
Assign static IP through LDAP

Hi all:

I wonder if it's possible to assign a VPN user a static IP. The authentication is done via LDAP, and I saw on the LDAP server there is a field where you can configure an IP address. Is it possible for the ASA to read it and assign it to the user, or does it have to be configured on the ASA?

Thanks so much,

Francisco

Accepted Solution

Jennifer Halim
Cisco Employee

Yes, only 1 attribute map is allowed per LDAP server.

However, you can configure multiple map-name and map-value within the attribute map.

20 Replies

Thanks halijenn, is it also valid for IPSec tunnels? In the example it is directed at AnyConnect...

Forget this question, I saw the solution:


"This case applies to full-tunnel clients,  including the IPSec client and the SSL VPN clients"

Many many thanks!!

One question arose while I was reading the document you posted: is only one LDAP Attribute Map permitted per LDAP server?


Hello:

I already configured everything necessary on the ASA in order to assign a static IP on IPSec tunnels, but it doesn't work.

On ASA:

ldap attribute-map VPN
  map-name  msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address

aaa-server LDAP (inside) host x.x.x.x
  ...
  ldap-attribute-map VPN

The vpn-addr-assign aaa is also configured.

On the LDAP server, on the Dial-In tab, the third option "Control Access through Remote Access Policy" is selected (I also tried checking the "Allow access" option) and the IP is configured, but it doesn't work.

I ran a debug ldap 255 and I could see that the value the ASA is reading from that field is negative:

msRADIUSFramedIPAddress: value = -1062723846

Any idea?

Thanks a lot,

Francisco

The LDAP server stores the IP address as an integer value, is that normal? I mean, would the ASA be able to read it under normal conditions?

The ASA version is 8.0(4). I don't know why, but on the bug page it appears that it's fixed in 7.0(7.11), for instance.

Francisco

What IP address do you assign to the VPN client? Can you try anything below "127.255.255.255" just for testing? If it works, it seems that 8.0.4 is still affected by the bug.
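The two debug values quoted in this thread (-1062723846 and, later, 168430330 for 10.10.10.250) are the same 32-bit encoding read with and without a sign. The following Python is an added example, not code from the thread or from Cisco: it decodes the msRADIUSFramedIPAddress integer into dotted-quad form, encodes it back, and flags the sign-bit case behind the "try anything below 127.255.255.255" test. It assumes Active Directory stores the address as a signed 32-bit integer in network byte order (my reading of the debug output, not stated on the page); the classful_mask helper only illustrates the classful default rule as one explanation for a /8 mask appearing on a 10.x address.

```python
# Added example: decode/encode the msRADIUSFramedIPAddress integer that
# Active Directory keeps for the Dial-in "Assign a Static IP Address" setting.
# Assumption (mine): the value is a signed 32-bit integer, big-endian.
import ipaddress
import struct

# Constructed sample input: the two values quoted in the thread's debug output.
SAMPLE_VALUES = [-1062723846, 168430330]


def framed_ip_from_ldap(value: int) -> str:
    """Signed 32-bit msRADIUSFramedIPAddress -> dotted quad."""
    if not -2**31 <= value < 2**31:
        raise ValueError(f"{value} does not fit in a signed 32-bit integer")
    # Pack as signed big-endian; IPv4Address re-reads the same 4 bytes
    # unsigned, which folds a negative value back onto 0..2**32-1.
    raw = struct.pack(">i", value)
    return str(ipaddress.IPv4Address(raw))


def ldap_value_from_ip(ip: str) -> int:
    """Inverse: dotted quad -> the signed integer as AD stores it."""
    raw = ipaddress.IPv4Address(ip).packed
    return struct.unpack(">i", raw)[0]


def sign_bit_set(value: int) -> bool:
    """True when the address is above 127.255.255.255 (high bit set), i.e. the
    stored integer is negative; this is the region the thread's test avoids."""
    return value < 0


def classful_mask(ip: str) -> str:
    """Classful default mask for an address (illustration only: one reason a
    10.x address can end up with 255.0.0.0 when no netmask is supplied)."""
    first = int(ip.split(".")[0])
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    if first < 224:
        return "255.255.255.0"
    raise ValueError(f"{ip} has no classful unicast mask")


def decode_all(values=SAMPLE_VALUES) -> list:
    """Decode each sample and report whether it sits in the sign-bit region."""
    return [(v, framed_ip_from_ldap(v), sign_bit_set(v)) for v in values]


if __name__ == "__main__":
    for value, ip, negative in decode_all():
        print(f"{value:>12} -> {ip:<16} sign bit: {negative}  "
              f"classful mask: {classful_mask(ip)}")
```

Running the block prints the decoded form of both values; the negative one decodes to an address in 192.168.0.0/16, which is exactly the case the 127.255.255.255 threshold separates from the working 10.x case.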

Ok I'll check with the customer if it's possible.

So the ASA is able to read the integer value from the LDAP server and convert it to an IP address in a normal scenario?

Thanks

Yes, the ASA can read the integer from the LDAP server and it gets converted to an IP address to be assigned to the VPN client.

Confirmed, this version is affected by the bug.

Many thanks, again, for your help

Thanks for the confirmation. Cheers.

Sorry for bothering you again. Even though the ASA reads the attribute on LDAP correctly:

msRADIUSFramedIPAddress: value = 168430330 -->>10.10.10.250

it assigns the first free IP in the pool, I don't know why.

I don't know if it affects:

portico# show run all vpn-addr-assign
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0
portico#

Now the mask assigned is Class A instead of /24, and the default gateway is not the ASA (10.10.10.1), it's 10.0.0.1.
