3586 Views | 5 Helpful | 4 Replies

Set Static IP to Anyconnect user using ISE

srijan
Level 1

Hi, in our production environment, RA users connect to the network using AnyConnect (authentication via PKI cert and ISE, AD integrated). The requirement here is for one user: he needs to be assigned the same IP every time he connects using VPN. We do have a policy in ISE: if the username matches (which is obtained from the certificate), the framed-ip-address and framed mask address attributes are set to an IP address (assume 10.10.10.15) and its equivalent netmask. This also falls within the range that is defined in the ASA dhcp-network-scope. Whenever the user connects, it picks the default policy like any other user, but not this one. Any suggestions on how to troubleshoot? Is there something that I am missing?

4 Replies

Hi,

This seems to be what you are looking for.

Rahul Govindan
VIP Alumni

Do you have the "vpn-addr-assign aaa" command enabled? This enables an AAA server to assign an IP address to a user. I do not think this is enabled by default.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/T-Z/cmdref4/v.html#pgfId-1663263

Thanks RJI and Rahul.

I will check this when I get to work today.

Hi Rahul,

Assuming I don't have this already set (vpn-addr-assign aaa) and I add it to the config today.

Here, I am more concerned about just this one user, say user1, who should get this static IP. The rest of the employees should get an IP released from DHCP, as is happening currently. Will this change (vpn-addr-assign aaa) have any impact on the other users?

Hi RJI,

This issue started since we changed our certificate vendor, is what we assume. Because the user did not report the issue when it actually stopped working, he took months before bringing it to us. It was working fine without the Dial-In settings in AD as suggested in the link provided by you. However, I will take a look at it today and update you folks on the status.

Thank you for the inputs.

You can have both enabled. If I recall, aaa should have a higher precedence over dhcp. I would open a Cisco TAC case to confirm this as I could find no external doc on this.

And although the command reference says that there is no default value for this, another doc says that it is enabled by default. You might want to check "show run all vpn-addr-assign" before making changes.
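Before touching vpn-addr-assign, the other half worth confirming is that ISE really returns Framed-IP-Address and Framed-IP-Netmask for this user instead of the default policy's reply. The following is an added example, not code from the thread or from Cisco: it decodes a RADIUS Access-Accept (RFC 2865 layout) and checks the two attributes against the ASA dhcp-network-scope. The packet bytes are constructed here to match the question; a real reply would come from a packet capture of the ASA-to-ISE RADIUS exchange.

```python
from typing import Dict, Optional, Tuple
import ipaddress
import struct

ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS = 8  # RFC 2865 attribute types
FRAMED_IP_NETMASK = 9

def parse_radius(packet: bytes) -> Tuple[int, Dict[int, bytes]]:
    """Return (code, {attribute type: raw value}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS Length field")
    attrs, pos = {}, 20  # attributes follow the 16-byte Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, attrs

def framed_address(packet: bytes, scope: str) -> Optional[ipaddress.IPv4Interface]:
    """Framed-IP-Address/Netmask from an Access-Accept, or None when either
    attribute is missing or the address falls outside dhcp-network-scope."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return None
    if FRAMED_IP_ADDRESS not in attrs or FRAMED_IP_NETMASK not in attrs:
        return None  # ISE matched the default rule, not the per-user one
    addr = ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS])
    mask = ipaddress.IPv4Address(attrs[FRAMED_IP_NETMASK])
    if addr not in ipaddress.IPv4Network(scope):
        return None  # outside the range the ASA hands out
    return ipaddress.IPv4Interface("%s/%s" % (addr, mask))

def build_accept(attrs: Dict[int, bytes]) -> bytes:
    """Constructed Access-Accept (zeroed Authenticator) for offline testing."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs.items())
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

# Constructed sample: what the ISE rule for user1 should return (per the thread).
SAMPLE_ACCEPT = build_accept({
    FRAMED_IP_ADDRESS: ipaddress.IPv4Address("10.10.10.15").packed,
    FRAMED_IP_NETMASK: ipaddress.IPv4Address("255.255.255.0").packed,
})
```

`framed_address(SAMPLE_ACCEPT, "10.10.10.0/24")` yields 10.10.10.15/24; a reply that lacks either attribute, or whose address sits outside the scope, yields None, which is the case to look for when the user keeps landing on the default policy.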