Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1982
Views
10
Helpful
6
Replies

็How can configure ISE for FIX 2 IP for 1 Users

Go to solution
jewfcb001
Level 4
Level 4

‎11-25-2020 04:55 AM - edited ‎11-25-2020 04:55 AM

Hi All ,

I try to configure Cisco ISE Static IP for User VPN(User Custom Attributes) . It's working fine . But  If I need to configure fix 2 IP Address for 1 User .I'm not sure how can do it for this situation and condition on Cisco ISE. 

 

Please advise me .

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP
In response to jewfcb001

‎11-29-2020 07:47 PM

Definitely

 

Create two Authorization Profiles, which include the custom IP address attributes (and anything else you need)

 

Authorization Profile VPN_NAS1:

VPNNAS1.PNG

 

 

 

And the other one - VPN_NAS2:

VPNNAS2.PNG

 

And then use them in the Authorization Policy

policy1.PNG

 

 

 

View solution in original post

6 Replies 6

Go to solution
Arne Bier
VIP
VIP

‎11-29-2020 06:25 PM

@jewfcb001 - how does this work in theory? What is the 2nd IP address used for? Can you give more details about this?

 

As you already found out, you can return custom attributes when internal ISE users are authenticated. The question I have is

  • Does this user always need 2 fixed IP addresses?
  • or ... do you need to assign a different IP address for the same user, but under different conditions? (e.g. user bob needs IP:10.10.10.1 when connecting from location A, and IP: 20.20.20.1 when connecting from location B)
0 Helpful

Go to solution
jewfcb001
Level 4
Level 4

‎11-29-2020 07:00 PM

@Arne Bier 

or ... do you need to assign a different IP address for the same user, but under different conditions? (e.g. user bob needs IP:10.10.10.1 when connecting from location A, and IP: 20.20.20.1 when connecting from location B

    Yes , It's my objective. I found user custom attributes and I can configure many attribute for Static  IP address . I think I can use this option for my objective and configure this option on authorization for seperate location.. Please advise me again .

 ise.pngise2.png

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to jewfcb001

‎11-29-2020 07:19 PM - edited ‎11-29-2020 07:20 PM

Sadly ISE is not flexible in that way. If the user is successfully authenticated, then ISE will make those custom attributes available to you in your Authorization Profile - but you cannot be conditional about it.

 

One way around this would be to create two Authorization Rules with matching Authorization Profiles - and then to return the correct Authorization Profile depending on the Authorization logic that you're using. Is that scalable for you?

 

Example Authorization Profile below (which returns both IPs - of course this is non-sensical - the NAS can only handle (the last) one)

ipaddr.png

0 Helpful

Go to solution
jewfcb001
Level 4
Level 4

‎11-29-2020 07:24 PM

@Arne Bier 

 I will use 2 authorize profile and use NAS condition for seperate Static IP. 

 

what do you think? Is it possible ?

Go to solution
Arne Bier
VIP
VIP
In response to jewfcb001

‎11-29-2020 07:47 PM

Definitely

 

Create two Authorization Profiles, which include the custom IP address attributes (and anything else you need)

 

Authorization Profile VPN_NAS1:

VPNNAS1.PNG

 

 

 

And the other one - VPN_NAS2:

VPNNAS2.PNG

 

And then use them in the Authorization Policy

policy1.PNG

 

 

 

Go to solution
jewfcb001
Level 4
Level 4

‎11-29-2020 08:03 PM

@Arne Bier 

 

Thank you for the answer . I will try in my lab . I think this solution good for me . 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents