Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
4700
Views
20
Helpful
7
Replies

Anyconnect user static IP

Go to solution
manvik
Level 3
Level 3

‎01-11-2021 10:23 PM

Guys, looking for DC-DR static IP solution for Anyconnect VPN clients.

Current architecture is 

Anyconnect <> DC ASA <> DC ISE <> Corp AD

 

Anyconnect user gets a static IP. IP is binded to static IP properties of AD user in Dial-in Tab.

AD-statIP.png

DC ISE fetches this IP (192.168.31.x range) and passes on to the user. Till now it's working perfectly.

 

Now, we are setting up another ASA in DR, now the architecture becomes;

Anyconnect <> DR ASA <> DR ISE <> Corp AD

this time the anyconnect user should get IP in the range 172.16.x.x range.

 

Anyone any idea how this can be worked out. AD user properties lets store only one IP address.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to manvik

‎01-13-2021 05:34 AM - edited ‎01-13-2021 05:44 AM

@manvik Out of curiousity and to confirm my thoughts, I've tested it and it works as expected.

 

4.PNG1.PNG3.PNG2.PNG5.PNG

msRADIUSFramedIPAddress just relates to the attribute under the Dial-in tab in AD, it seems you can use any attribute under the users account in AD, as long as you import them into ISE. I imagine you could use custom schema attributes also.


HTH

View solution in original post

7 Replies 7

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎01-11-2021 11:12 PM

Hi,

This is not possible using AD Dial-In option. You need to assign the static
IPs using ISE (Frame-IP) on a per user basis or use an external DHCP for
your IP Pool and bind using MAC addresses. But from AD, you can't have more
than one static IP.

One solution you can try is to have two OUs in AD with duplicate users but
having different static IPs. Then your ISE nodes in Active/DR should point
to their respective OUs. This makes active ISE validate with Active OU and
get Active static IPs and DR ISE validate DR OU and get DR static IPs.

I will go for ISE option of allocating IPs as this is the best option but
its your call.

***** please remember to rate useful posts
0 Helpful

Go to solution
manvik
Level 3
Level 3
In response to Mohammed al Baqari

‎01-12-2021 09:03 PM

Thank you @Mohammed al Baqari 

I think the feasible option is " assign the static IPs using ISE (Frame-IP) on a per user basis". Question is how do we assign static IP in ISE for an AD user.

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to manvik

‎01-12-2021 09:47 PM

Hi,

You match the username in the authorization policy and in the authorization
profile assign framed-ip attribute.

**** please remember to rate useful posts
0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎01-12-2021 12:07 AM - edited ‎01-12-2021 12:07 AM

@manvik 

Perhaps you could use dynamic variable substitution, example here. Add the IP address to an unused AD attribute, such as "pager" for each user. Create a new AuthZ profile, referencing the attribute. Use this AuthZ profile for sessions from the DR ASA.

Go to solution
manvik
Level 3
Level 3
In response to Rob Ingram

‎01-12-2021 09:04 PM

Thank you @Rob Ingram let me test this.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to manvik

‎01-13-2021 05:34 AM - edited ‎01-13-2021 05:44 AM

@manvik Out of curiousity and to confirm my thoughts, I've tested it and it works as expected.

 

4.PNG1.PNG3.PNG2.PNG5.PNG

msRADIUSFramedIPAddress just relates to the attribute under the Dial-in tab in AD, it seems you can use any attribute under the users account in AD, as long as you import them into ISE. I imagine you could use custom schema attributes also.


HTH

Go to solution
charles07
Level 1
Level 1
In response to Rob Ingram

‎01-14-2021 05:58 AM

Thank you @Rob Ingram It worked like a charm.

Top