07-17-2019 03:44 AM - edited 07-17-2019 03:45 AM
Hi board,
I want to build an AnyConnect SSL based VPN solution for clients.
It should be possible to assign static IPv4 and IPv6 addresses for the clients.
I'm using ISE 2.4
For IPv4 this is not a problem:
1.) ISE: Add AD attribute "msRADIUSFramedIPAddress" and set the type to IP
2.) ISE: Create an authorization profile with the following advanced attributes and use it in an authorization rule
Radius:Framed-IP-Address = AD:msRADIUSFramedIPAddress
3.) In the AD, add the desired static IPv4 address to the user object (AD users and groups snap-in > User object > Dial-In > Assign static IP addresses > Assign a static IPv4 address)
==> Done: AnyConnect client is assigned the desired static IPv4
For IPv6 this is a problem:
It's not documented anywhere, but the ASA supports the RADIUS attribute Framed-IPv6-Prefix (97). This was tested by creating an authorization profile with the following advanced attributes and use it in an authorization rule:
Radius:Framed-IPv6-Prefix = 2001:db8:eff::1/128
==> No problem on ASA side
What I want to achieve is that the static IPv6 address may be maintained in the AD as well. There is even an AD attribute for that:
msRADIUS-FramedIpv6Prefix (String)
So, same approach as for IPv4 here:
1.) ISE: Add AD attribute "msRADIUS-FramedIpv6Prefix" and set the type to ????
==> There is no IPv6 data type (only INT, STRING, IP, OCTET_STRING, BOOLEAN)
==> Let's try "String", because the value is a string in the AD :)
2.) ISE: Create an authorization profile with the following advanced attributes and use it in an authorization rule
Framed-IPv6-Prefix = AD:msRADIUS-FramedIpv6Prefix
When I want to save the authorization profile, an error pops up:
In ISE 2.4 I cannot change the type in the attribute to IPV6PREFIX. As I already mentioned above only INT, STRING, IP, OCTET_STRING and BOOLEAN are possible.
Question 1: Does someone know if this should work (is it supported) or if I'm doing something wrong here?
Question 2: If this is not supported (or a bug), does someone know if this behavior changes in ISE 2.6? A lot of IPv6 specific features were added to 2.6, but I couldn't find anything in the release notes.
Any other ideas?
07-17-2019 05:42 AM - edited 07-17-2019 05:47 AM
Framed-IPv6-Address would work but not Framed-IPv6-Prefix with a string type in RHS. I've filed CSCvq56196 for this.
07-17-2019 06:32 AM
Hey Surendra,
thanks for the feedback. The bug is not viewable yet, but I had a TAC case regarding the ASA side and the ASA only supports Framed-IPv6-Prefix.
07-18-2019 04:18 AM
Hi Surendra,
thank you for filing this bug. It's viewable now and exactly highlights the problem.
Funny fact is, that the ASA documentation beginning with 9.12 is fixed as well, because previously the IPv6 static address "problem" was not covered there.
Although the documentation has still a tiny bug (Attribute 97 is Framed-IPv6-Prefix and not Framed-IPv6-Address), the ASA documentation also states, that the attribute should be represented as a string.
Again: Thank you for this!!!!
07-18-2019 06:02 AM - edited 07-18-2019 06:03 AM
Just a side note (so that it's documented somewhere and perhaps it helps):
In Active Directory (2016 standard schema) the attribute msRADIUS-FramedIpv6Prefix is limited to 16 characters
The attribute msRADIUS-FramedInterfaceId is limited to 8 characters
==> 16 + 8 is not a full IPv6 address ...
ARGH!!!!
07-18-2019 03:21 PM
Well done for persevering on your IPv6 journey. Maybe this thing will get off the ground in the next 15 years :-(
07-14-2020 09:55 PM
Status update: Problem solved with ISE 2.4 Patch 11 and with the help by Microsoft
Quick howto:
1. Add the AD attribute msRADIUS-FramedIpv6Prefix as an external identity store attribute (Datatype IP)
2. Use the following authorization action
Framed-IPv6-Prefix = AD:msRADIUS-FramedIpv6Prefix
3. In the current Windows server versions, the schema needs to be extended, because the msRADIUS-FramedIpv6Prefix is not long enough. Here's a PowerShell snippet to do that
# msRADIUS-FramedIpv6Prefix rangeupper = 43
## Check current settings
Get-ADObject -filter * -SearchBase (Get-ADRootDSE).schemaNamingContext -Properties * | where Name -like "ms-RADIUS-FramedIpv6Prefix"
## Set new rangeupper
Set-ADObject -Identity 'CN=ms-RADIUS-FramedIpv6Prefix,CN=Schema,CN=Configuration,DC=<PATH>[,DC=<PATH>, ...]' -Replace @{rangeUpper=43} -Server <SCHEMA-ROOT-DC>
## Verify
Get-ADObject -filter * -SearchBase (Get-ADRootDSE).schemaNamingContext -Properties * | where Name -like "ms-RADIUS-FramedIpv6Prefix"
4. The AD user attribute msRADIUS-FramedIpv6Prefix can now be populated with the desired IPv6 address (as a string with the prefix length /128). Example:
2001:db8:eff::1/128
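The howto above ends with populating the user attribute by hand. As an added example (not code from the thread or from Cisco/Microsoft), the following PowerShell script reads the current rangeUpper of the schema attribute, validates that a candidate value is a single IPv6 host address written with /128 and short enough to fit that limit, and only then writes it to the user object with Set-ADUser. It assumes the RSAT ActiveDirectory module, and the parameters $SamAccountName and $Value are placeholders you supply; the 43-character limit comes from the longest textual IPv6 address (39 characters) plus "/128".

```powershell
# Added example: validate and set msRADIUS-FramedIpv6Prefix for one AD user.
# Assumes the RSAT ActiveDirectory module; $SamAccountName and $Value are placeholders.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [Parameter(Mandatory)][string]$Value   # e.g. '2001:db8:eff::1/128'
)

function Test-FramedIpv6PrefixValue {
    param([string]$Value, [int]$RangeUpper)
    # The value must be "address/prefixlen"; the ASA expects a host route, i.e. /128.
    $parts = $Value -split '/'
    if ($parts.Count -ne 2 -or $parts[1] -ne '128') { return $false }
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($parts[0], [ref]$addr)) { return $false }
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) { return $false }
    # Longest textual IPv6 address is 39 characters, plus "/128" gives 43,
    # which is why the default rangeUpper of 16 is too small.
    return ($Value.Length -le $RangeUpper)
}

Import-Module ActiveDirectory

# Read the schema limit instead of hard-coding 43, so the check follows the real schema.
$schemaDn = 'CN=ms-RADIUS-FramedIpv6Prefix,' + (Get-ADRootDSE).schemaNamingContext
$schemaAttr = Get-ADObject -Identity $schemaDn -Properties rangeUpper
$limit = [int]$schemaAttr.rangeUpper

if (-not (Test-FramedIpv6PrefixValue -Value $Value -RangeUpper $limit)) {
    throw "Value '$Value' is not a /128 IPv6 host address that fits rangeUpper=$limit"
}

# Write the attribute and read it back for verification.
Set-ADUser -Identity $SamAccountName -Replace @{ 'msRADIUS-FramedIpv6Prefix' = $Value }
Get-ADUser -Identity $SamAccountName -Properties msRADIUS-FramedIpv6Prefix |
    Select-Object SamAccountName, msRADIUS-FramedIpv6Prefix
```

Run it as `.\Set-FramedIpv6Prefix.ps1 -SamAccountName jdoe -Value '2001:db8:eff::1/128'` (script name and account are placeholders). If the schema has not been extended yet, the read-back rangeUpper will be 16 and the validation refuses the write, which is a safer failure than a truncated value being handed to ISE and the ASA.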