Assign static IP address to ASA VPN clients by ISE

y.lo
Level 1

We are going to integrate ASA remote access VPN service with a new ISE 1.2.

The authentication is done against Active directory. After the authentication, can static IP address be assigned to a specific VPN user by ISE?

That means the same VPN user will always get the same IP address. Thanks.

Accepted Solution

Marcin Latosiewicz
Cisco Employee

Daniel,

You can assign IETF-Radius-Framed-IP-Address in authorization policy.

However if I may make a suggestion:

Unless you have only a handful of users to do it for, it may make sense to assign an address pool from ISE or perform LDAP attribute mapping on the ASA itself.

In the latter case the IP addresses are maintained on the LDAP server as attributes and the ASA will map them to the IP address. You don't want to maintain an IP address DB in multiple places.

M.

15 Replies

I successfully accomplished this using the method you suggested. Thanks a lot.

I would also like to assign IP addresses to VPN clients using an address pool in the ISE. There is a RADIUS attribute Framed-Pool. However, how does it know which address has been used in the pool? Can this attribute be used this way?

Daniel,

When RADIUS sends a pool name, the ASA will just use that pool; it's up to the ASA to maintain the pool's free IP addresses etc.

There is no feedback towards the authentication server (ISE or any RADIUS server for that matter) regarding which IP address has been assigned.

If you want to know which addresses were assigned to each user you can still poll via SNMP (if that helps).

Have a look at https://supportforums.cisco.com/docs/DOC-13299

(or you can extract that info via the CLI with "show vpn-sessiondb ...")

M.

What we really want to achieve is to maintain the IP address pool in ISE, but not in ASA. Is that doable?

No, ISE does not have a concept of an IP pool, like a DHCP server or an ASA. Only assigning the name of a local IP pool on the ASA or a static hardcoded IP is possible from ISE.

Also, getting the IP from AD is supported if you put the IP address in a field other than the regular IP address one (which is some weirdly formatted form of a string that ISE doesn't understand) that is under every user, as long as the field is a string.

Where (as in what part of the config) can the IP pool name (located on the ASA) be assigned in ISE?

Try this and see if it works:

Policy > Policy Elements > Dictionaries > System > Radius > RADIUS Vendors > Cisco-VPN3000

Add

Attribute Name: CVPN3000/ASA/PIX7x-Group-Based-Address-Pools

Data Type: String

Direction: Both

ID: 217

 

Regards,

Jatin Katyal

** Do rate helpful posts **

~Jatin
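To make the two answers above concrete, here is an added example (not from the thread or from Cisco) that encodes and decodes the RADIUS attributes an AAA server returns for address assignment: the per-user Framed-IP-Address / Framed-IP-Netmask from the accepted answer and the pool name sent either as IETF Framed-Pool (88) or as the Cisco VPN3000/ASA vendor attribute 217 that Jatin describes. The vendor ID 3076 comes from the Cisco VPN3000/ASA RADIUS dictionary; the address and pool name values are constructed.

```python
# Added example, not from the thread: RADIUS attribute encoding/decoding for
# the address-assignment attributes ISE can return to an ASA. Type numbers are
# from RFC 2865 (8, 9, 26), RFC 2869 (88) and the Cisco VPN3000/ASA dictionary.
import ipaddress
import struct

FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK, VENDOR_SPECIFIC, FRAMED_POOL = 8, 9, 26, 88
CISCO_VPN3000_VENDOR_ID = 3076
ASA_GROUP_BASED_ADDRESS_POOLS = 217  # CVPN3000/ASA/PIX7x-Group-Based-Address-Pools

def avp(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type(1) Length(1) Value; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26) wrapping a Cisco VPN3000/ASA sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VPN3000_VENDOR_ID) + sub)

def build_static_ip_accept(ip: str, mask: str) -> bytes:
    """Per-user fixed address, as in the accepted answer (Framed-IP-Address)."""
    return (avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed)
            + avp(FRAMED_IP_NETMASK, ipaddress.IPv4Address(mask).packed))

def build_pool_accept(pool_name: str) -> bytes:
    """Name an ASA-local pool both ways; the ASA itself tracks free addresses."""
    name = pool_name.encode()
    return avp(FRAMED_POOL, name) + cisco_vsa(ASA_GROUP_BASED_ADDRESS_POOLS, name)

def decode(attrs: bytes) -> dict:
    """Parse an attribute list into {name: value}, rejecting bad lengths."""
    names = {FRAMED_IP_ADDRESS: "Framed-IP-Address", FRAMED_IP_NETMASK: "Framed-IP-Netmask"}
    out, i = {}, 0
    while i < len(attrs):
        if len(attrs) - i < 2 or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        t, length = attrs[i], attrs[i + 1]
        v = attrs[i + 2:i + length]
        if t in names:
            out[names[t]] = str(ipaddress.IPv4Address(v))
        elif t == FRAMED_POOL:
            out["Framed-Pool"] = v.decode()
        elif t == VENDOR_SPECIFIC and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == CISCO_VPN3000_VENDOR_ID:
            if v[4] == ASA_GROUP_BASED_ADDRESS_POOLS:  # sub-type, sub-length, then value
                out["Group-Based-Address-Pools"] = v[6:4 + v[5]].decode()
        i += length
    return out
```

Note that both pool forms carry only a name: the ASA allocates from its local pool and nothing reports the chosen address back to the RADIUS server, which is why the thread points at SNMP or "show vpn-sessiondb" for that information.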

Thanks, what I really want to use is IETF Attribute 88 Framed-Pool, but it is not present in the IETF dictionary. My mention of the ASA was really just to get the concept across.

I have a Telstra RADIUS proxy that I need to authenticate remote users with using RADIUS and issue the users IP addresses. At present this works happily using IETF Attribute 88 Framed-Pool authenticating to ACS, but I am struggling to find support for this on ISE 1.2. I don't think ISE supports RFC 2869 (which is what Attribute 88 is part of).

 

https://supportforums.cisco.com/discussion/12220321/ise-12-ietf-attribute-88-framed-pool-not-available

~Jatin

Jatin,

Just wanted to let you know that I used your suggestion to use ISE 1.4 to assign the proper IP pool to an Authorization Profile. Worked great. Thank you for posting.

 

Thanks,

Matt

Hi Marcin,

Is there a way of mapping remote users' MAC addresses to usernames in the LDAP server?

I have a client who wants to restrict VPN access to the firewall based on the MAC address of the client, or to restrict end-user VPN client access in any way. Basically we want to only allow remote users to connect with their work laptop and not from their home PC, for instance.

Hi, 

This is the topology.

Users are connecting via AnyConnect VPN and are getting authorized with ISE and AD. A Windows DHCP Server is dynamically giving out IP addresses. The customer wants to assign static MAC-IP bindings in the DHCP Server so they can use the firewall to filter based on the VPN IP addresses.

Internet  ----- ASA ------ LAN --- ISE and Windows DHCP Server.

Can you provide more information on how I can assign a MAC-IP binding in a Windows DHCP Server through AnyConnect VPN and ISE?

Thanks.

Jatin Katyal
Cisco Employee

I agree with Marcin. ISE supports the return of standard RADIUS attributes such as Framed-IP-Address and Framed-IP-Netmask. There is an enhancement request filed to support fetching a static IP attribute from Active Directory and sending it to the end client.

CSCud10560 - ISE: Need support for static IP AD attribute

Symptom:

ISE currently does not support fetching static IP attribute from Active Directory to send to a client in an Authorization Result.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin