collapse

Search


User Info

 
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Author Topic: ISE: per user static ip address  (Read 5416 times)

Offline alx

  • Cisco Newbie
  • *
  • Posts: 5
  • Reputation: 0
    • View Profile
  • Certification: N/A
ISE: per user static ip address
« on: February 14, 2014, 06:02:30 AM »
Hi Forum,

I want to migrate from ACS to ISE but figured out that there are no per-user attributes like Framed-IP-Address on ISE. I know this is possible through Authorization but this is a bit uncomfortable...

Any ideas?

BR
alx

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 379
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
    • View Profile
  • Certification: CCIE
Re: ISE: per user static ip address
« Reply #1 on: February 14, 2014, 07:31:36 AM »
Hi Welcome to the forum, You can create a custom user attribute type IP and use that to assign an IP to each user. Here is the video.

You are not allowed to view links. Register or Login

Offline alx

  • Cisco Newbie
  • *
  • Posts: 5
  • Reputation: 0
    • View Profile
  • Certification: N/A
Re: ISE: per user static ip address
« Reply #2 on: February 14, 2014, 07:41:25 AM »
Hi MC, thanks for your reply, but this is for ACS and not ISE ;-)

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 379
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
    • View Profile
  • Certification: CCIE
Re: ISE: per user static ip address
« Reply #3 on: February 14, 2014, 08:30:11 AM »
My bad. It's early morning on Valentine's day. :-) The idea is the same on  ISE though.

1. Go to Identity Management > Settings to create a user custom attribute
2. Under the Authorization profile, Advanced Attribute Settings, you can select the attribute you created for RADIUS Framed-IP-Address.


 

Offline alx

  • Cisco Newbie
  • *
  • Posts: 5
  • Reputation: 0
    • View Profile
  • Certification: N/A
Re: ISE: per user static ip address
« Reply #4 on: February 14, 2014, 10:45:16 AM »
You are not allowed to view links. Register or Login
My bad. It's early morning on Valentine's day. :-)
No Problem...

Okay thats what I meant with "is possible through Authorization" and I have to configure a AuthZ Policy for each user with configured static ip address like:

if username=alx then alx_static_ip_profile
if username=blx then blx_static_ip_profile
if username=clx then clx_static_ip_profile
...

With ACS4 you can configure the framed-ip value right in the user profile which would be processed after each successful login.
As I see with ACS 5 you were able to define the custom attributes (5:15 in the mentioned Video) and you were able to define attributes with ISE aswell, but not with type=ip address :-(

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 379
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
    • View Profile
  • Certification: CCIE
Re: ISE: per user static ip address
« Reply #5 on: February 14, 2014, 01:06:06 PM »
I don't think you need per-user auth policy. Try to create a custom attribute type string, configure the IP for each local user, and then come up with an authorization profile that assign at custom attribute to the RADIUS Framed-IP-Address.

Offline alx

  • Cisco Newbie
  • *
  • Posts: 5
  • Reputation: 0
    • View Profile
  • Certification: N/A
Re: ISE: per user static ip address
« Reply #6 on: February 14, 2014, 01:31:09 PM »
I'll give it a try and keep you informed. But not today (UTC+1 Timezone ;-) )

Offline alx

  • Cisco Newbie
  • *
  • Posts: 5
  • Reputation: 0
    • View Profile
  • Certification: N/A
Re: ISE: per user static ip address
« Reply #7 on: February 20, 2014, 07:32:12 AM »
Unfortunately Fail... after assigning the per-user attribute the ISE says:

Unable to create Authorization Profile(VPNFixedIP) : Datatypes are mismatching for Radius:Framed-IP-Address(IPV4) and InternalUser:VPN_FixedIP(STRING)

And there is no Datatype IPV4 in user custom attributes.

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 379
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
    • View Profile
  • Certification: CCIE
Re: ISE: per user static ip address
« Reply #8 on: February 20, 2014, 04:52:21 PM »
That' too bad. Have you tried any other data type and see if it potentially works? If not, I hope Cisco will add that at some point.

Offline moritezaa

  • Cisco Newbie
  • *
  • Posts: 1
  • Reputation: 0
    • View Profile
  • Certification: N/A
Re: ISE: per user static ip address
« Reply #9 on: August 20, 2018, 06:17:03 AM »
Hi everyone
how we can force client to use your assigned ip address on ISE 2.2?

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 379
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
    • View Profile
  • Certification: CCIE
Re: ISE: per user static ip address
« Reply #10 on: September 04, 2018, 08:20:52 PM »
You can use Frame-IP-Address RADIUS attribute to assign IP to user. That can be statically assigned or fetched from another database like AD.

 

Related Topics

  Subject / Started by Replies Last post
2 Replies
2452 Views
Last post November 22, 2013, 01:09:20 PM
by MC
5 Replies
4390 Views
Last post April 29, 2014, 03:44:26 PM
by bhatsy
5 Replies
4714 Views
Last post June 19, 2015, 10:11:19 PM
by MC
2 Replies
1616 Views
Last post May 31, 2016, 03:49:48 AM
by czekon26
3 Replies
1699 Views
Last post December 26, 2016, 09:22:24 PM
by MC

SimplePortal 2.3.5 © 2008-2012, SimplePortal