ACS5.1 - AD and RADIUS attributes mapping

Answered Question
Aug 19th, 2010

hi,


I'm trying to dynamically assign an IP address for VPN users from AD (without the IAS service). Is it possible?

I know that there is a restriction that "Dial-in users are not supported by AD in ACS" (note in "acsuserguide51"), but I'm not exactly sure what can and can't be done with it.

In "Authorization Profiles", in the RADIUS Attributes tab, I try to manually add a specific attribute (Framed-IP-Address).


I have no problem (everything works just fine) with static address assignment in the way shown below:


ScreenShot161.jpg

AD is already integrated with ACS and I've managed to download the Directory attributes, especially msRADIUSFramedIPAddress.


ScreenShot162.jpg

When I change "Attribute Value" from static to dynamic type, I see the option to select AD (but "Select", which should list all available attributes, is empty).


ScreenShot163.jpg

Can this be done in this way, or is my concept wrong?


I know that I can do it directly (ASA <-> AD attribute mapping), but I want ACS to do it.


Regards and thanks for any help


Przemek


Correct Answer
jrabinow Thu, 08/19/2010 - 05:29
Cisco Employee

Your basic approach is correct. However, when you dynamically assign RADIUS attributes of type IP address in an authorization profile, you are only presented, for selection, with attributes in the identity store (in this case AD) that are also of type IP address. In your example it is of type "integer64".

Przemyslaw Konitz Thu, 08/19/2010 - 05:58

Hmm,

so basically it can't be done due to a type mismatch? ASA can do such a mapping and ACS can't?

BTW, why does Microsoft use such a type for this field? It's weird...


The conclusion is that I need to use the IAS RADIUS service?


Regards

pbaleshenko Mon, 03/28/2011 - 08:36

Hi!


I got the same issue.

Have you achieved any success with it?


I've tried to manually change the type of msRADIUSFramedIPAddress (from Integer64 to IPv4 Address) on the Directory Attributes page in ACS. But it didn't help. The RADIUS attribute was not sent, and ACS monitoring reported mismatching types.

Przemyslaw Konitz Mon, 03/28/2011 - 12:06

Unfortunately not, so if you have more luck and find a solution, drop me a note.


Regards

Correct Answer
egasins Tue, 07/05/2011 - 06:35

Had the same problem when testing ACS 5.2.
The MS AD attribute msRADIUSFramedIPAddress is not of type IP address, and its value is a strange decimal format of the IP address. You can change the attribute type, but the value is a problem to convert into normal IP format, and it looks like ACS is not sending it.


Made a solution this way:

1) In the MS AD user attributes, put the IP address in any single-text-type attribute, for example in the attribute City.
2) In ACS, select the attribute l=xxx.xxx.xxx.xxx (l is the MS AD attribute name for City),
   then Edit this attribute and change its type from string to IPv4 Address.
3) Now you can see this attribute in Authorization Profiles when you try to add a dynamic value for the Framed-IP-Address attribute, and you can map Framed-IP-Address to [AD=AD1]l.


In our test environment (VPN on ASA with RADIUS on Cisco ACS and users from MS AD) it is working.
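The two answers above turn on the same detail: ACS will only map an identity-store attribute whose type matches the RADIUS attribute, and msRADIUSFramedIPAddress is stored as an integer rather than an IPv4 Address. The script below is an added example, not code from the thread or from Cisco or Microsoft. It assumes that the "strange decimal format" is the dotted quad packed big-endian into a 32-bit integer, which AD may present as a negative signed value for addresses at or above 128.0.0.0; confirm that against a known user in your own directory before relying on it. With that assumption it converts between the integer and dotted-quad forms, validates the text stored in the l (City) attribute used in the workaround, and audits a constructed set of user records so that a stale or mistyped City value is caught before ACS tries to map it into Framed-IP-Address.

```python
import ipaddress

# Assumed encoding: dotted quad packed big-endian into 32 bits. AD tooling may
# show values >= 128.0.0.0 as negative signed integers, so mask to 32 bits.
def ad_int_to_ipv4(value):
    """Convert an msRADIUSFramedIPAddress integer to dotted-quad text."""
    n = int(value) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(n))


def ipv4_to_ad_int(addr, signed=False):
    """Convert dotted-quad text to the integer form; signed=True reproduces
    the negative representation some AD tools display."""
    n = int(ipaddress.IPv4Address(addr))
    if signed and n >= 0x80000000:
        n -= 0x100000000
    return n


def check_text_attribute(value):
    """Validate the text stored in a string attribute such as l (City) before
    ACS maps it, retyped as IPv4 Address, into Framed-IP-Address.
    Returns the normalised address or None if the text is not an IPv4 address."""
    try:
        return str(ipaddress.IPv4Address(value.strip()))
    except (ipaddress.AddressValueError, ValueError):
        return None


# Constructed sample records, shaped like an LDAP export of three VPN users.
# vpnuser3 has no dial-in address and a real city name in l, which must not be
# mapped into Framed-IP-Address.
SAMPLE_USERS = [
    {"sAMAccountName": "vpnuser1", "msRADIUSFramedIPAddress": 167772161, "l": "10.0.0.1"},
    {"sAMAccountName": "vpnuser2", "msRADIUSFramedIPAddress": -1062731510, "l": "192.168.1.10"},
    {"sAMAccountName": "vpnuser3", "msRADIUSFramedIPAddress": None, "l": "Warsaw"},
]


def audit_users(users):
    """Report, per user, the address recoverable from each attribute and whether
    the text workaround attribute agrees with msRADIUSFramedIPAddress."""
    report = {}
    for user in users:
        raw = user.get("msRADIUSFramedIPAddress")
        from_int = ad_int_to_ipv4(raw) if raw is not None else None
        from_text = check_text_attribute(user.get("l") or "")
        report[user["sAMAccountName"]] = {
            "from_msRADIUSFramedIPAddress": from_int,
            "from_l": from_text,
            "consistent": from_int is not None and from_int == from_text,
        }
    return report


if __name__ == "__main__":
    for name, row in audit_users(SAMPLE_USERS).items():
        print(name, row)
```

Running the audit periodically against a directory export catches the two failure modes the workaround introduces: a City attribute that was never populated with an address, and one that drifted away from the value in msRADIUSFramedIPAddress after a reassignment.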
