07-31-2017 10:09 PM
Hi all,
I have a customer who currently authenticates approximately 200 Cisco 3G WAN Interfaces to a FreeRADIUS server hosted in their data centre, proxied through their ISP RADIUS servers. I am looking to migrate this to ISE.
Currently the network administrators add the PPP user/password/IP address details in a .conf file in FreeRADIUS and the 3G routers authenticate here - easy stuff!
Each WAN interface MUST be assigned the same IP address. However I can't see how I can accomplish this in ISE without creating 200 local identities, 200 matching AuthZ policies, with 200 matching AuthZ profiles. In good old ACS, you could assign an IP address to each of the locally created users, and have a single AuthZ profile that says something like RADIUS:Framed-IP-Address = User-IP-Address. Without the User IP address field available, I have to create individual policies to map an IP address to a user.
I was thinking that I could use the IP address field in the NAS and map this to the Framed-IP-Address attribute. However the 3G interfaces are not seen on ISE as NASes, they are users authenticating through the NAS. The only NAS ISE sees is the ISP RADIUS proxy server.
I don't care how I achieve this, I just need to assign static IP addresses using the Framed-IP-Address attribute to authenticating PPP sessions. I am OK for the users themselves to be created locally within ISE.
Any advice would be greatly appreciated.
-Brett Verney
07-31-2017 10:45 PM
ISE 2.2. Try this.
1. Create a custom user attribute
2. Import the user information for the 200 interfaces using a CSV file (converted from your .conf file)
3. Create an authz profile as you describe mapping the framed ip address (or whatever attribute you want to return) to the custom field created above
I didn’t test this configuration, but it should work.
Good luck
George
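Step 2 above, sketched as an added example that is not part of the original reply or of any Cisco tooling: it converts FreeRADIUS entries to CSV and rejects malformed or duplicate addresses before import. It assumes the .conf file uses the FreeRADIUS `users` file syntax (`Cleartext-Password` check item, `Framed-IP-Address` reply item); the sample entries and the column names `UserName`, `Password` and `Static_IP` are constructed placeholders.

```python
import csv
import io
import ipaddress
import re

# Constructed sample in FreeRADIUS "users" file syntax (assumed layout of the .conf file).
SAMPLE_USERS = '''\
# 3G WAN interfaces
site001  Cleartext-Password := "examplePass1"
         Service-Type = Framed-User,
         Framed-Protocol = PPP,
         Framed-IP-Address = 10.20.0.1

site002  Cleartext-Password := "examplePass2"
         Framed-IP-Address = 10.20.0.2
'''

CHECK = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"')
REPLY = re.compile(r'^\s+Framed-IP-Address\s*:?=\s*"?([^",\s]+)"?')

def parse_users(text):
    """Return [(user, password, ip)]; raise ValueError on bad or duplicate entries."""
    rows, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CHECK.match(line)
        if m:  # unindented line starts a new user entry
            current = [m.group(1), m.group(2), None]
            rows.append(current)
            continue
        m = REPLY.match(line)
        if m and current is not None:
            # IPv4Address raises a ValueError subclass on a malformed address
            current[2] = str(ipaddress.IPv4Address(m.group(1)))
    seen_users, seen_ips = set(), set()
    for user, _, ip in rows:
        if ip is None:
            raise ValueError(f"{user}: no Framed-IP-Address")
        if user in seen_users or ip in seen_ips:
            raise ValueError(f"{user}: duplicate user name or address {ip}")
        seen_users.add(user)
        seen_ips.add(ip)
    return [tuple(r) for r in rows]

def to_csv(rows, header=("UserName", "Password", "Static_IP")):
    """Header names are placeholders; copy the real ones from the ISE import template."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(parse_users(SAMPLE_USERS)), end="")
```

The output holds cleartext PPP passwords, so write it only to a restricted location and delete it once the import has been verified.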
08-24-2017 02:55 AM
Hi George,
Thanks for your assistance. We did exactly as you suggested and it works well.
Thanks again,
Brett Verney