ISE 2.6 and DHCP

Reece Boucher
Level 1

I am migrating nearly 1,200 devices (configured as users) from ACS 4.2 to ISE 2.6.

Within ACS 4.2 they are assigned a WAN address from a locally configured IP Pool. There doesn't appear to be such a solution with ISE 2.6.

I'm hoping to use our central Microsoft DHCP servers (2 servers configured in failover).

How do I define which server(s) and DHCP scopes are used?

Is this defined on a per user basis?

Many thanks.

6 Replies

Cristian Matei
VIP Alumni

Hi,

What is the setup used for, device administration (TACACS+) or user/device authentication/authorization (RADIUS/802.1x)? How are the users connecting to the network, via VPN?

 

Regards,

Cristian Matei.

Cristian,

These are carrier connected mobile (4G) devices and they are RADIUS authenticated. They connect to a private APN and authenticate to a RADIUS proxy within the carrier which then strips off the realm (user@domain) and forwards the RADIUS request to our on premises RADIUS server.

 

Appreciate your interest.

 

Reece.

Hi,

And this proxied RADIUS Request reaches your ISE RADIUS server? Do you also authenticate the users, or just authorise the users? If you also authenticate it, where is the DB stored?

As the request comes in via RADIUS:

1. I don't see how you could make use of a DHCP server, as you don't get a DHCP Request from the client; also the built in DHCP server of ISE would not help here, for the same reason

2. ISE can assign static IP addresses, but not from an IP pool or DHCP pool

3. ISE could return an IP pool name to the NAD, which may support this and assign to the user an IP from the pool name received from ISE

4. You could make use of ISE API and get some IP addresses from an IP Management Tool

 

Regards,

Cristian Matei.

@Reece Boucher - as @Cristian Matei pointed out, ISE is not part of the DHCP process, and therefore the IP address assignment has to be pre-determined elsewhere. In most cases this is done statically.

Two of my customers have a setup where the cellular provider makes a RADIUS auth request to ISE with the IMSI, and ISE returns a bunch of static parameters - one of them is the IP address. This is a static arrangement and each IMSI is stored as a user account in ISE. You can create a long list of attributes that you want to return as a result of the APN authentication.

The ISE internal database is the quick and easy solution. Other customers use AD integration - by assigning the static IP address in AD, you can simply query AD for the IMSI and get the same attributes returned.

If it's dynamic IP address assignment then it's a lot trickier - how do you deal with lease renewals and expirations etc.?
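The two RADIUS-side options discussed above (a static per-IMSI Framed-IP-Address plus Framed-Route, or a Framed-Pool name the NAD resolves itself) come down to what ISE puts into the Access-Accept. The following is an added example, not ISE code and not from anyone in this thread: a small Python model of the lookup and the RFC 2865/2869 attribute encoding, with the Response Authenticator check a NAD or proxy performs before trusting the Accept. The IMSI values, addresses, pool name and shared secret are constructed placeholders, and the realm-stripping step only mimics what the carrier proxy was described as doing.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS codes and attribute types from RFC 2865 (Framed-Pool is RFC 2869, type 88).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, FRAMED_IP_ADDRESS, FRAMED_ROUTE, FRAMED_POOL = 1, 8, 22, 88

# Constructed sample "user accounts" keyed by IMSI (placeholder values, not real subscribers).
# The first two get a fixed WAN address and a LAN framed route; the third gets a pool name
# so the NAD picks the WAN address from its own pool (option 3 in the reply above).
ACCOUNTS = {
    "505010123456789": {"wan_ip": "10.200.1.11", "lan_route": "192.168.11.0/24 0.0.0.0 1"},
    "505010123456790": {"wan_ip": "10.200.1.12", "lan_route": "192.168.12.0/24 0.0.0.0 1"},
    "505010123456791": {"pool": "MOBILE-WAN-POOL"},
}


def strip_realm(user_name):
    """Mimic the carrier proxy: 'imsi@apn.example' -> 'imsi'."""
    return user_name.split("@", 1)[0]


def attributes_for(user_name):
    """(type, value-bytes) pairs for the Access-Accept, or None if the IMSI is unknown."""
    acct = ACCOUNTS.get(strip_realm(user_name))
    if acct is None:
        return None
    attrs = []
    if "wan_ip" in acct:
        attrs.append((FRAMED_IP_ADDRESS, ipaddress.IPv4Address(acct["wan_ip"]).packed))
    if "lan_route" in acct:
        attrs.append((FRAMED_ROUTE, acct["lan_route"].encode()))
    if "pool" in acct:
        attrs.append((FRAMED_POOL, acct["pool"].encode()))
    return attrs


def encode_attrs(attrs):
    """Serialise attributes as Type(1) Length(1) Value TLVs."""
    out = b""
    for t, v in attrs:
        if not 0 < len(v) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse TLVs, rejecting truncated or zero-length attributes instead of looping."""
    attrs, i = [], 0
    while i < len(data):
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def build_response(code, ident, request_auth, attrs, secret):
    """Code(1) Identifier(1) Length(2) ResponseAuthenticator(16) Attributes."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """NAD/proxy side: recompute the Response Authenticator before applying any attribute."""
    if len(packet) < 20:
        return False
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def handle_access_request(user_name, ident, request_auth, secret):
    """Simulated server: Accept with the account's static parameters, or a bare Reject."""
    attrs = attributes_for(user_name)
    if attrs is None:
        return build_response(ACCESS_REJECT, ident, request_auth, [], secret)
    return build_response(ACCESS_ACCEPT, ident, request_auth, attrs, secret)


def framed_params(packet):
    """What the NAD would apply: the IP, route and/or pool carried in the Accept."""
    result = {}
    for t, v in decode_attrs(packet[20:]):
        if t == FRAMED_IP_ADDRESS:
            result["ip"] = str(ipaddress.IPv4Address(v))
        elif t == FRAMED_ROUTE:
            result["route"] = v.decode()
        elif t == FRAMED_POOL:
            result["pool"] = v.decode()
    return result
```

Running `handle_access_request("505010123456789@apn.example", 7, request_auth, secret)` yields an Accept whose `framed_params` are the fixed WAN address and LAN route, while the third account yields only a pool name and an unknown IMSI yields a 20-byte Reject. The `verify_response` step is the part worth keeping in mind operationally: an Accept from a proxy with the wrong shared secret, or one whose attributes were altered in transit, fails the authenticator check and must not be used to assign an address.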

Thanks for the responses.

 

I'm a little confused (easily done) regarding the use of IP Pools on ISE then.

 

The user request is basically a proxied RADIUS connection (Telstra is the ISP being used).  Originally we were using ACS 4.2, which made it easy.  ACS 5.6 was a little trickier, and Telstra assisted us by doing a fudge that allocated the address within their environment.  That isn't sustainable going forward.

 

Ideally I'd like not to have to do a static allocation (this is for the 'WAN' side of the remote connection, not the 'LAN' side, which uses framed routes). I understand using framed routes means doing a 'static' allocation but I'd like to employ the KISS principle where possible.

Q:  ISE 2.6 has a section for DHCP and DNS services (System, Settings, DHCP and DNS services).  Can this not be used for what I need to achieve?


The DHCP & DNS Services function is specifically used to simulate URL Redirection for 3rd-party Network Devices that do not natively support RADIUS-based URL redirection. From the Admin Guide:

  • URL redirection is necessary for advanced flows like BYOD, Guest, and Posture. There are two types of URL redirection found on a device: static and dynamic. For static URL redirection, you can copy and paste the ISE portal URL into the configuration. For dynamic URL redirection, ISE uses a RADIUS attribute to tell the network device where to redirect to. In addition, if the device supports neither dynamic nor static URL redirect, ISE provides an Auth VLAN by which it simulates URL redirect. Auth VLAN is based on a DHCP/DNS service running on the ISE box. To create the Auth VLAN, define the DHCP/DNS service settings. For more information, see the DHCP and DNS Services section. The URL redirect flow is described in further detail below.

 

I do not believe there is a way to tweak this feature to perform the function you are looking for.