Guys, looking for a DC-DR static IP solution for AnyConnect VPN clients.
Current architecture is
Anyconnect <> DC ASA <> DC ISE <> Corp AD
The AnyConnect user gets a static IP. The IP is bound to the static IP properties of the AD user in the Dial-in tab.
DC ISE fetches this IP (192.168.31.x range) and passes on to the user. Till now it's working perfectly.
Now, we are setting up another ASA in DR; the architecture becomes:
Anyconnect <> DR ASA <> DR ISE <> Corp AD
This time the AnyConnect user should get an IP in the 172.16.x.x range.
Does anyone have any idea how this can be worked out? AD user properties let us store only one IP address.
Thank you @Mohammed al Baqari
I think the feasible option is "assign the static IPs using ISE (Frame-IP) on a per user basis". The question is: how do we assign a static IP in ISE for an AD user?
Perhaps you could use dynamic variable substitution, example here. Add the IP address to an unused AD attribute, such as "pager" for each user. Create a new AuthZ profile, referencing the attribute. Use this AuthZ profile for sessions from the DR ASA.
@charleseapen Out of curiosity and to confirm my thoughts, I've tested it and it works as expected.
msRADIUSFramedIPAddress just relates to the attribute under the Dial-in tab in AD; it seems you can use any attribute under the user's account in AD, as long as you import them into ISE. I imagine you could use custom schema attributes also.
HTH
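
One way to populate the spare attribute suggested in this thread, as an added example that is not part of the original posts. It assumes the ActiveDirectory PowerShell module (RSAT), the `pager` attribute named above, and a constructed user-to-IP list; importing the attribute into ISE and building the AuthZ profile are not shown.

```powershell
# Added example: stores each user's DR static IP in the unused "pager" attribute.
# Assumptions: RSAT ActiveDirectory module; account names and IPs are constructed samples.
Import-Module ActiveDirectory

# Constructed sample mapping: sAMAccountName -> DR address (172.16.x.x, per the thread).
$assignments = @(
    [pscustomobject]@{ User = 'jdoe';   DrIp = '172.16.10.11' }
    [pscustomobject]@{ User = 'asmith'; DrIp = '172.16.10.12' }
)

function Test-DrAddress {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    # Reject shorthand forms such as "172.16" that TryParse silently expands.
    if ($ip.ToString() -ne $Address) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 172 -and $b[1] -eq 16)
}

# Two users with the same static address would conflict on the DR ASA.
$dupes = $assignments | Group-Object DrIp | Where-Object Count -gt 1
if ($dupes) { throw "Duplicate DR addresses in input: $($dupes.Name -join ', ')" }

foreach ($a in $assignments) {
    if (-not (Test-DrAddress $a.DrIp)) {
        Write-Warning "$($a.User): '$($a.DrIp)' is not a 172.16.x.x address, skipped"
        continue
    }
    # Refuse an address that a different account already carries in the same attribute.
    $holder = Get-ADUser -LDAPFilter "(pager=$($a.DrIp))" |
        Where-Object SamAccountName -ne $a.User
    if ($holder) {
        Write-Warning "$($a.User): $($a.DrIp) already held by $($holder.SamAccountName -join ', '), skipped"
        continue
    }
    # -WhatIf only reports the change; remove it to write the attribute.
    Set-ADUser -Identity $a.User -Replace @{ pager = $a.DrIp } -WhatIf
}
```

The Dial-in tab value (msRADIUSFramedIPAddress) is left untouched, so the DC ASA keeps handing out the 192.168.31.x address.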