03-29-2023 07:02 AM
Hello everybody,
our customer needs fixed IP addresses for a small number of AnyConnect users.
They have an ASA 5555 (9.14(3)15), an ISE 2.7 and the users are on the
Active Directory.
I found the following guide:
https://integratingit.wordpress.com/2017/01/01/cisco-asa-anyconnect-vpn-with-static-client-ip-address/
I configured a test user on the AD and assigned a free IP address to it
as in the guide.
On the ISE 2.7 I could import attribute msRADIUSFramedIPAddress from the AD
(see attached screen dump).
When I want to create the new Authorization Profile the
ISE just accepts an IP address but not AD-name:msRADIUSFramedIPAddress
(see attached screen dump).
It seems that ISE 2.7 just accepts users located on the ISE itself for
this situation.
I did not find another guide for this situation.
My questions:
Why does the ISE 2.7 not accept the attribute msRADIUSFramedIPAddress
as in the guide but want an IP address?
Is it supported to authenticate with an AD user with ISE 2.7 and assign
a fixed IP address? If yes, is there another guide?
Thanks a lot for every hint!
Bye
R.
03-29-2023 04:52 PM
This appears to simply be a cosmetic issue (likely due to the type value option changing from 'IPV4' to 'IP' at some point). I tested ISE 2.7 with both patch 7 and patch 9 and the AuthZ Profile still lets me save the change even with the error highlighted. ISE should still return this value regardless of the error. If you find that not to be the case, please open a TAC case to investigate further.
I also do not see this cosmetic issue in ISE 3.1
03-29-2023 04:47 PM
Hello,
I don't have access to any ISE node to test the below, but can you try:
1. I see in the guide that the type of the attribute is IPv4 while in your screenshots it's showing IP. Can you modify it to IPv4 in your configuration and test?
2. If the above doesn't work, can you try renaming your AD to any other name without the dot, "EIS_AD_SPITAL_MIS" for example.
If those don't work, I really suggest creating a ticket with TAC.