I have ACS migrated to ISE 22.214.171.1246. Everything works correctly.
Now I'm trying to set up ISE to assign a static IP to the VPN session whenever a particular user connects (this was working well on the EOL ACS).
I've done the following steps in ISE:
- policy - results - authorization - authorization profiles
- create new policy - "Permit Access - STATIC IP RA VPN" - type - ACCEPT - Access Type = ACCESS_ACCEPT, Framed-IP-Address = Radius:Framed-IP-Address
- administration - groups - user identity groups
- create new group "STATIC IP RA VPN group" - description "group for client who need IP assigned by AAA"
- assign user ID who needs static IP assigned (my VPN ID for test) to group "STATIC IP RA VPN group"
- administration - identity management - settings - new (+) - Attribute name "StaticIP" - description "static IP assigned by AAA" - type - IP - save
- administration - identity - "my VPN ID" double check that "STATIC IP RA VPN group" is topgroup from "user groups"
- setup desired IP for user's (my account) session.
Finally, whenever the session connects I see the RA VPN up and running, but I get an IP from the DHCP pool and not the static one I assigned to my ISE account.
Could you suggest what could be wrong?
Curious, any reason for giving static IP addresses? I have not come across this setup, AnyConnect with static IP addresses. What is the reason behind this?
We have a couple of teleworkers who terminate RA VPN at the office FW and access another company resources via l2l VPN.
So in this case the RA VPN IP has to be static for that group, as per those IPs in the crypto ACL for l2l VPNs.
Funny thing, it was working like a charm with ACS5.x but I lost this ability as soon as we migrated from ACS to
Do you have any idea what is wrong? (see my first post above)
I have this actively working. Check here to ensure you made the correct steps:
Can you remove the DHCP pool configuration to see if it works, so leave only AAA, though AAA should take precedence? Can you post the relevant VPN config and also the output of "debug radius"? Can you also look in ISE, once the VPN is established, at what values have actually been pushed as part of the authorization to the session? We need to see if ISE fails to push it, or ASA fails to take action.