Solved: Anyconnect user static IP

charleseapen · ‎01-11-2021

Guys, looking for DC-DR static IP solution for Anyconnect VPN clients.

Current architecture is

Anyconnect <> DC ASA <> DC ISE <> Corp AD

Anyconnect user gets a static IP. IP is binded to static IP properties of AD user in Dial-in Tab.

DC ISE fetches this IP (192.168.31.x range) and passes on to the user. Till now it's working perfectly.

Now, we are setting up another ASA in DR, now the architecture becomes;

Anyconnect <> DR ASA <> DR ISE <> Corp AD

this time the anyconnect user should get IP in the range 172.16.x.x range.

Anyone any idea how this can be worked out. AD user properties lets store only one IP address.

Rob Ingram · ‎01-13-2021

@charleseapen Out of curiousity and to confirm my thoughts, I've tested it and it works as expected.

msRADIUSFramedIPAddress just relates to the attribute under the Dial-in tab in AD, it seems you can use any attribute under the users account in AD, as long as you import them into ISE. I imagine you could use custom schema attributes also.

HTH

View solution in original post

Mohammed al Baqari · ‎01-11-2021

Hi,

This is not possible using AD Dial-In option. You need to assign the static
IPs using ISE (Frame-IP) on a per user basis or use an external DHCP for
your IP Pool and bind using MAC addresses. But from AD, you can't have more
than one static IP.

One solution you can try is to have two OUs in AD with duplicate users but
having different static IPs. Then your ISE nodes in Active/DR should point
to their respective OUs. This makes active ISE validate with Active OU and
get Active static IPs and DR ISE validate DR OU and get DR static IPs.

I will go for ISE option of allocating IPs as this is the best option but
its your call.

***** please remember to rate useful posts

charleseapen · ‎01-12-2021

Thank you @Mohammed al Baqari

I think the feasible option is " assign the static IPs using ISE (Frame-IP) on a per user basis". Question is how do we assign static IP in ISE for an AD user.

Mohammed al Baqari · ‎01-12-2021

Hi,

You match the username in the authorization policy and in the authorization
profile assign framed-ip attribute.

**** please remember to rate useful posts

Rob Ingram · ‎01-12-2021

@charleseapen

Perhaps you could use dynamic variable substitution, example here. Add the IP address to an unused AD attribute, such as "pager" for each user. Create a new AuthZ profile, referencing the attribute. Use this AuthZ profile for sessions from the DR ASA.

charleseapen · ‎01-12-2021

Thank you @Rob Ingram let me test this.

Rob Ingram · ‎01-13-2021

@charleseapen Out of curiousity and to confirm my thoughts, I've tested it and it works as expected.

msRADIUSFramedIPAddress just relates to the attribute under the Dial-in tab in AD, it seems you can use any attribute under the users account in AD, as long as you import them into ISE. I imagine you could use custom schema attributes also.

HTH

View solution in original post

charles07 · ‎01-14-2021

Thank you @Rob Ingram It worked like a charm.