ISE, Remote Access VPN ASA and static IPv6 address assignment via AD attributes

Johannes Luther
Level 4

Hi board,

I want to build an AnyConnect SSL based VPN solution for clients.

It should be possible to assign static IPv4 and IPv6 addresses for the clients.

I'm using ISE 2.4

 

For IPv4 this is not a problem:

1.) ISE: Add AD attribute "msRADIUSFramedIPAddress" and set the type to IP

2.) ISE: Create an authorization profile with the following advanced attributes and use it in an authorization rule

 

Radius:Framed-IP-Address = AD:msRADIUSFramedIPAddress

3.) In the AD, add the desired static IPv4 address to the user object (AD users and groups snap-in > User object > Dial-In > Assign static IP addresses > Assign a static IPv4 address)

 

==> Done: AnyConnect client is assigned the desired static IPv4

 

For IPv6 this is a problem:

It's not documented anywhere, but the ASA supports the RADIUS attribute Framed-IPv6-Prefix (97). This was tested by creating an authorization profile with the following advanced attributes and using it in an authorization rule:

Radius:Framed-IPv6-Prefix = 2001:db8:eff::1/128

==> No problem on ASA side

 

What I want to achieve is that the static IPv6 address may be maintained in the AD as well. There is even an AD attribute for that:

msRADIUS-FramedIpv6Prefix (String)

 

So, same approach as for IPv4 here:

1.) ISE: Add AD attribute "msRADIUS-FramedIpv6Prefix" and set the type to ????
==> There is no IPv6 data type (only INT, STRING, IP, OCTET_STRING, BOOLEAN)

==> Let's try "String", because the value is a string in the AD :)

2.) ISE: Create an authorization profile with the following advanced attributes and use it in an authorization rule

 

Framed-IPv6-Prefix = AD:msRADIUS-FramedIpv6Prefix

When I want to save the authorization profile, an error pops up:

Unable to edit Authorization Profile (TEST) : Datatypes are mismatching for Radius:Framed-IPv6-Prefix(IPV6PREFIX) and AD:msRADIUS-FramedIpv6Prefix(STRING)

In ISE 2.4 I cannot change the type in the attribute to IPV6PREFIX. As I already mentioned above only INT, STRING, IP, OCTET_STRING and BOOLEAN are possible.

 

Question 1: Does someone know if this should work (is it supported) or if I'm doing something wrong here?

Question 2: If this is not supported (or a bug), does someone know if this behavior changes in ISE 2.6? A lot of IPv6 specific features were added to 2.6, but I couldn't find anything in the release notes.

 

Any other ideas?

Accepted Solution

Surendra
Cisco Employee

Framed-IPv6-Address would work but not Framed-IPv6-Prefix with a string type in RHS. I've filed CSCvq56196 for this.


6 Replies

Hey Surendra,

Thanks for the feedback. The bug is not viewable yet, but I had a TAC case regarding the ASA side, and the ASA only supports Framed-IPv6-Prefix.

Hi Surendra,

Thank you for filing this bug. It's viewable now and exactly highlights the problem.

Funny fact is that the ASA documentation, beginning with 9.12, is fixed as well, because previously the IPv6 static address "problem" was not covered there.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/configuration/general/asa-912-general-config/aaa-radius.html#ID-2113-0000003a

 

Although the documentation still has a tiny bug (attribute 97 is Framed-IPv6-Prefix and not Framed-IPv6-Address), the ASA documentation also states that the attribute should be represented as a string.

Again: Thank you for this!!!!

Johannes Luther
Level 4

Just a side note (so that it's documented somewhere, and perhaps it helps):

In Active Directory (2016 standard schema) the attribute msRADIUS-FramedIpv6Prefix is limited to 16 characters

The attribute msRADIUS-FramedInterfaceId is limited to 8 characters

 

==> 16 + 8 is not a full IPv6 address ...

ARGH!!!!

Well done for persevering on your IPv6 journey. Maybe this thing will get off the ground in the next 15 years :-(

Johannes Luther
Level 4

Status update: Problem solved with ISE 2.4 Patch 11 and with help from Microsoft

Quick howto:

1. Add the AD attribute msRADIUS-FramedIpv6Prefix as an external identity store attribute (Datatype IP)

2. Use the following authorization action

Framed-IPv6-Prefix = AD:msRADIUS-FramedIpv6Prefix

 

3. In the current Windows Server versions, the schema needs to be extended, because the msRADIUS-FramedIpv6Prefix attribute is not long enough. Here's a PowerShell snippet to do that:

# Raise rangeUpper of ms-RADIUS-FramedIpv6Prefix to 43: the longest textual IPv6 address is 39 characters, plus "/128"
# Requires the ActiveDirectory module; schema changes must be made against the schema master by a Schema Admin
## Check current settings (note the rangeUpper value, 16 in the default schema)
Get-ADObject -Filter * -SearchBase (Get-ADRootDSE).schemaNamingContext -Properties * | Where-Object Name -like "ms-RADIUS-FramedIpv6Prefix"
## Set new rangeUpper (replace the <PATH> placeholders with your forest's DC components and <SCHEMA-ROOT-DC> with the schema master)
Set-ADObject -Identity 'CN=ms-RADIUS-FramedIpv6Prefix,CN=Schema,CN=Configuration,DC=<PATH>[,DC=<PATH>, ...]' -Replace @{rangeUpper=43} -Server <SCHEMA-ROOT-DC>
## Verify that rangeUpper now reads 43
Get-ADObject -Filter * -SearchBase (Get-ADRootDSE).schemaNamingContext -Properties * | Where-Object Name -like "ms-RADIUS-FramedIpv6Prefix"

4. The AD user attribute msRADIUS-FramedIpv6Prefix can now be populated with the desired IPv6 address (as a string with the prefix length /128). Example:

2001:db8:eff::1/128
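As an added example that is not part of the thread: a PowerShell helper for step 4 that checks the string is a valid IPv6 host prefix (/128, at most 43 characters, matching the rangeUpper set in step 3) before writing it to the user's msRADIUS-FramedIpv6Prefix attribute, then reads it back to confirm it was not truncated. The function names and the sample user are hypothetical; it assumes the ActiveDirectory module and that the schema change from step 3 has been applied.

```powershell
# Added example, not from the thread: validate and write a static IPv6 prefix for a VPN user.
function Test-FramedIpv6Prefix {
    param([Parameter(Mandatory)][string]$Prefix)

    # Expected form is <address>/<length>, e.g. 2001:db8:eff::1/128
    $parts = $Prefix -split '/'
    if ($parts.Count -ne 2) { return $false }

    # The address part must parse as IPv6 (not IPv4)
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($parts[0], [ref]$addr)) { return $false }
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) { return $false }

    # A single client address is signalled with prefix length 128
    $len = 0
    if (-not [int]::TryParse($parts[1], [ref]$len)) { return $false }
    if ($len -ne 128) { return $false }

    # 39 characters for the longest IPv6 text form plus "/128" = 43, the rangeUpper from step 3;
    # the default schema limit of 16 would not fit most real addresses
    if ($Prefix.Length -gt 43) { return $false }
    return $true
}

function Set-UserFramedIpv6Prefix {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Prefix
    )
    if (-not (Test-FramedIpv6Prefix -Prefix $Prefix)) {
        throw "Refusing to write '$Prefix': expected an IPv6 address with /128, at most 43 characters"
    }
    # Store the string exactly as ISE forwards it in Framed-IPv6-Prefix (attribute 97)
    Set-ADUser -Identity $SamAccountName -Replace @{'msRADIUS-FramedIpv6Prefix' = $Prefix}
    # Read back so a silently truncated value is noticed before the next VPN login
    (Get-ADUser -Identity $SamAccountName -Properties 'msRADIUS-FramedIpv6Prefix').'msRADIUS-FramedIpv6Prefix'
}

# Constructed sample call using the documentation prefix from the thread (user 'jdoe' is hypothetical):
# Set-UserFramedIpv6Prefix -SamAccountName 'jdoe' -Prefix '2001:db8:eff::1/128'
```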