ASA static ip address per user

Unanswered Question
Oct 6th, 2008

Need to know if there is a way to configure the following on the ASA.

We have 60 users who log in via VPN through the ASA and are authenticated via a RADIUS server.

So we need 60 users configured, each allocated a static IP address.

For example;

60 users - 60 static IP addresses

User 1 - 10.10.10.1

User 2 - 10.10.10.2

-

-

-

User 60 - 10.10.10.60

At present we can do this by creating an object-group per user, but this is not scalable; therefore, is there an efficient way of doing this?

sadbulali Fri, 10/10/2008 - 12:03

To use DHCP to assign addresses for VPN clients, you must first configure a DHCP server and the range of IP addresses that the DHCP server can use. Then you define the DHCP server on a tunnel group basis. Optionally, you can also define a DHCP network scope in the group policy associated with the tunnel group or username. This is either an IP network number or IP Address that identifies to the DHCP server which pool of IP addresses to use.

Refer to the URL below for more information on configuring IP addresses in ASA:

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/vpnadd.html#wp998941

Farrukh Haroon Sat, 10/11/2008 - 03:43

You can assign each user an IP address via the following:

> Locally for each user. (very hectic)

> Using AAA Server

> Using DHCP

Just make sure you set the appropriate option in the 'vpn-addr-assign' command.

Regards

Farrukh

husycisco Sun, 10/19/2008 - 06:23

Hello Nishit,

I encountered this in the past, and the best solution is installing IAS (Windows RADIUS) on a Domain Controller (if you want to grab user information from Active Directory), or on a standalone computer to grab user information locally from the computer. In the user's dial-in tab, activate static IP and assign the IP address to the user. Set the authentication-server-group in the related tunnel-group on the firewall.

Regards

patel.nishit Mon, 10/20/2008 - 03:34

Is this IAS free to download, or do we have to purchase it? Can it be configured on the existing RADIUS server?

husycisco Mon, 10/20/2008 - 04:30

It is free, built in to Windows 2003 Server. I don't know what you currently have as a RADIUS service, but Win2003's RADIUS is called IAS (Internet Authentication Server). Here is how to install it:

http://technet.microsoft.com/en-us/library/cc781690.aspx

Here is the configuration:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

Feel free to ask during implementation.
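
The ASA side of the AAA-assigned address approach described in the replies above, as an added configuration example that is not from any poster or from the linked Cisco documents. The server-group name, tunnel-group name, interface, server address and key are placeholders; the user address follows the question's 10.10.10.x numbering with an assumed /24 mask.

```cisco
! Added example. RADIUS_VPN, REMOTE_USERS, "inside", 192.0.2.10 and the key
! are placeholders, not values from this thread.

! 1. Take client addresses from the AAA server only. With dhcp or local left
!    enabled, a user whose account has no static address can still receive
!    one from those sources, which defeats any per-address access rule.
vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local

! 2. Define the RADIUS server (IAS in the replies above).
aaa-server RADIUS_VPN protocol radius
aaa-server RADIUS_VPN (inside) host 192.0.2.10
 key <shared-secret>

! 3. Point the remote-access tunnel group at that server group.
tunnel-group REMOTE_USERS type remote-access
tunnel-group REMOTE_USERS general-attributes
 authentication-server-group RADIUS_VPN

! The per-user address is then set on the RADIUS server, which returns it in
! the Framed-IP-Address attribute (RADIUS attribute 8) of the Access-Accept.

! Local alternative (the "locally for each user" option): only applies to
! users authenticated against the ASA's LOCAL database.
username user1 attributes
 vpn-framed-ip-address 10.10.10.1 255.255.255.0
```

With only `aaa` enabled, a user whose RADIUS account returns no address fails to connect, so a missing per-user entry shows up as a login failure rather than as an unexpected address.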
