10-31-2018 09:12 AM
Hi all.
I have a specific situation/problem with AnyConnect VPN static IP assignment: it does not work.
AnyConnect 4.6 client
ASA 9.4.4 interim
Authentication with certificate
Authorization with posture check.
1. Users authenticate on the ASA with a certificate and get an IP from DHCP via the ASA (defined under AnyConnect Client Profile -> Client Address Assignment -> DHCP Servers).
2. Then the user goes through the authorization process with posture and, if he is compliant, network access is applied and a static IP address is assigned with the rule:
Access Type = ACCESS_ACCEPT
DACL = Anyconnect-Compliant
Framed-IP-Address = 10.250.200.193
I also tried fetching the attribute from AD (which would be the better solution), but the situation is the same:
Access Type = ACCESS_ACCEPT
DACL = Anyconnect-Compliant
Framed-IP-Address = AD:extensionAttribute13
1. Can the system combine DHCP assignment and static IP assignment (users that don't need a static IP on the VPN should get an IP from DHCP)?
2. How and when to assign a static IP to users from AD? Since I do authentication on the ASA with a certificate, can the IP address be changed from DHCP to static by the authorization profile after the posture process is complete, or does it need to be done on the ASA while the authentication process is underway?
3. If during the authentication process, then how do I combine IP address assignment from DHCP with ASA -> AD per-user static assignment?
I hope someone knows how to solve this, because today TAC helped a little but we still can't solve it.
Thanks
VZ
11-04-2018 02:48 AM
Solved with a Local Exception rule in authorization, before posture goes into place.
10-31-2018 09:57 AM
Do you want to give a specific IP address to users from ISE?
Does assigning an IP address with Framed-IP-Address = 10.250.200.193 work for you?
Assigning an IP address with Framed-IP-Address = AD:extensionAttribute13 is not working?
11-01-2018 01:47 AM
Hi Pan,
Do you want to give a specific IP address to users from ISE?
- Yes, in the way that I match attribute13 from AD with the authorization policy after the posture process. If this can't be an option since authentication is done on the ASA with a cert, then please advise.
Does assigning an IP address with Framed-IP-Address = 10.250.200.193 work for you?
- No, it does not work.
Assigning an IP address with Framed-IP-Address = AD:extensionAttribute13 is not working?
- Yes, it does not work; please look at case number SR 685357314 from yesterday if you have access.
- There is a cosmetic bug: when I enter it, ISE marks AD:extensionAttribute13 in red (as if it were not a correct value) but allows the config to be saved. In the report log I see that the attribute is unavailable.
11-01-2018 08:59 AM
Does assigning an IP address with Framed-IP-Address = 10.250.200.193 work for you?
- No, it does not work.
I now believe this is expected. When this CoA feature was added to the ASA for ISE posture enforcement on remote access VPN users, the policy elements for which CoA updates are not supported are:
Instead, please use those that are supported, such as dynamic ACL (dACL) and security group tag (SGT).
Assigning an IP address with Framed-IP-Address = AD:extensionAttribute13 is not working?
- Yes, it does not work; please look at case number SR 685357314 from yesterday if you have access.
- There is a cosmetic bug: when I enter it, ISE marks AD:extensionAttribute13 in red (as if it were not a correct value) but allows the config to be saved. In the report log I see that the attribute is unavailable.
Being unable to retrieve an AD attribute and the web UI bug are separate issues, but fixing them would not help with this use case.
11-01-2018 05:33 PM
OK,
if Framed-IP-Address = 10.250.200.193 is not working and Framed-IP-Address = AD:extensionAttribute13 is not working,
what would be the recommended solution?
Do I need to assign the IP address from the ASA?
Summary:
I need to use certificate authentication, then give an IP address from a DHCP pool, and for specific users assign an IP statically.
In authorization, use the posture process and a dACL for network access.
Thanks
VZ
11-01-2018 06:18 PM
Please work with TAC to come up with a good solution for your use case. I am no expert in ASA remote VPN, and I read through your case notes; the assigned TAC engineer has been helpful and has resolved a couple of your other issues in the same case.
Anyway, I think the static IP assignment could take place at the initial authentication and/or authorization (i.e. before the posture assessment).
11-02-2018 03:21 AM
Hi,
But if the static IP assignment takes place at authorization (i.e. before the posture assessment), then it is CoA, which is not supported under remote VPN, right? Because I already have IP assignment via DHCP from the ASA after the authentication process.
I will try to find a different approach for this, but anyway I have this on ACS right now in production and it works fine. Dunno why ISE can't...
11-02-2018 07:02 AM - edited 11-02-2018 07:03 AM
AFAIK, the static IP assignment should be fine during the initial auth and before CoA. The limitation in ASA applies only as part of the CoA push to update the authorization.
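To make the distinction in the two replies above concrete, here is an added example that is not part of the thread and not Cisco or ISE code. It encodes Framed-IP-Address (RADIUS attribute 8, RFC 2865) into an Access-Accept (code 2) and into a CoA-Request (code 43, RFC 5176), parses both with a strict length walk, and applies them to a simulated VPN session. The `nas_policy` function is an assumption-labelled simplification of what the thread says the ASA does: the address is honoured only in the initial Access-Accept, while a CoA push only updates the access-control side (Filter-Id stands in for the dACL here; the real ISE dACL download uses a Cisco VSA). The two `scenario_*` functions reproduce the original design (address pushed after posture) and the accepted solution (address supplied by the rule that fires at initial authorization).

```python
"""Added example: Framed-IP-Address in Access-Accept vs. CoA-Request, and a
simplified model of a NAS that only honours address assignment at initial auth.
Codes/attributes from RFC 2865 and RFC 5176; the NAS model is an assumption
based on the behaviour described in the thread, not ASA code."""
import ipaddress
import struct

ACCESS_ACCEPT = 2
COA_REQUEST = 43
FRAMED_IP_ADDRESS = 8
FILTER_ID = 11

# Attributes the simulated NAS applies when they arrive via CoA. Per the
# thread, the ASA posture CoA honours dACL/SGT updates but not address changes;
# Filter-Id stands in for the dACL in this model (assumption, simplified).
COA_SUPPORTED = {FILTER_ID}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: Type(1) Length(1) Value(Length-2)."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def framed_ip(addr: str) -> bytes:
    """Framed-IP-Address carries a 4-byte IPv4 address in network byte order."""
    return encode_attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(addr).packed)


def build_packet(code: int, identifier: int, attrs: bytes) -> bytes:
    """RADIUS header Code(1) Identifier(1) Length(2) Authenticator(16) + attrs.
    The authenticator is zeroed: this example does not compute the MD5/HMAC."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + b"\x00" * 16 + attrs


def parse_packet(pkt: bytes):
    """Return (code, {attr_type: [values]}). Every attribute length is checked
    against the packet so truncated/overrun TLVs raise instead of being skipped."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs: dict[int, list[bytes]] = {}
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = pkt[pos], pkt[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length overruns packet")
        attrs.setdefault(a_type, []).append(pkt[pos + 2 : pos + a_len])
        pos += a_len
    return code, attrs


def nas_policy(session: dict, pkt: bytes) -> dict:
    """Apply one RADIUS packet to a VPN session (simplified NAS model):
    Framed-IP-Address is honoured only in the Access-Accept of the initial
    authentication; a CoA-Request applies COA_SUPPORTED attributes and records
    everything else under 'ignored' without touching the session address."""
    code, attrs = parse_packet(pkt)
    session = dict(session)
    session.setdefault("ignored", [])
    if code == ACCESS_ACCEPT:
        if FRAMED_IP_ADDRESS in attrs:
            session["ip"] = str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS][0]))
            session["ip_source"] = "aaa"
        else:
            # No AAA-supplied address: the NAS falls through to its DHCP/local pool.
            session.setdefault("ip_source", "dhcp")
        if FILTER_ID in attrs:
            session["acl"] = attrs[FILTER_ID][0].decode()
    elif code == COA_REQUEST:
        for a_type, values in attrs.items():
            if a_type in COA_SUPPORTED:
                session["acl"] = values[0].decode()
            else:
                session["ignored"].append(a_type)
    else:
        raise ValueError(f"unhandled RADIUS code {code}")
    return session


def scenario_coa_only() -> dict:
    """Original design: DHCP address at auth, static IP pushed after posture via
    CoA together with the dACL. The dACL lands; the address change is ignored."""
    s = {"ip": "10.250.200.57", "ip_source": "dhcp"}  # constructed DHCP lease
    s = nas_policy(s, build_packet(ACCESS_ACCEPT, 1, b""))
    coa = framed_ip("10.250.200.193") + encode_attr(FILTER_ID, b"Anyconnect-Compliant")
    return nas_policy(s, build_packet(COA_REQUEST, 2, coa))


def scenario_initial_auth() -> dict:
    """Accepted solution: the per-user rule fires before posture, so the address
    is in the Access-Accept and the later CoA only swaps the dACL."""
    s = nas_policy({}, build_packet(ACCESS_ACCEPT, 1, framed_ip("10.250.200.193")))
    return nas_policy(s, build_packet(COA_REQUEST, 2, encode_attr(FILTER_ID, b"Anyconnect-Compliant")))
```

Running `scenario_coa_only()` leaves the session on its DHCP address with attribute 8 in the ignored list, while `scenario_initial_auth()` ends with the static address and the compliant dACL; the parser rejects a packet whose length field disagrees with its size, which is the check to keep if this is adapted to look at real captures.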
12-08-2020 02:58 AM
I am experiencing the same problem.
Can you provide details of how you solved it?
10-31-2018 07:10 PM - edited 10-31-2018 07:15 PM
Please review the chapter IP Addresses for VPNs in Cisco ASA VPN CLI Configuration Guide.
Also, a related discussion -- Set Static IP to Anyconnect user using ... - Cisco Community
11-01-2018 01:49 AM
HI hslai,
I already read those documents, but they do not help.
On the ASA with version 9.4.4 I already have the config "vpn-addr-assign aaa".
KR
VZ