09-14-2017 01:29 AM - edited 02-21-2020 10:34 AM
Cisco ISE; Apply attributes, IP Address, to authenticated user
I am migrating user authentication policies off of the existing RADIUS NPS server.
On the RADIUS NPS server the user authenticates and receives an IP address.
I want to set Cisco ISE to pull the attribute from the user's Active Directory account, where the IP address is located, and apply this to the user's PPP connection.
I have Cisco ISE and Active Directory working.
My biggest problem is how to apply the IP address to the client through the Cisco ISE policy that I am setting up.
Attached is a picture of the policy from the old RADIUS server and how it applied the IP address to PPP connections.
Any help is greatly appreciated.
Cheers.
09-14-2017 04:19 PM - edited 09-14-2017 04:51 PM
I just took a quick stab at this. I configured a static IP address for my AD user in the user's Dial-In tab, under "Assign Static IP address".
In ISE 2.2 I can retrieve that AD attribute from the External Identities Attributes menu option as a signed integer value :-(
e.g. I configured an IPv4 address of 172.16.0.101 and ISE retrieves a STRING of -1408237467 (which is not a great way to present IP addresses). It is a signed integer representation of the IPv4's 32-bit value.
10101100.00010000.00000000.01100101
During the addition of the AD attribute msRADIUSFramedIPAddress ISE will complain when you click the Save button - it notices that it's an IP address and asks you to change the type from STRING to IP.
Then you need to create a new Authorization Policy
Result
User-Name abier@MEGA.local
Framed-IP-Address 172.16.0.101
State ReauthSession:c0a815646JpxUXOs9_T9I0Op/E9lJ0LtJt7RJmXe66wGCbfQbec
Class CACS:c0a815646JpxUXOs9_T9I0Op/E9lJ0LtJt7RJmXe66wGCbfQbec:ise01/293854661/105
Tunnel-Type (tag=1) VLAN
Tunnel-Medium-Type (tag=1) 802
Tunnel-Private-Group-ID (tag=1) 100
MS-MPPE-Send-Key ****
MS-MPPE-Recv-Key ****
LicenseTypes Base license consumed
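An added example, not part of this post and not Cisco or ISE code, showing the conversion behind the "-1408237467" value above: AD stores msRADIUSFramedIPAddress as a signed 32-bit integer, so any address whose first octet is 128 or higher reads back negative. The functions convert in both directions and compare the AD value with the Framed-IP-Address in an Access-Accept, which is a handy pre-cutover check when migrating users off NPS; the function names and the sample Access-Accept dict are my own assumptions.

```python
import ipaddress
import struct

# Active Directory holds msRADIUSFramedIPAddress as a 32-bit signed integer,
# which ISE first imports as a STRING such as "-1408237467". The high bit of
# the address doubles as the two's-complement sign bit, so 172.16.0.101
# (0xAC100065) comes back negative while 10.0.0.1 comes back positive.

def ad_value_to_ipv4(value) -> str:
    """Convert the signed-integer AD attribute (int or its string form) to a dotted quad."""
    raw = int(value)
    if not -2**31 <= raw < 2**31:
        raise ValueError(f"{raw} is not a 32-bit signed value")
    # Pack as big-endian signed int, then reinterpret the same 4 bytes as an address.
    return str(ipaddress.IPv4Address(struct.pack("!i", raw)))

def ipv4_to_ad_value(ip: str) -> int:
    """Reverse direction: dotted quad -> the signed 32-bit integer AD expects."""
    packed = ipaddress.IPv4Address(ip).packed
    return struct.unpack("!i", packed)[0]

def check_framed_ip(ad_value, access_accept: dict) -> bool:
    """True when the Framed-IP-Address ISE returned matches the user's AD attribute."""
    return access_accept.get("Framed-IP-Address") == ad_value_to_ipv4(ad_value)

# Constructed sample: the value quoted in the thread plus the relevant
# attributes of the Access-Accept shown above (dict layout is an assumption).
SAMPLE_AD_VALUE = "-1408237467"
SAMPLE_ACCEPT = {"User-Name": "abier@MEGA.local", "Framed-IP-Address": "172.16.0.101"}

if __name__ == "__main__":
    print(ad_value_to_ipv4(SAMPLE_AD_VALUE))          # 172.16.0.101
    print(ipv4_to_ad_value("172.16.0.101"))           # -1408237467
    print(check_framed_ip(SAMPLE_AD_VALUE, SAMPLE_ACCEPT))  # True
```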
09-14-2017 05:05 PM
This can be done as follows.
Assuming you have the user's IP address in the user's Dial-In (Static IPv4 Address) configured - I configured 172.16.0.101 for example.
Then you need to go to External Identities and retrieve this Attribute from AD
ISE will complain because it initially imports it as a STRING and then warns you to please change Type to IP.
Once you have that, you can amend your Authorization Result as follows
In my case I got an Access-Accept of
Result
User-Name abier@MEGA.local
Framed-IP-Address 172.16.0.101
State ReauthSession:c0a815646JpxUXOs9_T9I0Op/E9lJ0LtJt7RJmXe66wGCbfQbec
Class CACS:c0a815646JpxUXOs9_T9I0Op/E9lJ0LtJt7RJmXe66wGCbfQbec:ise01/293854661/105
Tunnel-Type (tag=1) VLAN
Tunnel-Medium-Type (tag=1) 802
Tunnel-Private-Group-ID (tag=1) 100
MS-MPPE-Send-Key ****
MS-MPPE-Recv-Key ****
LicenseTypes Base license consumed
07-17-2019 03:50 AM
Great answer and very helpful (as always, Arne)!!
Side question:
Any idea if this is working for IPv6 as well?
Framed-IPv6-Prefix = AD:msRADIUS-FramedIpv6Prefix
07-17-2019 01:11 PM
07-17-2019 10:39 PM
Hi Arne,
to be honest - I tested it already (have a full lab).
However I didn't manage to get it to work. I thought, because you are already kinda familiar with this overall topic (in combination with IPv4), I'd give it a shot here :)
Bottom line is that the RADIUS attributes Framed-IPv6-Address and Framed-IPv6-Prefix require a data type of IPV6ADDR or IPV6PREFIX if "dynamically" used.
IPv6 relevant AD attributes (e.g. msRADIUS-FramedIpv6Prefix) cannot be tagged with this datatype in the external identity store (AD) configuration.
see here also:
Thanks anyway. Like I said, I just thought I'd give it a shot here :D
09-14-2017 10:43 PM
You may wonder why I replied twice to the original question. It's because the forum system lost my original response. It was suddenly gone (even when logging in via two other separate PCs and browsers)!!! No idea why. So you have my original (lost) reply and the follow-up. The technical answer is the same in both replies.