09-06-2016 02:09 PM
I'm using ISE 2.0 and an ASA5505 for AnyConnect VPN users. The authentication piece works. The issue I'm having is getting a group to get an IP address from a specific IP pool. I'd like the staff to get IPs from the staff pool (10.248.1.1-.200), and students get IPs from the student pool (10.249.1.1-.200).
If I specify both IP pools in the AnyConnect profile, it assigns IPs from the first pool designated, regardless of authentication group.
I'm new to using ISE, so I'm not sure how to do this. I've tried several avenues to no avail.
09-06-2016 02:56 PM
The best way is to map each group (usually based on group membership in AD) to a separate ASA tunnel-group / connection profile. Each of those has its own address pool and that takes care of things.
You can assign them automatically so that they don't have to (and indeed are unable to) choose from a list when logging on.
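A sketch of the ASA side of the approach described in the reply above, added here as an example and not part of the original post: one connection profile per group, each with its own address pool. The profile and policy names, the `/24` mask, the `vpn.example.edu` URLs and the existing RADIUS server group named `ISE` are assumptions, and using a `group-url` per profile is one way to select the profile without a drop-down list; the ISE policy that decides who may authenticate through each profile is not shown.

```cisco
! Constructed example for ASA 8.4 or later. All names, the mask and the URLs are assumptions.
! Address ranges are the ones given in the question.
ip local pool STAFF-POOL 10.248.1.1-10.248.1.200 mask 255.255.255.0
ip local pool STUDENT-POOL 10.249.1.1-10.249.1.200 mask 255.255.255.0
!
! One group policy per population, so restrictions can differ later.
group-policy GP-STAFF internal
group-policy GP-STAFF attributes
 vpn-tunnel-protocol ssl-client
group-policy GP-STUDENT internal
group-policy GP-STUDENT attributes
 vpn-tunnel-protocol ssl-client
!
! Staff connection profile: own pool, authenticated against the
! RADIUS server group assumed to point at ISE already.
tunnel-group STAFF type remote-access
tunnel-group STAFF general-attributes
 address-pool STAFF-POOL
 authentication-server-group ISE
 default-group-policy GP-STAFF
tunnel-group STAFF webvpn-attributes
 group-url https://vpn.example.edu/staff enable
!
! Student connection profile: same structure, different pool.
tunnel-group STUDENT type remote-access
tunnel-group STUDENT general-attributes
 address-pool STUDENT-POOL
 authentication-server-group ISE
 default-group-policy GP-STUDENT
tunnel-group STUDENT webvpn-attributes
 group-url https://vpn.example.edu/student enable
!
! Hide the connection-profile drop-down so users cannot pick a profile.
webvpn
 no tunnel-group-list enable
```

After a test login from each group, `show vpn-sessiondb anyconnect` lists the tunnel group and assigned address for every session, which confirms that each population lands in its intended pool.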
09-22-2016 12:13 PM
I found I could apply an ACL to the "student" group in ISE to restrict their access, even though they are all in the same IP pool.