Thanks.

Could you please help me understand how it would work with string type?

Manasi Jain

AD had an issue that the value for IPv4-typed attribute not presenting correctly because AD stores the attribute msRADIUSFramedIPAddress in IPv4 type while earlier ISE releases (< 2.0) fetch all AD attributes as string type only. Below is a screenshot in ISE 2.0.1 and updating the type from string to IPv4 after retrieving it from AD.

Internal users have no such problem because ISE may store the IPv4 value as string and present it as string. AFAIK it has always worked if the NAD supporting it.

Below is a sample procedure to assign static IP address (Framed-IP-Address) to a session.

1. Define a custom attribute of String type for internal user

2. Assign the custom internal-user attribute with the static IP address

3. Assign a RADIUS authorization profile with advanced attributes settings to assign Radius:Framed-IP-Address with the value from the custom attribute

4. Use it in ISE RADIUS authorization policy rule

5. Test

Hey Hslai,

first thank you for ur useful Post.

I would like to ask you how can I have a Dynamic IP Pool in ISE2.3? Is it possible? if yes, how could I make it?

Kind Regards,

Keyvan

ISE provides RADIUS services so you need to check whether the NAD allows it overridden by AAA attributes and which attributes. Some third-party NAD requires vendor-specific dictionary imported to ISE.

To support web redirects with 3rd-party access NAD, ISE has DNS/DHCP services. See Configure Third-Party NAD Redirection on ISE 2.1 - Cisco

Please either start a new discussion thread or engage Cisco TAC, as your request is off topic from this thread.

Keyvan

I had the same requirements some years ago already, and we decided to use the API to solve the issue since ISE does not support dynamic IP assignment, which in fact is a poor situation since it was there in ACS 4.x and before...

This for we built a Webfrontend with a DB to hold the IP's (in fact they are created automatically when create a corresponding IP Range/Subnet). Then the intelligence is built on this Webserver to choose one of the next available IP Addresses when a new user is created, without any intervention of the Admin. And all of it, it is multi tenancy...

If you are more interested in the solution, I can provide you a pdf which describes all this in more detail (but it is in german, as well as the webfrontend). But would be easy to translate...

The customer is very happy, since there is almost no other product which supports dynamic IP assignment anymore (neither Aruba CP or Juniper stealbelted).

This is how the architecure looks like:

And this is the look and feel for the admins:

Cheers, Marco

Hi hslai,

i configured it exactly like in your post, however my AnyConnect result is:

"The secure gateway has rejected the connection attempt.  A new connection attempt to the same or another secure gateway is needed, which requires re-authentication.

The following message was received from the secure gateway: No assigned address"

Am i missing something?

Please help!

thx Wladimir

Assuming you are using ASA, try the following:

Syslogs

logging class auth

Debugs

The following debug settings focus on radius processing:

• debug radius [all | user | session]  - troublehshooting of RADIUS AAA processing initated by the ASA
• debug radius decode - focus on RADIUS message content
• debug radius dynamic authorization - troubleshooting of RADIUS CoA processing

Hi hslai,

it is working now.

With ISE 2.3 the solution was to use Type IP not String.

With Type String ISE was not sending Framed-IP-Address towards ASA.

Regards,

Wladimir

How about something a little less cryptic.