Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1859
Views
5
Helpful
5
Replies

Framed-Route via Cisco ISE for 2000+ endpoints

cisco_sec_geek
Level 1
Level 1

‎10-28-2019 01:21 AM - edited ‎10-28-2019 01:22 AM

One of my client are rolling out LTE devices (IMSI) and would like to use ISE as Radius and push 4 IP addresses in the form of framed-route.

Radius attribute = 22

How do we setup ISE to push /29 Framed-Route every time an LTE device (IMSI) comes online.

Every IMSI will have an unique IP, in addition it needs another minimum 4 IP addresses for 4 different applications.

Not sure, how to define AuthC and AuthZ Policy on ISE to support this.

We are talking around 2000 devices.

 

Thank you in advance for your help.

Cheers

Sanjay

1 person had this problem
0 Helpful
5 Replies 5

howon
Cisco Employee
Cisco Employee

‎10-28-2019 10:22 PM

I am not familiar with IMSI, but is it going to be specific 4 IPs given an endpoint or does it needs to be assigned from a pool? If former, then based on identity one could send back the 4 IPs as it connects. But, mapping of identity and the 4 IPs needs to be maintained within ISE. As I never worked with IMSI, I can't comment on which can be used for identity. If latter, then there is currently no way to do this natively.

0 Helpful

Arne Bier
VIP
VIP

‎10-30-2019 04:57 AM

Hi

 

I can relate a similar customer use case where a Cisco ISE router has a cellular modem and when this modem is activated to the ISP, the ISP makes a RADIUS request to ISE to authenticate the IMSI (Mobile SIM ID). The authentication is a simple PAP auth and we return some values like Framed IP address and default gateway etc.

 

The question is: where do you want to store the mapping of IMSI --> IP attributes? Easiest answer ... by using ISE Internal User Database.  Create your IMSI users, and then assign custom attributes to them - e.g.

custom.png

YOu can also exract all this from AD or LDAP or ODBC.

 

The Authorization results will look something like this

radius2.PNG

Lam Hung Chung
Level 1
Level 1
In response to Arne Bier

‎06-30-2020 09:38 PM

Thank you Arne. This is helpful. I configured ISE with these customer attributes. I can see that the Framed-IP-Address works. But Framed-Route doesn't work.

 

I defined Framed-Route as "String" and give it a value in two formats. But none of them worked.

Format 1: 10.1.1.0/24

Format 2: 10.1.1.0/24 0.0.0.0 1

 

The second one is following RFC recommendation. Now, I'm not sure what's next. Can you please give more detailed information on how to configure Framed-Route on ISE 2.3?

0 Helpful

Arne Bier
VIP
VIP
In response to Lam Hung Chung

‎07-01-2020 03:58 PM

String is correct. Have a look at the example for IOS devices, check out the debug in link below. 

IOS example 

0 Helpful

Lam Hung Chung
Level 1
Level 1
In response to Arne Bier

‎07-01-2020 04:55 PM

Thank you for the confirmation.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents