ISE 2.0 AnyConnect VPN IP address assignment

bkoch1
Level 1

I'm using ISE 2.0 and an ASA5505 for AnyConnect VPN users. The authentication piece works. The issue I'm having is getting a group to get an IP address from a specific IP pool. I'd like the staff to get IPs from the staff pool (10.248.1.1-.200), and students get IPs from the student pool (10.249.1.1-.200).

If I specify both IP pools in the AnyConnect profile, it assigns IPs from the first pool designated, regardless of authentication group.

I'm new to using ISE, so I'm not sure how to do this. I've tried several avenues to no avail.

2 Replies

Marvin Rhoads
Hall of Fame

The best way is to map each group (usually based on group membership in AD) to a separate ASA tunnel-group / connection profile. Each of those has its own address pool and that takes care of things.

You can assign them automatically so that they don't have to (and indeed are unable to) choose from a list when logging on.

I found I could apply an ACL to the "student" group in ISE to restrict their access, even though they are all in the same IP pool.
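The layout described in the first reply (one ASA connection profile per group, each with its own address pool), sketched as an added example that is not configuration from any poster in this thread. The pool ranges come from the question; the pool, tunnel-group and server-group names, the hostname `vpn.example.com`, and the use of a group URL to land users in a profile are assumptions. It also assumes AnyConnect is already enabled and an aaa-server group named `ISE` already exists, since the question says authentication works.

```cisco
! Constructed example. Pool ranges are from the question;
! every name and URL below is a placeholder.
ip local pool STAFF-POOL 10.248.1.1-10.248.1.200
ip local pool STUDENT-POOL 10.249.1.1-10.249.1.200
!
! One connection profile (tunnel-group) per population.
! The pool is bound to the profile, so the address a user receives
! depends on which profile the session lands in, not on pool order.
tunnel-group STAFF type remote-access
tunnel-group STAFF general-attributes
 address-pool STAFF-POOL
 authentication-server-group ISE
tunnel-group STAFF webvpn-attributes
 group-url https://vpn.example.com/staff enable
!
tunnel-group STUDENT type remote-access
tunnel-group STUDENT general-attributes
 address-pool STUDENT-POOL
 authentication-server-group ISE
tunnel-group STUDENT webvpn-attributes
 group-url https://vpn.example.com/student enable
```

After a test login from each group, `show vpn-sessiondb anyconnect` on the ASA lists the tunnel group and assigned IP for each session, which confirms the address came from the intended pool.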