Where to set client netmask in ASA, MSAD, split-tunnel, static IP from LDAP environment

Hi

I'm having a problem setting the netmask for SVC (AnyConnect) clients when using a static IP assignment from MSAD via LDAP.

The schema within MS AD has no netmask attribute.

We assign a 10.x.x.x address in the MS AD Dial-Up tab.

This results in the client using 255.0.0.0 as the corresponding netmask, which generates a dynamic route of 10.0.0.0/8 into the SVC tunnel.

In a split-tunnel situation, this is not the desired result.

We need to set the client's netmask to 255.255.254.0 or even 255.255.255.255.

How can this be done?

---

ldap attribute-map TCCustLDAPAttrMap
  map-name  msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address

aaa-server RADIUS_LDAP2 host 10.238.60.44
server-port 636
ldap-base-dn dc=rz,dc=tc,dc=corp
ldap-scope subtree
ldap-login-password *
ldap-login-dn CN=S_ASA_Auth2,ou=S_Group,DC=rz,DC=tc,DC=corp
ldap-over-ssl enable
server-type openldap
ldap-attribute-map TCCustLDAPAttrMap

crypto ca certificate map TCCertMap 20
subject-name attr ou eq ou_tc_sslvpn-1

webvpn
enable outside
default-idle-timeout 3600
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
svc enable
certificate-group-map TCCertMap 20 OU_TC_SSLVPN-1

group-policy OU_TC_SSLVPN-1-GrpPol internal
group-policy OU_TC_SSLVPN-1-GrpPol attributes
vpn-simultaneous-logins 500
vpn-idle-timeout none
vpn-filter value CustSslVpnAcl1
vpn-tunnel-protocol svc
ip-comp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ssl-vpn-acl
user-authentication-idle-timeout none
webvpn
  svc keepalive 60
  svc rekey method ssl
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask none default svc
  customization value DfltCustomization

tunnel-group OU_TC_SSLVPN-1 type remote-access
tunnel-group OU_TC_SSLVPN-1 general-attributes
authorization-server-group RADIUS_LDAP2
default-group-policy OU_TC_SSLVPN-1-GrpPol
authorization-required
authorization-dn-attributes CN
tunnel-group OU_TC_SSLVPN-1 webvpn-attributes
authentication certificate
tunnel-group-map enable rules

3 Replies

Michael Dombek
Level 1

I've had this problem with the subnet mask assigning like you do, but found this thread and especially this post

https://cisco-support.hosted.jivesoftware.com/message/3061163#3061163

and it worked for me

hope this helps you too

cheers michael

Thanks a lot Michael.

Now I use

ldap attribute-map TCCustLDAPAttrMap
  map-name  msRADIUSCallbackNumber IETF-Radius-Framed-IP-Netmask
  map-value msRADIUSCallbackNumber 23 4294966784
  map-value msRADIUSCallbackNumber 32 4294967295

So I use the Callback field on the Dial-in tab of the User Properties to enter the bit length of the mask and map it to IETF-Radius-Framed-IP-Netmask.

Seems to work fine.

Again, thanks for the answer.

regards, chris
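The map-value lines above carry the netmask as a 32-bit unsigned integer, which is easy to get wrong by hand. As an added example (not part of this thread or of Cisco's code), the following Python helper generates the ASA attribute-map block for any set of prefix lengths and decodes the values back to dotted quads for checking; the map name and LDAP attribute are taken from the thread, the classful fallback mirrors the 10.x -> 255.0.0.0 behaviour chris observed.

```python
import ipaddress


def prefix_to_netmask_int(prefix_len: int) -> int:
    """32-bit netmask for a prefix length, as the unsigned integer the ASA
    expects in an IETF-Radius-Framed-IP-Netmask map-value (e.g. /23 -> 4294966784)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"prefix length out of range: {prefix_len}")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def netmask_int_to_dotted(value: int) -> str:
    """Decode a map-value integer back to dotted-quad form for review."""
    return str(ipaddress.IPv4Address(value))


def classful_default_prefix(address: str) -> int:
    """Prefix length a client infers when no netmask is supplied (classful),
    which is what produced the unwanted 10.0.0.0/8 tunnel route in the thread."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def build_attribute_map(map_name: str, ldap_attr: str, prefixes) -> str:
    """Render the ldap attribute-map block: the callback-number value a user
    enters in AD (a prefix length) is mapped to the integer netmask."""
    lines = [
        f"ldap attribute-map {map_name}",
        f"  map-name  {ldap_attr} IETF-Radius-Framed-IP-Netmask",
    ]
    for p in sorted(set(prefixes)):
        lines.append(f"  map-value {ldap_attr} {p} {prefix_to_netmask_int(p)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Values from the thread: /23 and /32 for the TCCustLDAPAttrMap map
    print(build_attribute_map("TCCustLDAPAttrMap", "msRADIUSCallbackNumber", [23, 32]))
    for p in (23, 32):
        print(p, netmask_int_to_dotted(prefix_to_netmask_int(p)))
    # Without a netmask attribute a 10.x.x.x address falls back to /8
    print("fallback for 10.238.60.44:", classful_default_prefix("10.238.60.44"))
```

Extending the prefix list (for example range(16, 33)) gives one map-value per allowed length, so users only ever type the prefix length into the AD Callback field.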

Happy to hear that it worked for you too.

Please rate the original post from
fdouble08 and halijenn

cheers Michael
