Anyconnect user static IP

Guys, I'm looking for a DC-DR static IP solution for AnyConnect VPN clients.

The current architecture is:

Anyconnect <> DC ASA <> DC ISE <> Corp AD

 

The AnyConnect user gets a static IP. The IP is bound to the static IP property of the AD user in the Dial-in tab.

[screenshot: AD-statIP.png]

DC ISE fetches this IP (192.168.31.x range) and passes it on to the user. Until now it has been working perfectly.

 

Now we are setting up another ASA in DR, so the architecture becomes:

Anyconnect <> DR ASA <> DR ISE <> Corp AD

This time the AnyConnect user should get an IP in the 172.16.x.x range.

 

Anyone have any idea how this can be worked out? AD user properties let you store only one IP address.

7 Replies

Hi,

This is not possible using the AD Dial-In option. You need to assign the static IPs using ISE (Framed-IP) on a per-user basis, or use an external DHCP server for your IP pool and bind using MAC addresses. But from AD, you can't have more than one static IP.

One solution you can try is to have two OUs in AD with duplicate users but with different static IPs. Then your ISE nodes in Active/DR should point to their respective OUs. This makes the active ISE validate against the Active OU and get the Active static IPs, and the DR ISE validate against the DR OU and get the DR static IPs.

I would go for the ISE option of allocating IPs as this is the best option, but it's your call.

***** please remember to rate useful posts

Thank you @Mohammed al Baqari 

I think the feasible option is "assign the static IPs using ISE (Framed-IP) on a per-user basis". The question is how do we assign a static IP in ISE for an AD user?


Hi,

You match the username in the authorization policy and in the authorization profile assign the Framed-IP attribute.

**** please remember to rate useful posts

@charleseapen 

Perhaps you could use dynamic variable substitution; example here. Add the IP address to an unused AD attribute, such as "pager", for each user. Create a new AuthZ profile referencing the attribute. Use this AuthZ profile for sessions from the DR ASA.


Thank you @Rob Ingram, let me test this.

Accepted Solution

@charleseapen Out of curiosity and to confirm my thoughts, I've tested it and it works as expected.

 

[screenshots: 4.PNG, 1.PNG, 3.PNG, 2.PNG, 5.PNG]

msRADIUSFramedIPAddress just relates to the attribute under the Dial-in tab in AD. It seems you can use any attribute under the user's account in AD, as long as you import them into ISE. I imagine you could use custom schema attributes also.


HTH


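As an added example (not code from this thread, from ISE or from AD), the following Python models the decision that the "pager" suggestion and the accepted solution above describe: the DC ASA keeps using the Dial-in address (msRADIUSFramedIPAddress) while the DR ASA uses a spare string attribute holding a 172.16.x.x address, and ISE returns whichever one matches the ASA that sent the request. It also shows two things the screenshots cannot: the Dial-in attribute is stored in AD as a signed 32-bit integer rather than a dotted string (so it has to be decoded, while "pager" can hold the dotted form directly), and a value that falls outside the pool expected for that ASA is refused rather than pushed, so a writable AD attribute cannot steer a client onto an arbitrary subnet. The ASA addresses, the user records and the NAS-to-attribute mapping are constructed for the example.

```python
"""Per-ASA static Framed-IP-Address selection, modelled outside ISE.

Constructed example: ISE performs the real AD lookup and attribute
substitution; this mirrors that decision so its edge cases are visible.
"""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

DC_ASA = "10.1.1.1"   # assumed NAS-IP-Address of the DC ASA
DR_ASA = "10.2.1.1"   # assumed NAS-IP-Address of the DR ASA

# Which AD attribute each ASA reads, and the pool its value must fall inside.
NAS_POLICY = {
    DC_ASA: ("msRADIUSFramedIPAddress", ipaddress.ip_network("192.168.31.0/24")),
    DR_ASA: ("pager", ipaddress.ip_network("172.16.0.0/16")),
}


def ipv4_to_dialin_int(addr: str) -> int:
    """What AD stores for the Dial-in 'Assign Static IP Addresses' box: the
    address as a signed 32-bit integer, so 192.168.x.x comes out negative."""
    return struct.unpack(">i", ipaddress.IPv4Address(addr).packed)[0]


def dialin_int_to_ipv4(value: int) -> str:
    """Reverse that encoding; the mask handles the negative values AD returns."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


# Constructed directory snapshot standing in for an LDAP search result.
SAMPLE_AD: Dict[str, Dict[str, object]] = {
    "alice":   {"msRADIUSFramedIPAddress": ipv4_to_dialin_int("192.168.31.10"), "pager": "172.16.5.10"},
    "bob":     {"msRADIUSFramedIPAddress": ipv4_to_dialin_int("192.168.31.11"), "pager": None},
    "mallory": {"msRADIUSFramedIPAddress": ipv4_to_dialin_int("192.168.31.12"), "pager": "10.0.0.5"},
}


def attribute_to_ipv4(attr: str, raw: object) -> Optional[ipaddress.IPv4Address]:
    """Decode one AD attribute value into an address, or None if unusable."""
    if raw is None:
        return None
    try:
        if attr == "msRADIUSFramedIPAddress":
            return ipaddress.IPv4Address(dialin_int_to_ipv4(int(raw)))  # integer syntax
        return ipaddress.IPv4Address(str(raw).strip())                  # string syntax
    except ValueError:  # AddressValueError is a ValueError subclass
        return None


def framed_ip_for(username: str, nas_ip: str,
                  directory: Dict[str, Dict[str, object]] = SAMPLE_AD) -> Tuple[Optional[str], str]:
    """Decide which Framed-IP-Address (if any) to return for this user and ASA.

    Returns (address, reason). An address of None means: send no
    Framed-IP-Address and let the ASA allocate from its own local pool.
    """
    policy = NAS_POLICY.get(nas_ip)
    if policy is None:
        return None, "unknown-nas"
    attr, pool = policy
    user = directory.get(username)
    if user is None:
        return None, "unknown-user"
    raw = user.get(attr)
    if raw is None:
        return None, "no-attribute"
    addr = attribute_to_ipv4(attr, raw)
    if addr is None:
        return None, "malformed"
    if addr not in pool:
        # Refuse rather than push: whoever can write this attribute must not be
        # able to place a VPN client on a subnet the ASA was not designed for.
        return None, "outside-pool"
    return str(addr), "static"


def duplicate_assignments(directory: Dict[str, Dict[str, object]], attr: str) -> Dict[str, List[str]]:
    """Audit helper: users sharing one address in the given attribute. Two
    concurrent sessions with the same Framed-IP-Address would collide."""
    seen: Dict[str, List[str]] = {}
    for user, attrs in directory.items():
        addr = attribute_to_ipv4(attr, attrs.get(attr))
        if addr is not None:
            seen.setdefault(str(addr), []).append(user)
    return {a: users for a, users in seen.items() if len(users) > 1}


if __name__ == "__main__":
    for user in SAMPLE_AD:
        for nas in (DC_ASA, DR_ASA):
            print(user, nas, framed_ip_for(user, nas))
    print("duplicates:", duplicate_assignments(SAMPLE_AD, "pager"))
```

Two practical points follow from the model. Populating the spare attribute is an ordinary AD write, for example `Set-ADUser -Identity alice -Replace @{pager='172.16.5.10'}` with the PowerShell AD module; before relying on it, check who can write that attribute, because "pager" sits in the Personal Information property set that users can often modify on their own account by default, and any user who can edit it now picks their own DR VPN address. Keeping the pool check in the ISE authorization policy (or choosing an attribute only administrators can write) closes that, and the duplicate audit is worth running whenever the DR addresses are bulk-loaded.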

Thank you @Rob Ingram, it worked like a charm.
