VPN IP address assignment

Unanswered Question
Jan 31st, 2007

I'm currently using an ASA 5520 running 7.2 for my VPN. We have it configured to verify the machine certificate and then pass user authentication to a Microsoft IAS. It works fine, but everyone currently gets an IP from the same pool of addresses on my DHCP server.

If possible I would like to be able to separate certain Active Directory groups and have them be on different subnets.

Does anyone know how to configure IAS to do the address assignment, or is it possible with configuration on the ASA?

swharvey Thu, 02/01/2007 - 14:57

I don't know if/how your request can be done with a Microsoft IAS, but I have been able to successfully configure Cisco's ACS 4.0 RADIUS server to tie into Windows 2003 AD, and based on user group settings on the ACS server, authenticate and allocate DHCP addresses from different pools.

This provides us the flexibility to have a centralized Windows authentication method, and a corresponding DHCP pool for each of the equivalent AD groups that are set up on the RADIUS server.

Now if I could just get the ACS "Downloadable ACLs" to apply to authenticated users I'd be one happy Cisco user!

Hope this helps.


