topic Re: Set Static IP to Anyconnect user using ISE in Network Access Control

Set Static IP to Anyconnect user using ISE

srijan — Fri, 21 Feb 2020 18:52:27 GMT

Hi, in our production environment, RA users connects to network using Anyconnect (Authentication via PKI cert and ISE - AD integrated). Requirement here is for one user, he needs to be assigned the same IP everytime he connects using VPN. We do have a policy in ISE, if the username matches(which is obtained from the certificate), framed-ip-address and framed mask address attributes are set to an IP address (assume: 10.10.10.15) and its equivalent netmask. This also falls within the range that is defined in ASA - dhcp-network-scope. Whenever the user connects, it picks the default policy like any other user but not this. Any suggestions how to troubleshoot. Is there something that I am missing.

Re: Set Static IP to Anyconnect user using ISE

Rob Ingram — Sat, 31 Mar 2018 10:59:18 GMT

Hi,

This seems to be what you are looking for.

Re: Set Static IP to Anyconnect user using ISE

Rahul Govindan — Mon, 02 Apr 2018 12:47:01 GMT

Do you have the "vpn-addr-assign aaa" command enabled? This enables a AAA server to assign ip address to a user. I do not think this is enabled by default.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/T-Z/cmdref4/v.html#pgfId-1663263

Re: Set Static IP to Anyconnect user using ISE

srijan — Mon, 02 Apr 2018 13:12:17 GMT

Thanks RJI and Rahul.

I will check this when I get to work today.

Hi Rahul,

Assuming I don't have this already set (vpn-addr-assign aaa) and I add it to the config today.

Here, I am more concerned about just this one user, say user1, who should get this static IP. The rest of the employees should get IP released from the DHCP, as it is happening currently. Will this change (vpn-addr-assign aaa) have any impact on the other users.

Hi RJI,

this issue started since we changed our certificate vendor is what we assume. Because the user did not report the issue when it actually stopped working, he took months before bringing it to us. It was working fine without the Dial-In settings in AD as suggested in the link provided by you. However, I will take a look at it today and update you folks on the status.

Thank you for the inputs.

Re: Set Static IP to Anyconnect user using ISE

Rahul Govindan — Mon, 02 Apr 2018 22:18:45 GMT

You can have both enabled. If I recall, aaa should have a higher precedence over dhcp. I would open a Cisco TAC case to confirm this as I could find no external doc on this.

And although the command reference says that there is no default value for this, another doc says that it is enabled by default. You might want to check "show run all vpn-addr-assign" before making changes.