Lab Minutes Forum
Technical Discussion => Security => Topic started by: alx on February 14, 2014, 06:02:30 AM
-
Hi Forum,
I want to migrate from ACS to ISE but figured out that there are no per-user attributes like Framed-IP-Address on ISE. I know this is possible through Authorization but this is a bit uncomfortable...
Any ideas?
BR
alx
-
Hi, welcome to the forum. You can create a custom user attribute of type IP and use that to assign an IP to each user. Here is the video.
http://www.labminutes.com/sec0097_acs_directory_user_custom_attribute
-
Hi MC, thanks for your reply, but this is for ACS and not ISE ;-)
-
My bad. It's early morning on Valentine's day. :-) The idea is the same on ISE though.
1. Go to Identity Management > Settings to create a user custom attribute
2. Under the Authorization profile, Advanced Attribute Settings, you can select the attribute you created for RADIUS Framed-IP-Address.
-
"My bad. It's early morning on Valentine's day. :-)"
No Problem...
Okay, that's what I meant with "is possible through Authorization", and I have to configure an AuthZ policy for each user with a configured static IP address, like:
if username=alx then alx_static_ip_profile
if username=blx then blx_static_ip_profile
if username=clx then clx_static_ip_profile
...
With ACS4 you can configure the framed-ip value right in the user profile which would be processed after each successful login.
As I see, with ACS 5 you were able to define the custom attributes (5:15 in the mentioned video) and you were able to define attributes with ISE as well, but not with type=ip address :-(
-
I don't think you need a per-user auth policy. Try to create a custom attribute of type string, configure the IP for each local user, and then come up with an authorization profile that assigns that custom attribute to the RADIUS Framed-IP-Address.
-
I'll give it a try and keep you informed. But not today (UTC+1 Timezone ;-) )
-
Unfortunately Fail... after assigning the per-user attribute the ISE says:
Unable to create Authorization Profile(VPNFixedIP) : Datatypes are mismatching for Radius:Framed-IP-Address(IPV4) and InternalUser:VPN_FixedIP(STRING)
And there is no Datatype IPV4 in user custom attributes.
-
That's too bad. Have you tried any other data type to see if it potentially works? If not, I hope Cisco will add that at some point.
-
Hi everyone,
How can we force the client to use your assigned IP address on ISE 2.2?
-
You can use the Framed-IP-Address RADIUS attribute to assign an IP to the user. That can be statically assigned or fetched from another database like AD.
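
Added example, not part of the thread and not Cisco code: Framed-IP-Address is a four-octet address on the wire (RADIUS attribute type 8, RFC 2865), which is why a per-user value held as a string has to be validated before it can back that attribute. The sketch below audits per-user string values for a migration and builds the attribute bytes for the ones that pass. The user names follow the thread; the addresses and the VPN pool are constructed.

```python
import ipaddress
import struct

FRAMED_IP_ADDRESS = 8  # RADIUS attribute type, RFC 2865 section 5.8

# Constructed sample data: username -> value kept in a string-typed attribute.
SAMPLE_USERS = {
    "alx": "10.10.10.11",
    "blx": "10.10.10.12",
    "clx": "10.10.10.12",   # same address as blx
    "dlx": "10.10.10.300",  # not a valid IPv4 address
    "elx": "192.168.1.5",   # outside the assumed pool
}
VPN_POOL = ipaddress.ip_network("10.10.10.0/24")  # assumed VPN pool


def encode_framed_ip(value):
    """Return the 6-byte attribute (type, length, 4-octet address)."""
    addr = ipaddress.IPv4Address(value.strip())  # raises ValueError if invalid
    return struct.pack("!BB4s", FRAMED_IP_ADDRESS, 6, addr.packed)


def audit(users, pool):
    """Return (avps, problems): encodable users and per-user findings."""
    avps, problems, seen = {}, {}, {}
    for user, value in sorted(users.items()):
        try:
            avp = encode_framed_ip(value)
        except ValueError:
            problems[user] = "not an IPv4 address"
            continue
        addr = ipaddress.IPv4Address(avp[2:])  # decode the 4 value octets
        if addr not in pool:
            problems[user] = "outside pool"
        elif addr in seen:
            problems[user] = "duplicate of " + seen[addr]
        else:
            seen[addr] = user
            avps[user] = avp
    return avps, problems


if __name__ == "__main__":
    good, bad = audit(SAMPLE_USERS, VPN_POOL)
    for user, avp in good.items():
        print(user, avp.hex())
    for user, why in bad.items():
        print(user, "REJECTED:", why)
```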