Assign Static IP to VPN clients authenticated on AAA server

Tears4Fears
Level 1

Hi NetPros

My objective is to assign static IP address for VPN clients.

The tunnel group authentication is on an AAA LDAP server.

AAA LDAP queries have been configured and tested to work.

I followed the guide below, but could not get static IP assignment to work.

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/selected_topics/enforce_AD.html#wp41996

The tunnel group is configured to use the DHCP pool and the Group policy on ASA.

- If I do not specify a DHCP pool, the error message is: "no assigned address"

- If I configure a DHCP pool, the assigned address will be from the pool

Here are my queries on assigning a static IP for AAA users:

1. Do you need to configure an external policy server for static IP assignment to work?

- I prefer to use the group policy on the ASA

2. Under the tunnel profile, do you need to specify what DHCP pool to use? If yes, what do I specify?

3. Does the DHCP service need to be running on the LDAP server?

4. As per printscreen below, is Remote Access Policy required?

5. What am I missing out to make static IP assignment work?

Big thanks

1 Reply

Tears4Fears
Level 1

Hi all

Thanks to friends working at Cisco, who helped to identify the root cause.

The root cause was a misprint in the Cisco document.

The correct LDAP attribute is: msRASSavedFramedIPAddress. Note the additional 'd' after the word 'Frame'.

In fact, this LDAP attribute was also lacking a 'd' in the ASDM scroll-down selection. I would appreciate it if someone could relay the mistake to Cisco personnel. Thanks all.
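The check below is an added example, not part of the thread or of Cisco's documentation: it audits an ASA configuration for `map-name` lines whose LDAP attribute is a near-miss of a known Active Directory attribute, which is the failure described in the reply above. The map names, server name, address and the list of known attributes are assumptions made for illustration.

```python
import difflib
import re

# Assumption: AD attribute names this audit treats as valid. The first entry
# is the spelling confirmed in the reply above; extend the list for your schema.
KNOWN_AD_ATTRS = ["msRASSavedFramedIPAddress", "msRADIUSFramedIPAddress",
                  "msNPAllowDialin", "memberOf", "department"]

# Constructed sample config: the first map uses the misprinted attribute
# (no 'd' after "Frame"), the second the corrected one. All names are placeholders.
SAMPLE_CONFIG = """\
ldap attribute-map STATIC-IP-BAD
  map-name msRASSavedFrameIPAddress IETF-Radius-Framed-IP-Address
ldap attribute-map STATIC-IP-GOOD
  map-name msRASSavedFramedIPAddress IETF-Radius-Framed-IP-Address
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 192.0.2.10
  ldap-attribute-map STATIC-IP-BAD
"""

def audit_attribute_maps(config):
    """Return (map, ldap_attr, suggestion, bound_to_server) per suspect map-name line."""
    findings, current = [], None
    # Maps actually referenced under an aaa-server host block.
    bound = set(re.findall(r"^[ \t]+ldap-attribute-map[ \t]+(\S+)", config, re.M))
    for line in config.splitlines():
        header = re.match(r"ldap attribute-map\s+(\S+)", line)
        if header:
            current = header.group(1)
            continue
        if not line.startswith(" "):
            current = None  # left the attribute-map block
            continue
        entry = re.match(r"\s+map-name\s+(\S+)\s+(\S+)", line)
        if entry and current and entry.group(1) not in KNOWN_AD_ATTRS:
            close = difflib.get_close_matches(entry.group(1), KNOWN_AD_ATTRS,
                                              n=1, cutoff=0.8)
            findings.append((current, entry.group(1),
                             close[0] if close else None, current in bound))
    return findings

if __name__ == "__main__":
    for name, attr, hint, in_use in audit_attribute_maps(SAMPLE_CONFIG):
        print(f"{name}: unknown LDAP attribute {attr!r}, "
              f"did you mean {hint!r}? (bound to a server: {in_use})")
```

A flagged map that is also bound to a server matches the symptom in the question: the attribute is never returned under that name, so the client falls back to the pool or gets no address.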