topic Re: ISE, Remote Access VPN ASA and static IPv6 address assignment via AD attributes in Network Access Control

ISE, Remote Access VPN ASA and static IPv6 address assignment via AD attributes

Johannes Luther — Wed, 17 Jul 2019 10:45:44 GMT

Hi board,

I want to build an AnyConnect SSL based VPN solution for clients.

It should be possible to assign static IPv4 and IPv6 addresses for the clients.

I'm using ISE 2.4

For IPv4 this is not a problem:

1.) ISE: Add AD attribute "msRADIUSFramedIPAddress" and set the type to IP

2.) ISE: Create an authorization profile with the following advanced attributes and use it in an authorization rule

Radius:Framed-IP-Address = AD:msRADIUSFramedIPAddress

3.) In the AD, add the desired static IPv4 address to the user object (AD users and groups snap-in > User object > Dial-In > Assign static IP addresses > Assign a static IPv4 address)

==> Done: AnyConnect client is assigned the desired static IPv4

For IPv6 this is a problem:

It's not documented anywhere, but the ASA supports the RADIUS attribute Framed-IPv6-Prefix (97). This was tested by creating an authorization profile with the following advanced attributes and use it in an authorization rule:

Radius:Framed-IPv6-Prefix = 2001:db8:eff::1/128

==> No problem on ASA side

What I want to achive, that the static IPv6 address may be maintained in the AD as well. There is even an AD attribute for that:

msRADIUS-FramedIpv6Prefix (String)

So, same approach as for IPv4 here:

1.) ISE: Add AD attribute "msRADIUS-FramedIpv6Prefix" and set the type to ????
==> There is no IPv6 data type (only INT, STRING, IP, OCTET_STRING, BOOLEAN)

==> Let's try "String", because the value is a string in the AD 🙂

2.) ISE: Create an authorization profile with the following advanced attributes and use it in an authorization rule

Framed-IPv6-Prefix = AD:msRADIUS-FramedIpv6Prefix

When I want to save the authorization profile, an error pops up:

Unable to edit Authorization Profile (TEST) : Datatypes are mismatching for Radius:Framed-IPv6-Prefix(IPV6PREFIX) and AD:msRADIUS-FramedIpv6Prefix(STRING)

In ISE 2.4 I cannot change the type in the attribute to IPV6PREFIX. As I already mentioned above only INT, STRING, IP, OCTET_STRING and BOOLEAN are possible.

Question 1: Does someone know if this should work (is it supported) or if I'm doing something wrong here?

Question 2: If this is not supported (or a bug), does someone know if this behavior changes in ISE 2.6? A lot of IPv6 specific features were added to 2.6, but I couldn't find anything in the release notes.

Any other ideas?

Re: ISE, Remote Access VPN ASA and static IPv6 address assignment via AD attributes

Surendra — Wed, 17 Jul 2019 12:47:15 GMT

Framed-IPv6-Address would work but not Framed-IPv6-Prefix with a string type in RHS. I've filed CSCvq56196 for this.

Re: ISE, Remote Access VPN ASA and static IPv6 address assignment via AD attributes

Johannes Luther — Wed, 17 Jul 2019 13:32:26 GMT

Hey Surendra,

thanks for the feedback. The bug is not viewable yet, but I had a TAC case regarding the ASA side and the ASA does only support Framed-IPv6-Prefix

Re: ISE, Remote Access VPN ASA and static IPv6 address assignment via AD attributes

Johannes Luther — Thu, 18 Jul 2019 11:18:26 GMT

Hi Surendra,

thank you for filing this bug. It's viewable now and exactely highlights the problem.

Funny fact is, that the ASA documentation beginning with 9.12 is fixed as well, because previously the IPv6 static address "problem" was not covered there.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/configuration/general/asa-912-general-config/aaa-radius.html#ID-2113-0000003a

Although the documentation has still a tiny bug (Attribute 97 is Framed-IPv6-Prefix and not Framed-IPv6-Address), the ASA documentation also states, that the attribute should be represented as a string.

Again: Thank you for this!!!!

Re: ISE, Remote Access VPN ASA and static IPv6 address assignment via AD attributes

Johannes Luther — Thu, 18 Jul 2019 13:03:11 GMT

Just a side node (that it's documented somewhere and perhaps it helps)

In Active Directory (2016 standard schema) the attribute msRADIUS-FramedIpv6Prefix is limited to 16 characters

The attribute msRADIUS-FramedInterfaceId is limited to 8 characters

==> 16 + 8 is not a full IPv6 address ...

ARGH!!!!

Re: ISE, Remote Access VPN ASA and static IPv6 address assignment via AD attributes

Arne Bier — Thu, 18 Jul 2019 22:21:31 GMT

Well done for persevering on your IPv6 journey. Maybe this thing will get off the ground in the next 15 years 😞

Re: ISE, Remote Access VPN ASA and static IPv6 address assignment via AD attributes

Johannes Luther — Wed, 15 Jul 2020 04:55:44 GMT

Status update: Problem solved with ISE 2.4 Patch 11 and with the help by Microsoft

Quick howto:

1. Add the AD attribute msRADIUS-FramedIpv6Prefix an an external identity store attribute (Datatype IP)

2. Use the following authorization action

Framed-IPv6-Prefix = AD:msRADIUS-FramedIpv6Prefix

3. In the current Windows server versions, the schema needs to be extended, because the msRADIUS-FramedIpv6Prefix is not long enough. Here's a PowerShell snippet do do that

# msRADIUS-FramedIpv6Prefix rangeupper = 43
## Check current settings
Get-ADObject -filter * -SearchBase (Get-ADRootDSE).schemaNamingContext -Properties * | where Name -like "ms-RADIUS-FramedIpv6Prefix"
## Set new rangeupper
Set-ADObject -Identity 'CN=ms-RADIUS-FramedIpv6Prefix,CN=Schema,CN=Configuration,DC=<PATH>[,DC=<PATH>, ...]' -Replace @{rangeUpper=43} -Server <SCHEMA-ROOT-DC>
## Verify
Get-ADObject -filter * -SearchBase (Get-ADRootDSE).schemaNamingContext -Properties * | where Name -like "ms-RADIUS-FramedIpv6Prefix"

4. The AD user attribute msRADIUS-FramedIpv6Prefix can now be populated with the desired IPv6 address (as a string with the prefix length /128). Example:

2001:db8:eff::1/128