FTD/ISE - Unable to assign address pool

Josh Morris
Level 3

I am using ISE 3.0 with FTD 6.7. I can successfully assign a DACL and Banner using ISE, but having issues getting an address pool dynamically assigned. 

 

ISE Attribute:

Access Type = ACCESS_ACCEPT
DACL = TEST_DACL
CVPN3000/ASA/PIX7x-Address-Pools = ENTPOOL
CVPN3000/ASA/PIX7x-Simultaneous-Logins = 2
CVPN3000/ASA/PIX7x-IPSec-Banner1 = Hello There!

 

I have an address pool assigned in the FTD connection profile, and all the boxes are checked in the Address Assignment Policy. The ENTPOOL I'm referencing in the ISE policy is also a Network Object. I have tried to make that object a host, range, and network. I am trying to test with a /31 or /32. 

 

I am not sure how to determine if that address-pool attribute is being assigned but ignored, or not even making it to the FTD.

 

 

5 Replies

@Josh Morris 

The address pool has been deployed on the FTD right? Check the CLI to confirm.

 

You could also try the attribute cisco-av-pair = ipsec:addr-pool=ENTPOOL

 

You should be able to debug radius on the FTD to confirm if the attributes are received from ISE.

Thanks @Rob Ingram 

 

The dynamic address is in the FTD as a network object (as specified by the deployment guide).

 

object network ENTPOOL
host 10.244.120.6

 

A debug showed that originally, the attribute was making it through from ISE to the FTD:

Jul 06 2021 18:56:16: %FTD-7-734003: DAP: User username, Addr 73.252.90.7: Session Attribute aaa.radius["1"]["1"] = username
Jul 06 2021 18:56:16: %FTD-7-734003: DAP: User username, Addr 73.252.90.7: Session Attribute aaa.radius["25"]["1"] = CACS:0af401150bdca00060e4a750:ise-psn-2/414581441/87744
Jul 06 2021 18:56:16: %FTD-7-734003: DAP: User username, Addr 73.252.90.7: Session Attribute aaa.radius["8218"]["1"] = 
Jul 06 2021 18:56:16: %FTD-7-734003: DAP: User username, Addr 73.252.90.7: Session Attribute aaa.radius["4098"]["1"] = 2
Jul 06 2021 18:56:16: %FTD-7-734003: DAP: User username, Addr 73.252.90.7: Session Attribute aaa.radius["4111"]["1"] = Hello There!
Jul 06 2021 18:56:16: %FTD-7-734003: DAP: User username, Addr 73.252.90.7: Session Attribute aaa.radius["4313"]["1"] = ENTPOOL
Jul 06 2021 18:56:16: %FTD-7-734003: DAP: User username, Addr 73.252.90.7: Session Attribute aaa.cisco.grouppolicy = TEMP_TEST

I did try removing the Address-Pool 215 option and adding it as a cisco-av-pair as you mentioned. This caused it to not show up at all in the debug. 

Jul 06 2021 19:11:07: %FTD-7-734003: DAP: User username, Addr 73.252.90.7: Session Attribute aaa.radius["1"]["1"] = username
Jul 06 2021 19:11:07: %FTD-7-734003: DAP: User username, Addr 73.252.90.7: Session Attribute aaa.radius["25"]["1"] = CACS:0af401150bddc00060e4aacb:ise-psn-2/414581441/87931
Jul 06 2021 19:11:07: %FTD-7-734003: DAP: User username, Addr 73.252.90.7: Session Attribute aaa.radius["8218"]["1"] = 
Jul 06 2021 19:11:07: %FTD-7-734003: DAP: User username, Addr 73.252.90.7: Session Attribute aaa.radius["4098"]["1"] = 2
Jul 06 2021 19:11:07: %FTD-7-734003: DAP: User username, Addr 73.252.90.7: Session Attribute aaa.radius["4111"]["1"] = Hello There!
Jul 06 2021 19:11:07: %FTD-7-734003: DAP: User username, Addr 73.252.90.7: Session Attribute aaa.cisco.grouppolicy = TEMP_TEST

According to Table 2 in this guide, there are only a handful of inbound attributes supported.

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/firepower_threat_defense_remote_access_vpns.html
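To separate "attribute received but ignored" from "attribute never reached the FTD", the DAP debug output above can be checked by script instead of by eye. This is an added example, not code from anyone in the thread; it assumes (inferred from the captures above, where Address-Pools 217 shows up as aaa.radius["4313"], Simultaneous-Logins 2 as ["4098"] and the banner as ["4111"]) that the numeric key is 4096 plus the Cisco VPN3000/ASA attribute number, and uses constructed sample lines shortened from the two captures.

```python
import re

# Inferred from the captures in the thread: aaa.radius["NNNN"] keys for the
# Cisco VPN3000/ASA VSAs are 4096 + the attribute number from the FMC guide.
VSA_BASE = 4096

# Attribute numbers to look for. Address-Pools = 217 comes from the guide's table
# quoted in the thread; 2 and 15 are the Cisco VSA ids for Simultaneous-Logins
# and IPSec-Banner1 (consistent with 4098 and 4111 in the captures).
EXPECTED = {
    "Address-Pools": 217,
    "Simultaneous-Logins": 2,
    "IPSec-Banner1": 15,
}

# Matches the 'Session Attribute aaa.radius["<id>"]["<n>"] = <value>' part of a
# %FTD-7-734003 DAP line; aaa.cisco.* lines are deliberately not matched.
ATTR_RE = re.compile(r'Session Attribute aaa\.radius\["(\d+)"\]\["\d+"\] = (.*)$')


def parse_dap_attrs(lines):
    """Return {numeric_key: value} for every aaa.radius attribute in the debug."""
    attrs = {}
    for line in lines:
        m = ATTR_RE.search(line)
        if m:
            attrs[int(m.group(1))] = m.group(2).strip()
    return attrs


def check_expected(lines, expected=EXPECTED):
    """Map each expected attribute name to its received value, or None if absent."""
    attrs = parse_dap_attrs(lines)
    return {name: attrs.get(VSA_BASE + num) for name, num in expected.items()}


# Constructed sample: the two captures from the thread, reduced to the VSA lines.
PREFIX = "Jul 06 2021 18:56:16: %FTD-7-734003: DAP: User username, Addr 73.252.90.7: "
FIRST_CAPTURE = [
    PREFIX + 'Session Attribute aaa.radius["4098"]["1"] = 2',
    PREFIX + 'Session Attribute aaa.radius["4111"]["1"] = Hello There!',
    PREFIX + 'Session Attribute aaa.radius["4313"]["1"] = ENTPOOL',
    PREFIX + "Session Attribute aaa.cisco.grouppolicy = TEMP_TEST",
]
# Second capture (cisco-av-pair variant): the Address-Pools line is gone.
SECOND_CAPTURE = [l for l in FIRST_CAPTURE if '"4313"' not in l]

if __name__ == "__main__":
    for label, cap in (("Address-Pools VSA", FIRST_CAPTURE), ("cisco-av-pair", SECOND_CAPTURE)):
        result = check_expected(cap)
        missing = [k for k, v in result.items() if v is None]
        print(f"{label}: {result} | not received: {missing or 'none'}")
```

If an attribute shows up here with the right value, the problem is on the FTD side (object not deployed, or attribute unsupported); if it is missing, the fix belongs on the ISE authorization profile.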

 

@Josh Morris 

Please provide the link to what you are referring to.

 

Create an IP Address Pool with a single /32 host rather than a network object. Or use the MS Framed Radius attribute and push down the IP address from ISE if you wish to assign a single IP address per user.

The guide is listed here in Table 2. RADIUS Attributes Sent to Firepower Threat Defense. This is why I am using a network object as opposed to an address pool. 

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/firepower_threat_defense_remote_access_vpns.html 

 

Attribute: Address-Pools | Number: 217 | Syntax: String | Single/Multi: Single

Description: The name of a network object defined on the FTD device that identifies a subnet, which will be used as the address pool for clients connecting to the RA VPN. Define the network object on the Objects page.

 

FYI, I also did try referencing a named Address Pool present on the FTD with no luck. I also tried making the network object a /31 instead of a host with no luck.

I have been working with TAC and got the solution. Using the network object would not work since that object would only be pushed from FMC to FTD if used in a policy. So there are two ways to do it. 1) Create a dummy group policy with that object as the address pool, or assign the address pool to the default group policy. 2) Create a group policy with a different address pool for each desired purpose and use ISE to assign a different group policy instead of the address pool. TAC said #2 is the method most customers use. So I went with this and it works now as expected.