Fixed IP address from AD attribute for WLAN and wired (Framed IP)

advuni-af1
Level 1

Hello everyone,

I have the requirement that a customer wants to define fixed IPs for users, as these IPs are to be used in the firewall: identity-based networking on an IP basis. For SSL VPN access, these IPs are read from Active Directory attributes of the users. Here is the setup: Fortinet --> RADIUS to ISE --> AD Auth with Framed IP return --> Framed IP from ISE to Fortinet via Access-Accept --> SSL VPN adapter gets the IP assigned.
My question now is whether this is also possible for "normal" network adapters in the WLAN and wired area. Can I also give the network cards IP information via AD attributes and the Access-Accept, as in the SSL VPN area? Is that possible?
The current DHCP server for the WLAN area runs on the IOS XE WLC. It also works perfectly. I have looked into the DHCP proxy function, but I haven't really got to grips with it yet. Do I have to use this proxy function? Or am I on the wrong track?
I would be grateful for any input.

Best regards, Alex...

5 Replies

M02@rt37
VIP

Hello @advuni-af1 

Yes, it's possible to assign fixed IP addresses to users in wired and wireless environments based on Active Directory attributes, similar to how it is done for SSL VPN access.

This could be achieved using the Framed-IP-Address attribute in the RADIUS Access-Accept message. When users authenticate via 802.1X, the RADIUS server (ISE in your setup) can retrieve the IP address from an AD attribute (e.g., msRADIUSFramedIPAddress) and include it in the Access-Accept response. The access device, such as a switch or WLC, can then enforce this IP assignment.

However, unlike SSL VPNs where the IP address is directly assigned to the VPN adapter, wired and wireless networks rely on DHCP for IP address allocation. To ensure the correct IP is assigned, there must be coordination between the access device, the RADIUS server, and the DHCP server. In your setup, since the DHCP server for WLAN runs on the IOS XE WLC, enabling the DHCP Proxy feature can facilitate this coordination. The DHCP Proxy function allows the WLC to relay DHCP requests to a central DHCP server while ensuring that the RADIUS-assigned Framed-IP-Address is honored.

Alternatively, you could use static DHCP reservations on the DHCP server based on MAC addresses to assign fixed IPs to devices. While this method does not require RADIUS, it diverges from an identity-based networking model and lacks the flexibility of assigning IPs dynamically based on user identity. Configuring static IPs directly on client devices is another option but is not scalable or practical for large deployments.


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
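To make concrete what the Access-Accept in this design actually carries, here is an added example (my own code, not from this thread, ISE or Cisco): it builds an Access-Accept with Framed-IP-Address, the RFC 2865 attribute ISE would populate from the AD value, and shows the NAS-side handling, which verifies the Response Authenticator before acting on the IP so that a forged Accept with a different address is discarded. It goes slightly beyond the reply above by also decoding Tunnel-Private-Group-ID, the attribute used for 802.1X VLAN assignment; the shared secret, identifier and addresses are constructed values, and note that the client never sees this packet, which is why it still runs its own DHCP exchange.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS = 8          # RFC 2865 5.8; 255.255.255.254 means "NAS chooses"
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868; VLAN id as text, optional leading tag byte

def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        framed_ip: str, vlan: Optional[str] = None) -> bytes:
    """Server side: Access-Accept carrying Framed-IP-Address (+ optional VLAN)."""
    attrs = _avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
    if vlan is not None:
        attrs += _avp(TUNNEL_PRIVATE_GROUP_ID, vlan.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """NAS side: verify the Response Authenticator first (an Accept with a
    forged Framed-IP is discarded), then return the attributes to act on."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: discard the packet")
    result, pos = {"id": ident}, 0
    while pos < len(attrs):
        alen = attrs[pos + 1] if pos + 1 < len(attrs) else 0
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        atype, value = attrs[pos], attrs[pos + 2:pos + alen]
        if atype == FRAMED_IP_ADDRESS:
            result["framed_ip"] = str(ipaddress.IPv4Address(value))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:   # drop the tag byte if present
            result["vlan"] = (value[1:] if value and value[0] <= 0x1F else value).decode()
        pos += alen
    return result
```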


Devaa
Spotlight

Also, you can assign ports to different VLAN for different users using 802.1x and allow policies in firewall based on VLAN subnet. 

Alternatively try to add firewall rules based on AD identity directly. 

Cisco ASA Series Firewall CLI : Identity Firewall

ASA: IDFW (Identity Firewall) Step by Step configuration

I don't think so.

SSL VPN needs the user to have an IP (public IP or private IP) to connect to the VPN GW.

Then AD will provide an additional IP (private) for RA VPN.

Here the SSL VPN needs to connect to the SSID, get an IP, then authenticate to the VPN GW and get a new IP.

The new IP is encapsulated inside the first IP it gets from the WLC DHCP.

MHM

advuni-af1
Level 1
Thanks for your answer. I understand it that way too. But what is the right process for it? When I do authentication in WLAN with 802.1X, I get the certificate to ISE, do the authentication against the AD, and get the user. All fine. In the response from AD I get the right IP for the user. That works as well. In the Access-Accept result I deliver the IP from the AD attribute. This all works fine. But now, how is the process? The client doesn't recognize the IP from the Access-Accept result and does a normal DHCP request, and gets an IP from DHCP. When I now configure a DHCP scope with the proxy feature, the DHCP sends an AAA packet to the ISE. There I have to provide a user in the DHCP scope for authentication against the ISE. How do I achieve that this DHCP request from the WLC to ISE uses the session information of the user/device that requested the IP? Or is this the wrong process?
Best regards
Alex...