Cisco Community
English
Register
Great changes are coming to Cisco Community in July. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

13535
Views
20
Helpful
15
Replies
manasjai
Cisco Employee
Cisco Employee
‎08-25-2016 10:22 AM
‎08-25-2016 10:22 AM

Per-user IP address Assignment on ISE

One of our customers is migrating their existing ACS 4.2 to ISE due to the ACS EoS.

Do we have any plans to add IP pool definition and IP address assignment from ISE like we used to do on ACS? The users are stored in internal database.

I did look at a few old Service requests and mail threads on topic but could not find anything concrete.

https://search-prd.cisco.com/topic/news/cisco/cs/cs-ise/dsc00721.html.

Is this supported on 2.0 or is there any workaround to achieve this?

1 ACCEPTED SOLUTION

Accepted Solutions
hslai
Cisco Employee
Cisco Employee
‎08-27-2016 10:26 AM
‎08-27-2016 10:26 AM

If using AD attributes, then it's supported now in ISE (since 2.0). If using internal user, then it should work with string type.

View solution in original post

15 REPLIES 15
hariholla
Cisco Employee
Cisco Employee
‎08-25-2016 11:35 AM
‎08-25-2016 11:35 AM

ISE authorization profile can invoke an IP address pool configured on the Network Device. If its a Cisco ASA, then it uses Cisco AV pair (see below). For 3rd party, it is RADIUS attribute 88 Framed-Pool.

Number

Attribute

Description

217

IP-Pool-Definition

Defines a pool of addresses using the following format:

X a.b.c Z

Where X is the pool index number, a.b.c is the pool’s starting IP address, and Z is the number of IP addresses in the pool. For example, 3 10.0.0.1 5 allocates 10.0.0.1 through 10.0.0.5 for dynamic assignment

218

Assign-IP-Pool

Tells the router to assign the user and IP address from the IP pool

You can define these under 'Advanced Attribute Settings' within the Authorization Profile definition in ISE:

Screen Shot 2016-08-25 at 11.30.49 AM.png

Here are some discussions from archives for reference:

https://supportforums.cisco.com/discussion/11740786/cisco-assign-ip-pool-radius-vsa-integer

https://supportforums.cisco.com/discussion/11837241/ip-pool-selection-radius

hslai
Cisco Employee
Cisco Employee
‎08-27-2016 10:26 AM
‎08-27-2016 10:26 AM

If using AD attributes, then it's supported now in ISE (since 2.0). If using internal user, then it should work with string type.

manasjai
Cisco Employee
Cisco Employee
In response to hslai
‎08-28-2016 03:46 AM
‎08-28-2016 03:46 AM

Thanks.

Could you please help me understand how it would work with string type?

Manasi Jain

hslai
Cisco Employee
Cisco Employee
In response to manasjai
‎08-28-2016 11:42 AM
‎08-28-2016 11:42 AM

AD had an issue that the value for IPv4-typed attribute not presenting correctly because AD stores the attribute msRADIUSFramedIPAddress in IPv4 type while earlier ISE releases (< 2.0) fetch all AD attributes as string type only. Below is a screenshot in ISE 2.0.1 and updating the type from string to IPv4 after retrieving it from AD.

Screen Shot 2016-08-28 at 10.56.49 AM.png

Internal users have no such problem because ISE may store the IPv4 value as string and present it as string. AFAIK it has always worked if the NAD supporting it.

Below is a sample procedure to assign static IP address (Framed-IP-Address) to a session.

1. Define a custom attribute of String type for internal userScreen Shot 2016-08-28 at 11.13.56 AM.png

2. Assign the custom internal-user attribute with the static IP address Screen Shot 2016-08-28 at 11.34.41 AM.png

3. Assign a RADIUS authorization profile with advanced attributes settings to assign Radius:Framed-IP-Address with the value from the custom attribute

Screen Shot 2016-08-28 at 11.16.35 AM.png

4. Use it in ISE RADIUS authorization policy rule

Screen Shot 2016-08-28 at 11.38.03 AM.png

5. Test

Screen Shot 2016-08-28 at 11.18.20 AM.png

knsh2003
Beginner
Beginner
In response to hslai
‎09-13-2017 12:06 AM
‎09-13-2017 12:06 AM

Hey Hslai,

first thank you for ur useful Post.

I would like to ask you how can I have a Dynamic IP Pool in ISE2.3? Is it possible? if yes, how could I make it?

Kind Regards,

Keyvan

hslai
Cisco Employee
Cisco Employee
In response to knsh2003
‎09-13-2017 11:14 AM
‎09-13-2017 11:14 AM

ISE provides RADIUS services so you need to check whether the NAD allows it overridden by AAA attributes and which attributes. Some third-party NAD requires vendor-specific dictionary imported to ISE.

To support web redirects with 3rd-party access NAD, ISE has DNS/DHCP services. See Configure Third-Party NAD Redirection on ISE 2.1 - Cisco

knsh2003
Beginner
Beginner
In response to hslai
‎09-13-2017 12:25 PM
‎09-13-2017 12:25 PM

Thanks.

Actually I had read that 3rd party article and I had configured my ISE like that to use DHCP service too but unfortunately it didn't work.

I have installed ISE on VMware and we wanna use it for our Radius server.

That would be nice if you can help me more.

Have a great time.

Cheers

hslai
Cisco Employee
Cisco Employee
In response to knsh2003
‎09-13-2017 01:21 PM
‎09-13-2017 01:21 PM

Please either start a new discussion thread or engage Cisco TAC, as your request is off topic from this thread.

mstraessle
Enthusiast
Enthusiast
In response to knsh2003
‎09-13-2017 11:37 AM
‎09-13-2017 11:37 AM

Keyvan

I had the same requirements some years ago already, and we decided to use the API to solve the issue since ISE does not support dynamic IP assignment, which in fact is a poor situation since it was there in ACS 4.x and before...

This for we built a Webfrontend with a DB to hold the IP's (in fact they are created automatically when create a corresponding IP Range/Subnet). Then the intelligence is built on this Webserver to choose one of the next available IP Addresses when a new user is created, without any intervention of the Admin. And all of it, it is multi tenancy...

If you are more interested in the solution, I can provide you a pdf which describes all this in more detail (but it is in german, as well as the webfrontend). But would be easy to translate...

The customer is very happy, since there is almost no other product which supports dynamic IP assignment anymore (neither Aruba CP or Juniper stealbelted).

This is how the architecure looks like:


ISe-Manager.tiff

And this is the look and feel for the admins:

ISE Manager4IP.tiff

Cheers, Marco