topic ISE 2.4 Anyconnect VPN static IP assigment / DHCP -CoA in Network Access Control

ISE 2.4 Anyconnect VPN static IP assigment / DHCP -CoA

startx001 — Wed, 31 Oct 2018 16:12:32 GMT

Hi all .

I have specific situation/problem for Anyconnect VPN static ip assignment. -it does not work

Anyconnect 4.6 client

ASA 9.4.4 interim

Authentication with cetificate

Authorization with Posture check .

1. Users Authenicate on ASA with certificate , get dhcp from ASA (defined in section Anyconnect Client Profile -> Client Address Assigment -> DHCP Servers:)

2. Then users goes to authorization process with posture and if he is compliant, then apply access to network and apply static ip address address with rule

Access Type = ACCESS_ACCEPT
DACL = Anyconnect-Compliant
Framed-IP-Address = 10.250.200.193

I also tried with feching attribute from AD(what would be better solution) but situation is the same

Access Type = ACCESS_ACCEPT
DACL = Anyconnect-Compliant
Framed-IP-Address = AD:extensionAttribute13

1. Can system coexist with dhcp assignment and static ip assignment (users that dont need static ip on vpn need to get ip from dhcp)

2. How to assign static ip to users from AD , and when? Since i do authentication on ASA with cert , can be ip address be changed from DHCP to static with auth profile after posture process is complete or it need to be done on ASA when authentication process is underway ?

3. If under auhentication process - then how to combo ip address assignment with dhcp and ASA -> AD per user static ?

I hope someone know to solve this , because today TAC helped little but still cant solve.

Thanks

Re: ISE 2.4 Anyconnect VPN static IP assigment / DHCP -CoA

pan — Wed, 31 Oct 2018 16:57:24 GMT

Do you want to give specific IP address to users from ISE?

Does assigning IP address with Framed-IP-Address = 10.250.200.193 work for you ?

Assigning IP address with Framed-IP-Address = AD:extensionAttribute13 is not working?

Re: ISE 2.4 Anyconnect VPN static IP assigment / DHCP -CoA

hslai — Thu, 01 Nov 2018 02:15:39 GMT

Please review the chapter IP Addresses for VPNs in Cisco ASA VPN CLI Configuration Guide.

Also, a related discussion -- Set Static IP to Anyconnect user using ... - Cisco Community

Re: ISE 2.4 Anyconnect VPN static IP assigment / DHCP -CoA

startx001 — Thu, 01 Nov 2018 08:47:11 GMT

Hi Pan,

Do you want to give specific IP address to users from ISE?

- Yes in the way, that i match attribute13 from AD with authorization policy after posture process. If this cant be a option since authentication is done on ASA with Cert , then please advise .

Does assigning IP address with Framed-IP-Address = 10.250.200.193 work for you ?

- No it does not work.

Assigning IP address with Framed-IP-Address = AD:extensionAttribute13 is not working?

- Yes it does not working, please look at case number SR 685357314 from yesterday if you have access.

- There is a cosmetic bug, when i put that ISE mark AD:extensionAttribute13 with red (as it is not correct value) but allow to config be saved. In report log i see that attribute is unavailabe.

Re: ISE 2.4 Anyconnect VPN static IP assigment / DHCP -CoA

startx001 — Thu, 01 Nov 2018 08:49:42 GMT

HI hslai,

I already read those documents , but it does not help.

On ASA with version 9.4.4 i already have config "vpn-addr-assign aaa"

Re: ISE 2.4 Anyconnect VPN static IP assigment / DHCP -CoA

hslai — Thu, 01 Nov 2018 15:59:52 GMT

Does assigning IP address with Framed-IP-Address = 10.250.200.193 work for you ?

- No it does not work.

I am now believing this expected. When this CoA feature added in ASA for ISE Posture enforcements on Remote Access VPN users, the policy elements CoA updates are not supported are:

VLAN assignment
IP address assignment

Instead, please use those supported, such as dynamic ACL (dACL) and security group tag (SGT).

Assigning IP address with Framed-IP-Address = AD:extensionAttribute13 is not working?

- Yes it does not working, please look at case number SR 685357314 from yesterday if you have access.

- There is a cosmetic bug, when i put that ISE mark AD:extensionAttribute13 with red (as it is not correct value) but allow to config be saved. In report log i see that attribute is unavailabe.

Unable to retrieve an AD attribute and the web UI bug are separate issues but would not help with this use case.

Re: ISE 2.4 Anyconnect VPN static IP assigment / DHCP -CoA

startx001 — Fri, 02 Nov 2018 00:33:06 GMT

OK,

if Framed-IP-Address = 10.250.200.193 is not working and Framed-IP-Address = AD:extensionAttribute13 is not working

what would be recommended solution ?

I need to assign ip address from ASA ?

Summary:

i need to use certificate authentication, then to give ip address from dhcp pool , and for specific users to assign ip statically.

In authorization to use posture process, dacl for network access.

Thanks

Re: ISE 2.4 Anyconnect VPN static IP assigment / DHCP -CoA

hslai — Fri, 02 Nov 2018 01:18:08 GMT

Please work with TAC to come up a good solution for your use case. I am no expert with ASA remote VPN and I read through your case notes and the assigned TAC has been helpful and resolved a couple of your other issues in the same case.

Anyway, I think the static IP assignment could take place at the initial authentication and/or authorization (i.e. before the posture assessment).

Re: ISE 2.4 Anyconnect VPN static IP assigment / DHCP -CoA

startx001 — Fri, 02 Nov 2018 10:21:53 GMT

Hi ,

But if the static ip assignment take place at the authorization(i.e. before the posture assessment) then it is CoA, what is not supported under remote VPN, right? becase i already have ip assignment with dhcp from ASA after authentication process.

I will try to find out diffrent aproach for this, but anyway i have this on ACS right now in production and it works fine. Dunno why ISE cant ...

Re: ISE 2.4 Anyconnect VPN static IP assigment / DHCP -CoA

hslai — Fri, 02 Nov 2018 14:03:34 GMT

AFAIK, the static IP assignment should be fine during the initial auth and before CoA. The limitation in ASA applies only as part of the CoA push to update the authorization.

Re: ISE 2.4 Anyconnect VPN static IP assigment / DHCP -CoA

startx001 — Sun, 04 Nov 2018 10:48:24 GMT

Solved with Local Exception rule in authorization before posture go in place.

Re: ISE 2.4 Anyconnect VPN static IP assigment / DHCP -CoA

JustTakeTheFirstStep — Tue, 08 Dec 2020 10:58:53 GMT

I am experiencing the same problem.
Can you provide a solution how I solved it??