Friday, September 7, 2018

ISE & Firepower RADIUS attribute 217

I have a remote-access VPN local pool problem. Here is the step-by-step of what should happen (I fail at step 7):

  1. RA VPN user uses AnyConnect and connects to the Firepower box
  2. User enters credentials
  3. Firepower sends an authentication request to ISE via RADIUS
  4. ISE checks the user against an AD group for authentication
  5. After successful authentication, an authorization profile is assigned
  6. Within the authorization profile, attribute 217 is set, which is the option to tell the Firepower box that clients should be assigned an IP address from a local IP pool on the Firepower box called "STAFFVPN". This is shown here: https://ibb.co/gu0n4e
  7. The results of steps 5 and 6 are sent back to the Firepower box, and an IP address from the pool named "STAFFVPN" should be assigned to the client.

I've got to step 7. On the Firepower box I am able to see that the correct attribute is being received from the ISE server via a packet capture, shown here: https://ibb.co/cRtFPe. The capture shows attribute 217, with the value "STAFFVPN", being returned to the Firepower device.

I can also show you the client connection profile IP pools here: https://ibb.co/jXYFPe

However, the pool is assigning the wrong IP. It's assigning an IP address from the "NOT-STAFF" IP address pool. Why?
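Editor's note: the attribute discussed above is the Cisco Vendor-Specific Attribute "Address-Pools" (RADIUS type 26, vendor ID 9, vendor type 217), whose string value names a local address pool on the ASA/FTD. The script below is an added example, not code from the post's author, Cisco or ISE. It does the two checks a practitioner wants when a capture "looks right": it decodes the Cisco VSAs out of an Access-Accept, so the pool name can be compared byte for byte with the configured pool, and it recomputes the RADIUS Response Authenticator so a reply that was altered or did not come from the server holding the shared secret is rejected. The packet, the shared secret and the Request Authenticator are all constructed inline for the demonstration and are not taken from the capture linked above.

```python
"""Decode Cisco VSAs (including Address-Pools, vendor type 217) from a
RADIUS Access-Accept and verify its Response Authenticator (RFC 2865).

Added example for this post; the packet, secret and Request Authenticator
below are constructed for illustration and are not from the real capture."""
import hashlib
import hmac
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_CLASS = 25
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_ADDRESS_POOLS = 217   # Cisco VSA "Address-Pools": name of a local IP pool


def build_cisco_vsa(vendor_type, value):
    """Encode one Cisco VSA in the RFC 2865 recommended vendor TLV layout:
    type(26) length vendor-id(4) vendor-type vendor-length value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_attribute(attr_type, value):
    """Encode a standard (non-vendor) RADIUS AVP."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Assemble an Access-Accept the way the RADIUS server does, with
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response_authenticator(packet, request_authenticator, secret):
    """True only if the reply is intact and was produced with this shared secret.
    The client must keep the Request Authenticator it sent in the Access-Request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, response_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def iter_attributes(blob):
    """Walk a run of type/length/value AVPs, rejecting truncated or zero-length ones.
    The same layout is used for the vendor TLVs inside a Vendor-Specific attribute."""
    offset = 0
    while offset < len(blob):
        if offset + 2 > len(blob):
            raise ValueError("truncated AVP header")
        attr_type, attr_len = blob[offset], blob[offset + 1]
        if attr_len < 2 or offset + attr_len > len(blob):
            raise ValueError("malformed AVP length")
        yield attr_type, blob[offset + 2:offset + attr_len]
        offset += attr_len


def cisco_vsas(packet):
    """Return [(vendor_type, value), ...] for every Cisco VSA in the packet."""
    found = []
    for attr_type, value in iter_attributes(packet[20:]):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        found.extend(iter_attributes(value[4:]))
    return found


def address_pools(packet):
    """Pool names carried in Address-Pools (217), exactly as the server sent them."""
    return [v.decode("ascii", "replace") for t, v in cisco_vsas(packet) if t == CISCO_ADDRESS_POOLS]


# Constructed inputs: hypothetical shared secret and Request Authenticator.
EXAMPLE_SECRET = b"ise-shared-secret"
EXAMPLE_REQUEST_AUTH = bytes(range(16))


def example_access_accept():
    """A constructed Access-Accept carrying Address-Pools=STAFFVPN plus a Class AVP."""
    attrs = build_cisco_vsa(CISCO_ADDRESS_POOLS, b"STAFFVPN") + build_attribute(ATTR_CLASS, b"constructed-class")
    return build_access_accept(7, EXAMPLE_REQUEST_AUTH, EXAMPLE_SECRET, attrs)


if __name__ == "__main__":
    pkt = example_access_accept()
    print("authenticator ok:", verify_response_authenticator(pkt, EXAMPLE_REQUEST_AUTH, EXAMPLE_SECRET))
    print("Address-Pools:", address_pools(pkt))
```

To use it against a real capture, copy the raw bytes of the UDP payload of the Access-Accept into `address_pools()`; if the decoded name differs from the configured pool in case, whitespace or a trailing byte, the device will not match it. Verifying the Response Authenticator needs the Request Authenticator from the matching Access-Request in the same capture and the shared secret configured for that ISE node.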
