04-23-2010 01:39 AM
Hi all:
I wonder if it's possible to assign a VPN user a static IP. The authentication is done via LDAP, and I saw that on the LDAP server there is a field where you can configure an IP address. Is it possible for the ASA to read it and assign it to the user, or does it have to be configured on the ASA?
Thanks so much,
Francisco
04-23-2010 04:40 AM
Yes, it is possible.
Here is the sample configuration:
Hope that helps.
04-23-2010 04:46 AM
Thanks halijenn, is it also valid for IPSec tunnels? In the example it goes directed to AnyConnect...
Forget this question, I saw the solution:
"This case applies to full-tunnel clients, including the IPSec client and the SSL VPN clients"
Many many thanks!!
04-23-2010 05:00 AM
One question arose while I was reading the document you posted: is only one LDAP Attribute Map permitted to be configured for each LDAP server?
04-23-2010 05:26 AM
Yes, only 1 attribute map is allowed per LDAP server.
However, you can configure multiple map-name and map-value within the attribute map.
04-23-2010 05:36 AM
Perfect
04-26-2010 04:14 AM
Hello:
I already configured everything necessary on the ASA in order to assign a static IP on IPSec tunnels, but it doesn't work.
On ASA:
ldap attribute-map VPN
map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
aaa-server LDAP (inside) host x.x.x.x
.
.
.
.
ldap-attribute-map VPN
The vpn-addr-assign aaa is also configured.
On the LDAP server, on the Dial-In tab, the third option, Control Access through Remote Access Policy, is marked (I also tried checking the Allow access option) and the IP is configured, but it doesn't work.
I launched a debug ldap 255 and I could see the value that ASA is reading on that field is negative:
msRADIUSFramedIPAddress: value = -1062723846
Any idea?
Thanks a lot,
Francisco
04-26-2010 04:51 AM
Looks like you are hitting bugID: CSCsm00894:
04-26-2010 05:05 AM
The LDAP server stores the IP address as an integer value. Is that normal? I mean, would the ASA be able to read it in normal conditions?
The ASA version is 8.0(4); I don't know why, in the bug page, it appears that it's fixed in 7.0(7.11), for instance.
Francisco
04-26-2010 05:11 AM
What IP address do you use to assign to the VPN client? Can you try anything below "127.255.255.255" just for testing? If it works, it seems that 8.0.4 is still affected by the bug.
04-26-2010 05:45 AM
Ok I'll check with the customer if it's possible.
Then, is the ASA able to read the integer value from the LDAP server and transform it to an IP address in a normal scenario?
Thanks
04-26-2010 06:18 AM
Yes, the ASA can read the integer from LDAP server and it gets converted to ip address to be assigned to the vpn client.
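As an added illustration of the conversion discussed in this post and the earlier ones (the negative value in the debug output, and the suggestion to test with an address below 127.255.255.255), here is a small decoder/encoder for the integer that Active Directory stores in msRADIUSFramedIPAddress. This is example code written for this page, not code from the thread, from the ASA, or from any Cisco tool. It assumes only what the thread shows: AD keeps the attribute as a 32-bit signed integer, and the ASA turns it into the Framed-IP-Address handed to the client. Any address at or above 128.0.0.0 has the top bit set, so a reader that treats the value as signed sees a negative number; the sample values are the two integers quoted in the thread, and the decoded form of the negative one is simply its two's-complement reading.

```python
"""Decode/encode the integer AD stores in msRADIUSFramedIPAddress.

Added example for this thread, not Cisco or forum code. Active Directory
stores the attribute with Integer syntax (32-bit signed); the ASA converts
it to the Framed-IP-Address assigned to the VPN client. Addresses at or
above 128.0.0.0 set bit 31, so a signed reader reports them as negative,
which is the symptom seen in the debug output above.
"""
import ipaddress

MASK32 = 0xFFFFFFFF


def decode_framed_ip(value: int) -> str:
    """Turn the stored integer into dotted-quad.

    A negative value is taken as the two's-complement form of the
    unsigned 32-bit address (what a signed LDAP reader produces).
    """
    if not -(2 ** 31) <= value <= MASK32:
        raise ValueError(f"not a 32-bit value: {value}")
    return str(ipaddress.IPv4Address(value & MASK32))


def encode_framed_ip(addr: str) -> int:
    """Produce the signed 32-bit integer as AD stores it for this address."""
    unsigned = int(ipaddress.IPv4Address(addr))
    return unsigned - 2 ** 32 if unsigned & 0x80000000 else unsigned


def looks_negative_to_signed_reader(addr: str) -> bool:
    """True when the stored value is negative, i.e. address >= 128.0.0.0.

    This is the boundary behind the 'try something below 127.255.255.255'
    test suggested in the thread.
    """
    return encode_framed_ip(addr) < 0


# Constructed sample: the two integers quoted in the thread's debug output.
SAMPLES = [168430330, -1062723846]

if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{v} -> {decode_framed_ip(v)}")
    for a in ("10.10.10.250", "127.255.255.255", "192.168.30.250"):
        print(f"{a} stored as {encode_framed_ip(a)}, "
              f"negative to a signed reader: {looks_negative_to_signed_reader(a)}")
```

Run it as a script to see both thread values decoded; 168430330 comes out as 10.10.10.250, matching the later debug line, and the negative value decodes to an address in the 192.168.0.0/16 range, which is why it falls on the wrong side of the 127.255.255.255 boundary mentioned above.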
04-26-2010 06:29 AM
Confirmed, this version is affected by the bug.
Many thanks, again, for your help
04-26-2010 06:31 AM
Thanks for the confirmation. Cheers.
04-26-2010 06:55 AM
Sorry for bothering again. Even though the ASA reads the attribute on LDAP correctly:
msRADIUSFramedIPAddress: value = 168430330 -->>10.10.10.250
it assigns the first free IP in the pool; I don't know why.
I don't know if it affects:
portico# show run all vpn-addr-assign
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0
portico#
Now the mask assigned is Class A instead of /24, and the default gateway is not the ASA (10.10.10.1); it's 10.0.0.1.