Solved: Assign static IP address to ASA VPN clients by ISE - Page 2

y.lo · ‎09-09-2013

We are going to integrate ASA remote access VPN service with a new ISE 1.2.

The authentication is done against Active directory. After the authentication, can static IP address be assigned to a specific VPN user by ISE?

That means the same VPN user will always get the same IP address. Thanks.

Muhammad Munir · ‎09-11-2013

Hi

The DNS probe in your Cisco ISE deployment, when enabled, allows the profiler to lookup an endpoint, and get the fully qualified domain name (FQDN) of that endpoint. A DNS lookup tries to determine the endpoint fully qualified domain name. Upon an endpoint detection on your Cisco ISE enabled network, a list of endpoint attributes is collected from the NetFlow, DHCP, DHCP SPAN, HTTP, RADIUS, or SNMP probes. For a DNS lookup, one of the following probes must be started along with the DNS probe: DHCP, DHCP SPAN, HTTP, RADIUS, or SNMP.

The following list shows the specific endpoint attribute, and the probe that collects the attribute:

• The dhcp-requested-address attribute—an attribute collected by the DHCP, and DHCP SPAN probes

• The SourceIP attribute—an attribute collected by the HTTP probe

• The Framed-IP-Address attribute—an attribute collected by the RADIUS probe

• The cdpCacheAddress attribute—an attribute collected by the SNMP probe

The Cisco ISE implements an ARP cache in the profiling service, so that you can reliably map IP addresses and MAC addresses of endpoints. For the ARP cache to function, you must enable either the DHCP probe or the RADIUS probe. The DHCP and RADIUS probes carry IP addresses and MAC addresses of endpoints in the payload data. The dhcp-requested address attribute in the DHCP probe and the Framed-IP-address attribute in the RADIUS probe carry the IP addresses of endpoints, along with their MAC addresses, which can be mapped and stored in the ARP cache.