One of our customers is migrating their existing ACS 4.2 to ISE due to the ACS EoS.
Do we have any plans to add IP pool definition and IP address assignment from ISE like we used to do on ACS? The users are stored in internal database.
I did look at a few old Service requests and mail threads on topic but could not find anything concrete.
Is this supported on 2.0 or is there any workaround to achieve this?
ISE authorization profile can invoke an IP address pool configured on the Network Device. If it's a Cisco ASA, then it uses a Cisco AV pair (see below). For 3rd party, it is RADIUS attribute 88 Framed-Pool.
Defines a pool of addresses using the following format:
X a.b.c Z
Where X is the pool index number, a.b.c is the pool's starting IP address, and Z is the number of IP addresses in the pool. For example, 3 10.0.0.1 5 allocates 10.0.0.1 through 10.0.0.5 for dynamic assignment.
Tells the router to assign the user an IP address from the IP pool.
You can define these under 'Advanced Attribute Settings' within the Authorization Profile definition in ISE:
Here are some discussions from archives for reference:
AD had an issue where the value of an IPv4-typed attribute was not presented correctly, because AD stores the attribute msRADIUSFramedIPAddress as IPv4 type while earlier ISE releases (< 2.0) fetched all AD attributes as string type only. Below is a screenshot in ISE 2.0.1 showing the type being updated from string to IPv4 after retrieving it from AD.
Internal users have no such problem because ISE may store the IPv4 value as a string and present it as a string. AFAIK it has always worked if the NAD supports it.
Below is a sample procedure to assign static IP address (Framed-IP-Address) to a session.
1. Define a custom attribute of String type for internal user
2. Assign the custom internal-user attribute with the static IP address
3. Assign a RADIUS authorization profile with advanced attributes settings to assign Radius:Framed-IP-Address with the value from the custom attribute
4. Use it in ISE RADIUS authorization policy rule
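As an added illustration (this is not code from the thread, from ISE or from Cisco), here is a small Python model of what the two mechanisms described above put on the wire in a RADIUS Access-Accept: a parser for the 'X a.b.c Z' pool definition, the Cisco AV pair and Framed-Pool (attribute 88) encodings, and a Framed-IP-Address (attribute 8) encoder that only accepts a value which actually parses as an IPv4 address, which is the check behind the String-vs-IP type point in the static-address procedure. The AV pair key `ip:ip-pool-definition` is an assumption taken from Cisco IOS/ASA documentation rather than from this post; the pool name and addresses are constructed sample values.

```python
import ipaddress
import struct

# RADIUS attribute types (RFC 2865 / RFC 2869) used in this thread
FRAMED_IP_ADDRESS = 8     # value: a 4-byte IPv4 address
FRAMED_POOL = 88          # value: text, the pool name configured on the NAD
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # Cisco VSA sub-type carrying "key=value" text


def parse_pool_definition(definition: str):
    """Parse the 'X a.b.c Z' pool syntax into (index, [addresses]).

    '3 10.0.0.1 5' -> (3, ['10.0.0.1', ..., '10.0.0.5'])
    """
    parts = definition.split()
    if len(parts) != 3:
        raise ValueError(f"expected 'X a.b.c Z', got {definition!r}")
    index, count = int(parts[0]), int(parts[2])
    start = ipaddress.IPv4Address(parts[1])
    if count < 1:
        raise ValueError("pool size must be at least 1")
    if int(start) + count - 1 > int(ipaddress.IPv4Address("255.255.255.255")):
        raise ValueError("pool runs past the end of the IPv4 address space")
    return index, [str(start + i) for i in range(count)]


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type (1 byte), length incl. header (1 byte), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap 'key=value' text in a Cisco Vendor-Specific attribute (vendor 9, sub-type 1)."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode("ascii")
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def framed_pool(name: str) -> bytes:
    """Framed-Pool (88): the pool name, sent as text, for a non-Cisco NAD."""
    return avp(FRAMED_POOL, name.encode("ascii"))


def framed_ip_address(value: str) -> bytes:
    """Encode Framed-IP-Address as the 4-byte address the NAD expects.

    `value` is what a String-typed internal-user custom attribute holds; it
    is only accepted if it parses as an IPv4 address, never sent as raw text.
    """
    try:
        addr = ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"custom attribute value {value!r} is not an IPv4 address") from exc
    return avp(FRAMED_IP_ADDRESS, addr.packed)


def is_valid_static_ip(value: str) -> bool:
    """Pre-check an admin can run on the custom attribute value before assigning it."""
    try:
        framed_ip_address(value)
    except ValueError:
        return False
    return True


def decode_avps(blob: bytes):
    """Split a run of attributes into (type, value) pairs; reject malformed lengths."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return out


def assigned_address(avps):
    """Return the dotted address a strict NAD would take from Framed-IP-Address, or None.

    A Framed-IP-Address whose value is not exactly 4 bytes (e.g. the text
    '10.0.0.5' sent as a string) is treated as absent.
    """
    for attr_type, value in avps:
        if attr_type == FRAMED_IP_ADDRESS and len(value) == 4:
            return str(ipaddress.IPv4Address(value))
    return None


if __name__ == "__main__":
    # Constructed sample: the pool definition from the post plus a static address.
    print(parse_pool_definition("3 10.0.0.1 5"))
    accept = cisco_avpair("ip:ip-pool-definition=3 10.0.0.1 5") + framed_ip_address("10.0.0.5")
    print(assigned_address(decode_avps(accept)))
```

The decoder deliberately ignores a Framed-IP-Address whose value is not a 4-byte address, which is the reason a text-typed value ends up with the NAD seeing no usable address at all; `is_valid_static_ip` is the corresponding check on the ISE side before the value is ever put into the authorization profile.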
First, thank you for your useful post.
I would like to ask you how I can have a dynamic IP pool in ISE 2.3. Is it possible? If yes, how could I do it?
ISE provides RADIUS services, so you need to check whether the NAD allows it to be overridden by AAA attributes, and which attributes. Some third-party NADs require a vendor-specific dictionary to be imported into ISE.
To support web redirects with 3rd-party access NAD, ISE has DNS/DHCP services. See Configure Third-Party NAD Redirection on ISE 2.1 - Cisco
Actually I had read that 3rd party article and I had configured my ISE like that to use DHCP service too but unfortunately it didn't work.
I have installed ISE on VMware and we want to use it as our RADIUS server.
It would be nice if you could help me more.
Have a great time.
I had the same requirements some years ago already, and we decided to use the API to solve the issue since ISE does not support dynamic IP assignment, which in fact is a poor situation since it was there in ACS 4.x and before...
For this we built a web frontend with a DB to hold the IPs (in fact they are created automatically when you create a corresponding IP range/subnet). Then the intelligence is built on this web server to choose one of the next available IP addresses when a new user is created, without any intervention of the admin. And all of it is multi-tenant...
If you are more interested in the solution, I can provide you a PDF which describes all this in more detail (but it is in German, as well as the web frontend). But it would be easy to translate...
The customer is very happy, since there is almost no other product which supports dynamic IP assignment anymore (neither Aruba CP nor Juniper Steel-Belted).
This is how the architecture looks:
And this is the look and feel for the admins:
Thanks a lot for your message.
You are right, I had exactly the same problem with ISE! It really sucks that it doesn't support dynamic IP assignment!
When I tried to use the DHCP service, unfortunately I couldn't figure it out. I think it must be a specific authorisation rule for that to use as a DHCP rule profile!
Also we want to use ISE as our RADIUS server for our smartphone management by MDM. It would be great if you want to share your docs with me. By the way, I live in Germany and speak German too ;)
Your great experience would definitely help us.
Have a nice time.
I configured it exactly like in your post, however my AnyConnect result is:
"The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication.
The following message was received from the secure gateway: No assigned address"
Am I missing something?
Assuming you are using ASA, try the following:
logging class auth
The following debug settings focus on radius processing:
It is working now.
With ISE 2.3 the solution was to use type IP, not String.
With Type String ISE was not sending Framed-IP-Address towards ASA.