Lab Minutes Forum

Technical Discussion => Security => Topic started by: alx on February 14, 2014, 06:02:30 AM

Title: ISE: per user static ip address
Post by: alx on February 14, 2014, 06:02:30 AM
Hi Forum,

I want to migrate from ACS to ISE but figured out that there are no per-user attributes like Framed-IP-Address on ISE. I know this is possible through Authorization but this is a bit uncomfortable...

Any ideas?

BR
alx
Title: Re: ISE: per user static ip address
Post by: MC on February 14, 2014, 07:31:36 AM
Hi, welcome to the forum. You can create a custom user attribute type IP and use that to assign an IP to each user. Here is the video.

http://www.labminutes.com/sec0097_acs_directory_user_custom_attribute
Title: Re: ISE: per user static ip address
Post by: alx on February 14, 2014, 07:41:25 AM
Hi MC, thanks for your reply, but this is for ACS and not ISE ;-)
Title: Re: ISE: per user static ip address
Post by: MC on February 14, 2014, 08:30:11 AM
My bad. It's early morning on Valentine's day. :-) The idea is the same on ISE though.

1. Go to Identity Management > Settings to create a user custom attribute
2. Under the Authorization profile, Advanced Attribute Settings, you can select the attribute you created for RADIUS Framed-IP-Address.


 
Title: Re: ISE: per user static ip address
Post by: alx on February 14, 2014, 10:45:16 AM
Quote from MC: "My bad. It's early morning on Valentine's day. :-)"
No problem...

Okay, that's what I meant with "is possible through Authorization", and I have to configure an AuthZ policy for each user with a configured static IP address, like:

if username=alx then alx_static_ip_profile
if username=blx then blx_static_ip_profile
if username=clx then clx_static_ip_profile
...

With ACS4 you can configure the framed-ip value right in the user profile which would be processed after each successful login.
As I see, with ACS 5 you were able to define the custom attributes (5:15 in the mentioned video) and you were able to define attributes with ISE as well, but not with type=ip address :-(
Title: Re: ISE: per user static ip address
Post by: MC on February 14, 2014, 01:06:06 PM
I don't think you need a per-user auth policy. Try to create a custom attribute of type string, configure the IP for each local user, and then come up with an authorization profile that assigns that custom attribute to the RADIUS Framed-IP-Address.
Title: Re: ISE: per user static ip address
Post by: alx on February 14, 2014, 01:31:09 PM
I'll give it a try and keep you informed. But not today (UTC+1 Timezone ;-) )
Title: Re: ISE: per user static ip address
Post by: alx on February 20, 2014, 07:32:12 AM
Unfortunately Fail... after assigning the per-user attribute the ISE says:

Unable to create Authorization Profile(VPNFixedIP) : Datatypes are mismatching for Radius:Framed-IP-Address(IPV4) and InternalUser:VPN_FixedIP(STRING)

And there is no Datatype IPV4 in user custom attributes.
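
Added example, not part of the thread and not Cisco code: the error above comes from Framed-IP-Address being a typed 4-octet IPv4 value (RADIUS attribute 8, RFC 2865) while the custom attribute is free text. If per-user addresses are kept as strings anywhere, they can be checked like this before they reach the RADIUS reply; the user table, the pool `10.20.30.0/24` and the function names are assumptions made up for the illustration.

```python
import ipaddress
import struct

FRAMED_IP_ADDRESS = 8  # RADIUS attribute type (RFC 2865, section 5.8)
# Values with special meaning to the NAS; not usable as a fixed per-user address.
RESERVED = {0xFFFFFFFF: "user may select address", 0xFFFFFFFE: "NAS selects address"}

def encode_framed_ip(text):
    """Turn a string-typed value into the 6-byte Framed-IP-Address AVP."""
    addr = ipaddress.IPv4Address(text.strip())  # raises ValueError on non-IPv4
    if int(addr) in RESERVED:
        raise ValueError(f"{addr} is reserved: {RESERVED[int(addr)]}")
    # type (1 octet), length (1 octet, always 6), value (4 octets, network order)
    return struct.pack("!BB4s", FRAMED_IP_ADDRESS, 6, addr.packed)

def audit_static_ips(users, pool):
    """Check a username -> string map; return (avps, problems)."""
    net = ipaddress.IPv4Network(pool)
    avps, problems, seen = {}, [], {}
    for user, text in users.items():
        try:
            avp = encode_framed_ip(text)
        except ValueError as exc:
            problems.append((user, str(exc)))
            continue
        addr = ipaddress.IPv4Address(avp[2:])
        if addr not in net:
            problems.append((user, f"{addr} is outside {net}"))
        elif addr in seen:
            problems.append((user, f"{addr} already assigned to {seen[addr]}"))
        else:
            seen[addr] = user
            avps[user] = avp
    return avps, problems

# Constructed sample data for this example; names and addresses are hypothetical.
SAMPLE_USERS = {
    "alx": "10.20.30.11",
    "blx": "10.20.30.11",       # duplicate of alx
    "clx": "10.20.30.300",      # not a valid IPv4 address
    "dlx": "255.255.255.254",   # reserved value
    "elx": "192.168.1.5",       # valid, but outside the VPN pool
}

if __name__ == "__main__":
    avps, problems = audit_static_ips(SAMPLE_USERS, "10.20.30.0/24")
    for user, avp in avps.items():
        print(user, avp.hex())
    for user, why in problems:
        print("REJECT", user, why)
```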
Title: Re: ISE: per user static ip address
Post by: MC on February 20, 2014, 04:52:21 PM
That's too bad. Have you tried any other data type to see if it potentially works? If not, I hope Cisco will add that at some point.
Title: Re: ISE: per user static ip address
Post by: moritezaa on August 20, 2018, 06:17:03 AM
Hi everyone,
How can we force the client to use your assigned IP address on ISE 2.2?
Title: Re: ISE: per user static ip address
Post by: MC on September 04, 2018, 08:20:52 PM
You can use the Framed-IP-Address RADIUS attribute to assign an IP to a user. That can be statically assigned or fetched from another database like AD.