
Need to use ISE DHCP for my VPN users

I have several groups of people using my VPN. They all go to different areas of my network. I want to assign them different DHCP scopes on ISE for their login (right now, AnyConnect cannot get beyond a RADIUS acceptance for the network but cannot get an IP address).

I have a couple of scopes built on ISE under DHCP & DNS services.

Please note, I do NOT want to allow any other devices to pick up IP addresses here.

I also have a Microsoft DHCP server. I could go there, but another engineer is forcing all the users into one tunnel group, so IP helper won't work there (I don't think).

HELP!!!!

Thanks

Joe W

Accepted Solutions


@Mike.Cifelli wrote:
Why not use the ASA/VPN box to locally distribute IPs accordingly? Or have you considered utilizing AD and specific attributes such as msRADIUSFramedIPAddress to issue IPs? Only issue with option two I think is that it would be a static non-dynamic IP at all times.

ISE DHCP Services is not a solution for this; it's not scaled, designed, or tested for this use case.

See this thread as well? 

https://community.cisco.com/t5/identity-services-engine-ise/need-to-get-a-dhcp-address-from-a-internal-dhcp-server-for-my/m-p/4005349#M33120


4 Replies

Mike.Cifelli
VIP Alumni
Why not use the ASA/VPN box to locally distribute IPs accordingly? Or have you considered utilizing AD and specific attributes such as msRADIUSFramedIPAddress to issue IPs? Only issue with option two I think is that it would be a static non-dynamic IP at all times.

Sorry, none of the devices are on AD. They are ALL external users who do not have our AD attributes.

I have tried to use the ASA/VPN box. I defined all of the scopes (12) and pointed the local-groups to them; however, I still get nothing.



Can ISE DHCP network-scope fulfill this requirement?