11-25-2020 04:55 AM - edited 11-25-2020 04:55 AM
Hi All ,
I try to configure Cisco ISE Static IP for User VPN(User Custom Attributes) . It's working fine . But If I need to configure fix 2 IP Address for 1 User .I'm not sure how can do it for this situation and condition on Cisco ISE.
Please advise me .
Solved! Go to Solution.
11-29-2020 07:47 PM
Definitely
Create two Authorization Profiles, which include the custom IP address attributes (and anything else you need)
Authorization Profile VPN_NAS1:
And the other one - VPN_NAS2:
And then use them in the Authorization Policy
11-29-2020 06:25 PM
@jewfcb001 - how does this work in theory? What is the 2nd IP address used for? Can you give more details about this?
As you already found out, you can return custom attributes when internal ISE users are authenticated. The question I have is
11-29-2020 07:00 PM
or ... do you need to assign a different IP address for the same user, but under different conditions? (e.g. user bob needs IP:10.10.10.1 when connecting from location A, and IP: 20.20.20.1 when connecting from location B
Yes , It's my objective. I found user custom attributes and I can configure many attribute for Static IP address . I think I can use this option for my objective and configure this option on authorization for seperate location.. Please advise me again .
11-29-2020 07:19 PM - edited 11-29-2020 07:20 PM
Sadly ISE is not flexible in that way. If the user is successfully authenticated, then ISE will make those custom attributes available to you in your Authorization Profile - but you cannot be conditional about it.
One way around this would be to create two Authorization Rules with matching Authorization Profiles - and then to return the correct Authorization Profile depending on the Authorization logic that you're using. Is that scalable for you?
Example Authorization Profile below (which returns both IPs - of course this is non-sensical - the NAS can only handle (the last) one)
11-29-2020 07:24 PM
I will use 2 authorize profile and use NAS condition for seperate Static IP.
what do you think? Is it possible ?
11-29-2020 07:47 PM
Definitely
Create two Authorization Profiles, which include the custom IP address attributes (and anything else you need)
Authorization Profile VPN_NAS1:
And the other one - VPN_NAS2:
And then use them in the Authorization Policy
11-29-2020 08:03 PM
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: