Where to set client netmask in ASA, MSAD, split-tunnel, static IP from LDAP environment

Jul 1st, 2010


I'm having a problem setting the netmask for SVC (AnyConnect) clients when using a static IP assignment from MSAD via LDAP.

The schema within MS AD has no netmask attribute.

We assign a 10.x.x.x address in the MS AD Dial-Up tab.

This results in the client using as the corresponding netmask, which generates a dynamic route of into the SVC tunnel.

In split-tunnel situation, this is not the desired result.

We need to set the client's netmask to or even

How can this be done?


ldap attribute-map TCCustLDAPAttrMap
  map-name  msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address

aaa-server RADIUS_LDAP2 host
server-port 636
ldap-base-dn dc=rz,dc=tc,dc=corp
ldap-scope subtree
ldap-login-password *
ldap-login-dn CN=S_ASA_Auth2,ou=S_Group,DC=rz,DC=tc,DC=corp
ldap-over-ssl enable
server-type openldap
ldap-attribute-map TCCustLDAPAttrMap

crypto ca certificate map TCCertMap 20
subject-name attr ou eq ou_tc_sslvpn-1

enable outside
default-idle-timeout 3600
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
svc enable
certificate-group-map TCCertMap 20 OU_TC_SSLVPN-1

group-policy OU_TC_SSLVPN-1-GrpPol internal
group-policy OU_TC_SSLVPN-1-GrpPol attributes
vpn-simultaneous-logins 500
vpn-idle-timeout none
vpn-filter value CustSslVpnAcl1
vpn-tunnel-protocol svc
ip-comp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ssl-vpn-acl
user-authentication-idle-timeout none
  svc keepalive 60
  svc rekey method ssl
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask none default svc
  customization value DfltCustomization

tunnel-group OU_TC_SSLVPN-1 type remote-access
tunnel-group OU_TC_SSLVPN-1 general-attributes
authorization-server-group RADIUS_LDAP2
default-group-policy OU_TC_SSLVPN-1-GrpPol
authorization-dn-attributes CN
tunnel-group OU_TC_SSLVPN-1 webvpn-attributes
authentication certificate
tunnel-group-map enable rules

christian.kupfe... Fri, 07/02/2010 - 12:19

Thanks a lot Michael.

Now I use

ldap attribute-map TCCustLDAPAttrMap
  map-name  msRADIUSCallbackNumber IETF-Radius-Framed-IP-Netmask
  map-value msRADIUSCallbackNumber 23 4294966784
  map-value msRADIUSCallbackNumber 32 4294967295

So I use the Callback field on the Dial-in tab of the User Properties to enter the bit length of the mask and map it to IETF-Radius-Framed-IP-Netmask.

Seems to work fine.

Again, thanks for the answer.

regards, chris
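The map-value integers in the reply above are the 32-bit netmask written as an unsigned decimal. As an added example (not from the thread or from Cisco), this helper derives those integers from a prefix length, renders an attribute-map block in the same form, and shows which network a given assigned address and mask would route into the tunnel; the map name and AD attribute are taken from the thread, the sample client address is constructed.

```python
import ipaddress

def prefix_to_netmask_int(prefix: int) -> int:
    """Netmask for a prefix length as the unsigned 32-bit integer the ASA
    ldap attribute-map expects for IETF-Radius-Framed-IP-Netmask."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"invalid prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def netmask_int_to_dotted(mask: int) -> str:
    """Dotted-quad form of a netmask integer, for checking a map-value by eye."""
    return str(ipaddress.IPv4Address(mask))

def attribute_map_lines(map_name: str, ldap_attr: str, prefixes) -> list:
    """Render an ldap attribute-map block that maps a prefix length stored in
    an AD attribute (e.g. the dial-in Callback number) to the RADIUS netmask."""
    lines = [f"ldap attribute-map {map_name}",
             f"  map-name  {ldap_attr} IETF-Radius-Framed-IP-Netmask"]
    for p in sorted(prefixes):
        lines.append(f"  map-value {ldap_attr} {p} {prefix_to_netmask_int(p)}")
    return lines

def tunnel_route(client_ip: str, prefix: int) -> str:
    """Network the client derives from its assigned address and mask; with a
    broad mask this whole network is routed into the split tunnel, with /32
    only the host itself."""
    return str(ipaddress.IPv4Network(f"{client_ip}/{prefix}", strict=False))

if __name__ == "__main__":
    # Constructed sample address; the prefixes are the ones used in the thread.
    for line in attribute_map_lines("TCCustLDAPAttrMap",
                                    "msRADIUSCallbackNumber", [23, 32]):
        print(line)
    for p in (8, 23, 32):
        print(f"/{p} -> {netmask_int_to_dotted(prefix_to_netmask_int(p))} "
              f"route {tunnel_route('10.20.30.40', p)}")
```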

Michael Dombek Fri, 07/02/2010 - 13:00

Happy to hear that it worked for you too.

Please rate the original post from
fdouble08 and halijenn

cheers Michael
