
Per-user IP address Assignment on ISE

Hello,

I need to assign a per-user IP address to an ISE internal user. I have seen in an older post that in 2.0 this is possible with a static IP address, but not with a pool. Is there any news on this in the new versions (2.1, 2.2)? Is it possible to use the internal DHCP for assigning IP addresses?

Regards.


Craig Hyps
Level 10

The primary purpose of the integrated DNS/DHCP Service in ISE 2.1 is to support URL redirection for NADs that lack this functionality. It is not intended to be used as a general purpose DNS/DHCP server. ISE does not support pools, but can assign based on RADIUS Framed-IP-Address attribute either to static value in ISE or stored in external ID store. Pools were primarily used in ACS to support dialup modem banks. Virtually all have migrated to VPN for that particular use case.

If you still have a business requirement to support IP pools, be sure to convey this to your local Cisco sales team so that they can submit this into the feature request queue.

Regards,
Craig

mstraessle
Level 4

Hi

I have already had this question several times, and also the feature request. Unfortunately I always got the same answer: "There are no plans to integrate local IP Pools into ISE again (also ACS 5.x did no more support it)."

As Craig already mentioned, the purpose is very limited. But besides old dialup modem banks, we had the use case for a closed user group 3G cellular service from Mobile providers using 3GPP and RADIUS for IP assignment.

Because of this lack of features (other RADIUS servers also no longer support this, like Aruba ClearPass), we decided to use the RESTful API on ISE and built our own solution based on any DB, which sets the static IP address per device. For this we created a separate web server where the users (in our case phone numbers) are deployed from different tenants in different groups, which are deployed in real time to ISE using REST. So the Framed-IP-Address attribute is saved locally on ISE. This setup allows deploying hundreds or thousands of users with a simple import using CSV, for example.

This has been working for almost one year so far, and the customer is very happy.

Please let me know if you want further information.

BTW: Besides ACS 4.x we found only MS RADIUS Server where the feature is still available...
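
The CSV-to-REST provisioning described in the post above, sketched as an added example (not the poster's code and not part of the original thread): each row is validated before anything would be sent to ISE, so malformed, out-of-range and duplicate static addresses are rejected up front. The CSV columns, tenant ranges, the custom attribute name `FramedIP` and the request body shape are assumptions.

```python
import csv
import io
import ipaddress
import json

# Constructed sample export: tenant, subscriber (phone number), static IP.
SAMPLE_CSV = """tenant,msisdn,framed_ip
acme,41790000001,10.20.0.11
acme,41790000002,10.20.0.12
acme,41790000003,10.20.0.12
globex,41790000004,10.30.0.5
globex,41790000005,10.20.0.99
globex,41790000006,not-an-ip
"""

# Assumed per-tenant address ranges (hypothetical values).
TENANT_RANGES = {"acme": "10.20.0.0/24", "globex": "10.30.0.0/24"}

# Assumed name of an internal-user custom attribute that an authorization
# profile would return as RADIUS Framed-IP-Address.
ATTR = "FramedIP"


def build_payloads(csv_text, ranges=TENANT_RANGES):
    """Return (payloads, rejected) for rows of tenant,msisdn,framed_ip."""
    seen, payloads, rejected = {}, [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user, tenant = row["msisdn"], row["tenant"]
        try:
            ip = ipaddress.ip_address(row["framed_ip"])
        except ValueError:
            rejected.append((user, "invalid address"))
            continue
        net = ipaddress.ip_network(ranges[tenant]) if tenant in ranges else None
        if net is None or ip not in net:
            # Keeps one tenant from being handed another tenant's address.
            rejected.append((user, "outside tenant range"))
        elif ip in seen:
            # Two users with the same static address would collide on the NAD.
            rejected.append((user, f"duplicate of {seen[ip]}"))
        else:
            seen[ip] = user
            # Assumed body shape; password and group ID are left out here.
            payloads.append({"InternalUser": {
                "name": user, "customAttributes": {ATTR: str(ip)}}})
    return payloads, rejected


if __name__ == "__main__":
    ok, bad = build_payloads(SAMPLE_CSV)
    print(json.dumps(ok, indent=2))
    print(bad)
```
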

Marco,

I would be happy to sync with you offline to see if we could get a write-up on customer success with their implementation as it speaks to the flexibility and scale of the solution.

On a separate note, I am always surprised when no one mentions our premier SP-focused AAA server which is not ISE, but Prime Access Registrar. This solution is a 3GPP-compliant RADIUS and DIAMETER server which also supports IP address pools. Shame on me for not at least suggesting under the assumption that use case could be more SP-targeted.

Maybe Mr. Fernandez can shed more light on specific use case.  If SP-focused, then would consider both options.  If enterprise-focused, then Marco's solution may fit the bill.  Yet another alternative is to leverage the gateway's ability to dynamically assign DHCP server or scope based on connection properties, or as a result of returned policy.  For example, with ASA VPN, it is possible to assign users to a specific policy group which has a unique address pool, or to assign to a specific VLAN which has a specific pool, or define DHCP scope to target.

Cheers,
Craig