful posts!

Hi Neno, thanks for your input on this.

Firstly, we do not have control of the 3g infrastructure. The ISP requires us to be able to issue framed-ip-addresses using a RADIUS server, so this is the ISP's requirement.

Secondly, I have been looking at ways to implement this. From what I can see at the moment, I would have to create a user for each SIM and then write an authorisation profile which returns the framed-ip-address for each user.

Now what i cannot figure out is without writing an authorisation policy for EVERY user, how will the ISE know which Authorisation profile to return? or which IP address to return?

At the moment, I see that if we have say 10 SIM Cards, I would have to create, 10 users, 10 authZ profiles, 10 authZ policies... am i on the right track here?

Thanks

Mario

Hi Mario-

I am afraid you might be correct. I thought about this and I don't see a way to accomplish what you want with less rules. The reason is the fact that you need to apply a specific rule to an individual device/user vs the more widely used approach where you would apply a specific policy to a group of users/devices. 

I can see where this won't be ideal since the rules can quickly get out of control and too many to manage easily but you have a unique requirement that will require unique set of rules :)

So to finish this up, if you had 10 sim cards then  you will have 10 authorization rules with 10 unique authorization profiles. Each authorization profile will be returning a unique IP address. 

Thank you for rating helpful posts!