Need to use ISE DHCP for my VPN users

I have several groups of people using my VPN. They all go to different areas of my network. I want to assign them different DHCP scopes on ISE for their login (right now, AnyConnect cannot get beyond a RADIUS acceptance for the network but cannot get an IP address).

I have a couple of scopes built on ISE under DHCP & DNS services.

Please note, I do NOT want to allow any other devices to pick up IP addresses here.

I also have a Microsoft DHCP server. I could go there but another engineer is forcing all the users into one tunnel group so ip helper won't work there (I don't think).

HELP!!!!

Thanks

Joe W

Accepted Solutions

@Mike.Cifelli wrote:
Why not use the ASA/VPN box to locally distribute IPs accordingly? Or have you considered utilizing AD and specific attributes such as msRADIUSFramedIPAddress to issue IPs? Only issue with option two I think is that it would be a static non-dynamic IP at all times.

ISE DHCP Services is not a solution for this, it's not scaled, designed or tested for this use case.

See this thread as well? 

https://community.cisco.com/t5/identity-services-engine-ise/need-to-get-a-dhcp-address-from-a-internal-dhcp-server-for-my/m-p/4005349#M33120


4 REPLIES
Mike.Cifelli
VIP Advocate

Why not use the ASA/VPN box to locally distribute IPs accordingly? Or have you considered utilizing AD and specific attributes such as msRADIUSFramedIPAddress to issue IPs? Only issue with option two I think is that it would be a static non-dynamic IP at all times.

Sorry, none of the devices are on AD. They are ALL external users who do not have our AD attributes.

I have tried to use the ASA/VPN box. I defined all of the scopes (12) and pointed the local-groups to them; however, I still get nothing.


Can ISE DHCP network-scope fulfill this requirement?
