cisco_sec_geek
Beginner

Framed-Route via Cisco ISE for 2000+ endpoints

One of my clients is rolling out LTE devices (IMSI) and would like to use ISE as RADIUS and push 4 IP addresses in the form of a Framed-Route.

RADIUS attribute = 22

How do we set up ISE to push a /29 Framed-Route every time an LTE device (IMSI) comes online?

Every IMSI will have a unique IP; in addition, it needs a minimum of another 4 IP addresses for 4 different applications.

Not sure how to define AuthC and AuthZ policy on ISE to support this.

We are talking around 2000 devices.

 

Thank you in advance for your help.

Cheers

Sanjay

5 REPLIES 5
howon
Cisco Employee

I am not familiar with IMSI, but is it going to be 4 specific IPs for a given endpoint, or do they need to be assigned from a pool? If the former, then based on identity one could send back the 4 IPs as it connects. But the mapping of identity and the 4 IPs needs to be maintained within ISE. As I have never worked with IMSI, I can't comment on what can be used for identity. If the latter, then there is currently no way to do this natively.

Arne Bier
VIP Advisor

Hi

 

I can relate a similar customer use case where a Cisco ISE router has a cellular modem and when this modem is activated to the ISP, the ISP makes a RADIUS request to ISE to authenticate the IMSI (Mobile SIM ID). The authentication is a simple PAP auth and we return some values like Framed IP address and default gateway etc.

 

The question is: where do you want to store the mapping of IMSI --> IP attributes? Easiest answer ... by using the ISE Internal User Database. Create your IMSI users, and then assign custom attributes to them - e.g.

[Screenshot: custom.png]

You can also extract all this from AD or LDAP or ODBC.

 

The Authorization results will look something like this

[Screenshot: radius2.PNG]

Thank you Arne. This is helpful. I configured ISE with these customer attributes. I can see that the Framed-IP-Address works. But Framed-Route doesn't work.

 

I defined Framed-Route as "String" and gave it a value in two formats. But neither of them worked.

Format 1: 10.1.1.0/24

Format 2: 10.1.1.0/24 0.0.0.0 1

 

The second one follows the RFC recommendation. Now, I'm not sure what's next. Can you please give more detailed information on how to configure Framed-Route on ISE 2.3?

String is correct. Have a look at the example for IOS devices, check out the debug in link below. 

IOS example 

Thank you for the confirmation.
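Added example, not part of the thread or any poster's configuration: a Python sketch that carves one /29 per IMSI out of a pool and emits each as a Framed-Route string in the RFC 2865 text form (Format 2 above), validating every value before it would be loaded into a user store as a custom attribute. It checks the RFC shape only, not what ISE or a particular NAS accepts; the function names, the sample IMSIs and the 10.64.0.0/18 pool are constructed for illustration.

```python
import ipaddress

def parse_framed_route(value):
    """Parse 'prefix/len gateway metric [metric ...]' (RFC 2865, attribute 22)."""
    parts = value.split()
    if len(parts) < 3:
        raise ValueError("need prefix/len, gateway and at least one metric")
    if "/" not in parts[0]:
        # RFC 2865 allows a classful default; require an explicit length here.
        raise ValueError("prefix length is required")
    network = ipaddress.IPv4Network(parts[0], strict=True)  # rejects host bits
    gateway = ipaddress.IPv4Address(parts[1])
    metrics = [int(m) for m in parts[2:]]
    return network, gateway, metrics

def allocate_routes(imsis, pool, prefixlen=29, metric=1):
    """Give each IMSI its own subnet from pool, as a Framed-Route string."""
    subnets = ipaddress.IPv4Network(pool).subnets(new_prefix=prefixlen)
    routes = {}
    for imsi in imsis:
        if not (imsi.isdigit() and len(imsi) <= 15):
            raise ValueError(f"not an IMSI: {imsi!r}")
        if imsi in routes:
            raise ValueError(f"duplicate IMSI: {imsi}")
        net = next(subnets, None)
        if net is None:
            raise ValueError(f"pool {pool} exhausted after {len(routes)} devices")
        # Per RFC 2865, gateway 0.0.0.0 means "use the user's own IP as gateway".
        value = f"{net} 0.0.0.0 {metric}"
        parse_framed_route(value)  # self-check before it reaches the user store
        routes[imsi] = value
    return routes

# Constructed sample data: test-PLMN IMSIs (001/01) and a private pool.
SAMPLE_IMSIS = [f"00101{n:010d}" for n in range(1, 2001)]
SAMPLE_POOL = "10.64.0.0/18"  # 2048 /29 subnets, enough for 2000 devices

if __name__ == "__main__":
    routes = allocate_routes(SAMPLE_IMSIS, SAMPLE_POOL)
    for imsi in SAMPLE_IMSIS[:3]:
        print(imsi, routes[imsi])
```

A duplicate IMSI or an undersized pool raises instead of silently handing two devices the same route.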
