
assign static IP address to VPN session by ISE 2.7.x

Andriy Sidko
Level 1

Hi guys.

I have ACS migrated to ISE 2.7.0.356. Everything works correctly.
Now I'm trying to set up ISE to assign a static IP to the VPN session whenever a particular user connects (this was working well on the EOL ACS).

I've done following steps @ISE:

- policy - results - authorization - authorization profiles
- create new policy - "Permit Access - STATIC IP RA VPN" - type - ACCEPT - Access Type = ACCESS_ACCEPT, Framed-IP-Address = Radius:Framed-IP-Address
- administration - groups - user identity groups
- create new group "STATIC IP RA VPN group" - description "group for client who need IP assigned by AAA"
- assign user ID who needs static IP assigned (my VPN ID for test) to group "STATIC IP RA VPN group"
- administration - identity management - settings - new (+) - Attribute name "StaticIP" - description "static IP assigned by AAA" - type - IP - save
- administration - identity - "my VPN ID" double check that "STATIC IP RA VPN group" is topgroup from "user groups"
- setup desired IP for user's (my account) session.

Finally, whenever the session connects I see the RA VPN up and running, but I get an IP from the DHCP pool and not the static one I assigned to my ISE account.

Could you suggest what could be wrong?

Thank you.


Curious, any reason for giving static IP addresses? I have not come across this setup, AnyConnect with static IP addresses. What is the reason behind this?

Please do not forget to rate.

We have a couple of teleworkers who terminate RA VPN at the office FW and access another company's resources via L2L VPN.

So in this case the RA VPN IP has to be static for that group, as per those IPs in the crypto ACL for the L2L VPNs.

Funny thing is, it was working like a charm with ACS 5.x, but I lost this ability as soon as we migrated from ACS to ISE.

Do you have any idea what is wrong? (See my first post above.)

Hi,

I have this actively working. Check here to ensure you made the correct steps:

https://community.cisco.com/t5/network-access-control/per-user-ip-address-assignment-on-ise/td-p/3491906

Regards,

Cristian Matei.

Hi Cristian.

I've set this up (below & attached):

++++++

Access Type = ACCESS_ACCEPT
Framed-IP-Address = staticIP

++++++

but I'm still getting an IP from the external DHCP server pool rather than the IP assigned to the particular user.

Could you show me your config?

Thank you.

Hi,

Can you remove the DHCP pool configuration to see if it works, so leave only AAA, though AAA should take precedence? Can you post the relevant VPN config and also the output of "debug radius"? Can you also look in ISE, once the VPN is established, at what values have actually been pushed as part of the authorization to the session? We need to see if ISE fails to push it, or the ASA fails to take action.

Regards,

Cristian Matei.
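
Added example, not part of the thread or any poster's code: one way to answer the "ISE fails to push it, or ASA fails to take action" question is to decode the RADIUS reply captured between ISE and the ASA and check for Framed-IP-Address (RFC 2865 attribute 8). The function names, the sample packets and the address 10.10.10.50 are constructed for illustration; the response authenticator is not verified.

```python
import ipaddress
import struct

ACCESS_ACCEPT = 2        # RFC 2865 packet code
FRAMED_IP_ADDRESS = 8    # RFC 2865 attribute type
# RFC 2865 reserved values: the server is not assigning a specific address.
RESERVED = {"255.255.255.255": "user negotiates the address",
            "255.255.255.254": "NAS picks the address from its own pool"}


def parse_attributes(packet: bytes) -> list:
    """Return (type, value) pairs from one RADIUS packet, validating lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length > len(packet):
        raise ValueError("header length does not match the captured bytes")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length on attribute type {a_type}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def diagnose(packet: bytes) -> str:
    """Say which side to look at, given the reply ISE sent to the ASA."""
    attrs = parse_attributes(packet)
    if packet[0] != ACCESS_ACCEPT:
        return "not an Access-Accept"
    for a_type, value in attrs:
        if a_type == FRAMED_IP_ADDRESS and len(value) == 4:
            ip = str(ipaddress.IPv4Address(value))
            if ip in RESERVED:
                return f"ISE sent reserved value {ip}: {RESERVED[ip]}"
            return f"ISE pushed {ip}: check why the ASA did not apply it"
    return "no Framed-IP-Address in the reply: check the ISE authorization profile"


def build(code: int, attrs: list) -> bytes:
    """Constructed sample packet (zeroed authenticator), not a real capture."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


WITH_IP = build(2, [(25, b"constructed-class"), (8, bytes([10, 10, 10, 50]))])
WITHOUT_IP = build(2, [(25, b"constructed-class")])
```
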
