Cisco ISE; Apply attributes, IP Address, to authenticated user

cheery Tomato
Level 1


I am migrating user authentication policies off of the existing RADIUS NPS server.

On the RADIUS NPS server the user authenticates and receives an IP address.

 

I want to set Cisco ISE to pull the attribute from the user's Active Directory account, where the IP address is located, and apply this to the user's PPP connection.

 

I have Cisco ISE and Active Directory working.

My biggest problem is how to apply the IP address to the client through the Cisco ISE policy that I am setting up.

Attached is a picture of the policy from the old RADIUS server and how it applied the IP address to PPP connections.

 

Any help is greatly appreciated.

Cheers.

 

 


6 Replies

Arne Bier
VIP

 

I just took a quick stab at this. I configured a static IP address for my AD user in the user's Dial-In tab, under "Assign Static IP address".

In ISE 2.2 I can retrieve that AD attribute from the External Identities Attributes menu option as a signed integer value :-(

e.g. I configured an IPv4 address of 172.16.0.101 and ISE retrieves a STRING of -1408237467 (which is not a great way to present IP addresses). It is a signed integer representation of the IPv4's 32-bit value:

10101100.00010000.00000000.01100101

 

During the addition of the AD attribute msRADIUSFramedIPAddress ISE will complain when you click the Save button - it notices that it's an IP address and asks you to change the type from STRING to IP.

(screenshot: radius2.png)

 

 

Then you need to create a new Authorization Policy:

(screenshot: radius.PNG)

  

 

Result
User-Name  abier@MEGA.local
Framed-IP-Address  172.16.0.101
State  ReauthSession:c0a815646JpxUXOs9_T9I0Op/E9lJ0LtJt7RJmXe66wGCbfQbec
Class  CACS:c0a815646JpxUXOs9_T9I0Op/E9lJ0LtJt7RJmXe66wGCbfQbec:ise01/293854661/105
Tunnel-Type  (tag=1) VLAN
Tunnel-Medium-Type  (tag=1) 802
Tunnel-Private-Group-ID  (tag=1) 100
MS-MPPE-Send-Key  ****
MS-MPPE-Recv-Key  ****
LicenseTypes  Base license consumed
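
As an added illustration (my own code, not part of Arne's reply and not an ISE or AD feature), this converts between the signed 32-bit STRING value ISE first imports for msRADIUSFramedIPAddress and the dotted-quad address, so an imported value can be sanity-checked before the attribute type is changed to IP. The empty-attribute handling and the value ranges are assumptions of the example, not behaviour documented in the thread.

```python
import ipaddress

# Added example: AD stores msRADIUSFramedIPAddress as a signed 32-bit integer,
# which is why ISE showed 172.16.0.101 as the STRING "-1408237467".


def ad_int_to_ipv4(value):
    """Turn the imported STRING (e.g. '-1408237467') into dotted-quad form.

    Any address at or above 128.0.0.0 has its top bit set and therefore
    appears negative. Returns None when the attribute is absent or empty
    (assumption of this example, not documented ISE behaviour)."""
    if value is None or str(value).strip() == "":
        return None
    n = int(str(value).strip())
    if not -2**31 <= n <= 2**31 - 1:
        raise ValueError("not a signed 32-bit integer: %r" % (value,))
    # Reinterpret the two's-complement value as an unsigned 32-bit number.
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


def ipv4_to_ad_int(addr):
    """Inverse: the signed 32-bit integer AD would hold for this address."""
    n = int(ipaddress.IPv4Address(addr))
    return n - 2**32 if n >= 2**31 else n


def ipv4_to_binary(addr):
    """Dotted binary form of the address, one 8-bit group per octet."""
    packed = ipaddress.IPv4Address(addr).packed
    return ".".join(format(octet, "08b") for octet in packed)


if __name__ == "__main__":
    # Constructed check using the value quoted in the reply above.
    print(ad_int_to_ipv4("-1408237467"))   # 172.16.0.101
    print(ipv4_to_ad_int("172.16.0.101"))  # -1408237467
    print(ipv4_to_binary("172.16.0.101"))  # 10101100.00010000.00000000.01100101
```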

Great answer and very helpful (as always, Arne)!!

Side question:

Any idea if this is working for IPv6 as well?

Framed-IPv6-Prefix = AD:msRADIUS-FramedIpv6Prefix

Hi Johannes

Short answer: not tried it yet. I did my last test in my lab with Server 2012 and used FreeRADIUS to make the RADIUS call to ISE. Do you have a lab facility? If not then I can give it a go, but the response might be slow.

Cheers

Hi Arne,

To be honest - I tested it already (I have a full lab).

However, I didn't manage to get it to work. I thought, because you are already kinda familiar with this overall topic (in combination with IPv4), I'd give it a shot here :)

Bottom line is that the RADIUS attributes Framed-IPv6-Address and Framed-IPv6-Prefix require a data type of IPV6ADDR or IPV6PREFIX if "dynamically" used.

 

IPv6-relevant AD attributes (e.g. msRADIUS-FramedIpv6Prefix) cannot be tagged with this data type in the external identity store (AD) configuration.

 

See here also:

https://community.cisco.com/t5/identity-services-engine-ise/ise-remote-access-vpn-asa-and-static-ipv6-address-assignment-via/m-p/3891871

 

Thanks anyway. Like I said, I just thought I'd give it a shot here :D

Arne Bier
VIP

This can be done as follows.

Assuming you have the user's IP address in the user's Dial-In (Static IPv4 Address) configured - I configured 172.16.0.101 for example.

Then you need to go to External Identities and retrieve this Attribute from AD:

(screenshot: radius2.png)

 

ISE will complain because it initially imports it as a STRING and then warns you to please change Type to IP.

 

Once you have that, you can amend your Authorization Result as follows:

(screenshot: radius.PNG)

 

In my case I got an Access-Accept of

 

Result
User-Name     abier@MEGA.local
Framed-IP-Address     172.16.0.101
State     ReauthSession:c0a815646JpxUXOs9_T9I0Op/E9lJ0LtJt7RJmXe66wGCbfQbec
Class     CACS:c0a815646JpxUXOs9_T9I0Op/E9lJ0LtJt7RJmXe66wGCbfQbec:ise01/293854661/105
Tunnel-Type     (tag=1) VLAN
Tunnel-Medium-Type     (tag=1) 802
Tunnel-Private-Group-ID     (tag=1) 100
MS-MPPE-Send-Key     ****
MS-MPPE-Recv-Key     ****
LicenseTypes     Base license consumed

You may wonder why I replied twice to the original question. It's because the forum system lost my original response. It was suddenly gone (even when logging in via two other separate PCs and browsers)!!! No idea why. So you have my original (lost) reply and the follow-up. The technical answer is the same in both replies.