topic Anyconnect user static IP in Network Access Control

Anyconnect user static IP

manvik — Tue, 12 Jan 2021 06:23:44 GMT

Guys, looking for DC-DR static IP solution for Anyconnect VPN clients.

Current architecture is

Anyconnect <> DC ASA <> DC ISE <> Corp AD

Anyconnect user gets a static IP. IP is binded to static IP properties of AD user in Dial-in Tab.

DC ISE fetches this IP (192.168.31.x range) and passes on to the user. Till now it's working perfectly.

Now, we are setting up another ASA in DR, now the architecture becomes;

Anyconnect <> DR ASA <> DR ISE <> Corp AD

this time the anyconnect user should get IP in the range 172.16.x.x range.

Anyone any idea how this can be worked out. AD user properties lets store only one IP address.

Re: Anyconnect user static IP

Mohammed al Baqari — Tue, 12 Jan 2021 07:12:50 GMT

Hi,

This is not possible using AD Dial-In option. You need to assign the static
IPs using ISE (Frame-IP) on a per user basis or use an external DHCP for
your IP Pool and bind using MAC addresses. But from AD, you can't have more
than one static IP.

One solution you can try is to have two OUs in AD with duplicate users but
having different static IPs. Then your ISE nodes in Active/DR should point
to their respective OUs. This makes active ISE validate with Active OU and
get Active static IPs and DR ISE validate DR OU and get DR static IPs.

I will go for ISE option of allocating IPs as this is the best option but
its your call.

***** please remember to rate useful posts

Re: Anyconnect user static IP

Rob Ingram — Tue, 12 Jan 2021 08:07:32 GMT

@manvik

Perhaps you could use dynamic variable substitution, example here. Add the IP address to an unused AD attribute, such as "pager" for each user. Create a new AuthZ profile, referencing the attribute. Use this AuthZ profile for sessions from the DR ASA.

Re: Anyconnect user static IP

manvik — Wed, 13 Jan 2021 05:03:35 GMT

Thank you @Mohammed al Baqari

I think the feasible option is " assign the static IPs using ISE (Frame-IP) on a per user basis". Question is how do we assign static IP in ISE for an AD user.

Re: Anyconnect user static IP

manvik — Wed, 13 Jan 2021 05:04:01 GMT

Thank you @Rob Ingram let me test this.

Re: Anyconnect user static IP

Mohammed al Baqari — Wed, 13 Jan 2021 05:47:50 GMT

Hi,

You match the username in the authorization policy and in the authorization
profile assign framed-ip attribute.

**** please remember to rate useful posts

Re: Anyconnect user static IP

Rob Ingram — Wed, 13 Jan 2021 13:44:54 GMT

@manvik Out of curiousity and to confirm my thoughts, I've tested it and it works as expected.

msRADIUSFramedIPAddress just relates to the attribute under the Dial-in tab in AD, it seems you can use any attribute under the users account in AD, as long as you import them into ISE. I imagine you could use custom schema attributes also.

HTH

Re: Anyconnect user static IP

charles07 — Thu, 14 Jan 2021 13:58:58 GMT

Thank you @Rob Ingram It worked like a charm.