08-19-2010 04:27 AM - edited 03-10-2019 05:20 PM
hi,
I'm trying to dynamically assign IP addresses for VPN users from AD (without IAS service). Is it possible???
I know that there is a restriction that "Dial-in users are not supported by AD in ACS" (note in "acsuserguide51"), but I'm not exactly sure what I can and can't do with it.
In "Authorization Profiles", in the RADIUS Attributes tab, I try to manually add a specific attribute (Framed-IP-Address).
I have no problem (everything works just fine) with static address assignment in a way as below:
AD is already integrated with ACS and I've managed to download Directory attributes, especially msRADIUSFramedIPAddress.
When I change "Attribute Value" from static to dynamic type I see the option to select AD (but "Select", which should list all available attributes, is empty).
Can this be done in this way or is my concept wrong???
I know that I can do it directly (ASA <-> AD attribute mapping) but I want ACS to do it.
regards and thx for any help
Przemek
08-19-2010 05:29 AM
Your basic approach is correct. However, when you dynamically assign RADIUS attributes of type IP address in an authorization profile you only get presented for selection from attributes in the identity store (in this case AD) that are also of type IP address. In your example it is of type "integer64".
08-19-2010 05:58 AM
hmm,
so basically it can't be done due to a type mismatch? ASA can do such a mapping and ACS can't?
BTW, why does Microsoft use such a type for this field? It's weird ...
Conclusion is that I need to use IAS Radius service?
regards
03-28-2011 08:36 AM
Hi!
I got the same issue.
Have you achieved any success with it?
I've tried to manually change the type of msRADIUSFramedIPAddress (from Integer64 to IPv4 Address) on the Directory Attributes page in ACS. But it didn't help. The RADIUS attribute was not sent and ACS monitoring reported mismatching types.
03-28-2011 12:06 PM
Unfortunately not, so if you have more luck and find any solution, give me a note.
regards
07-05-2011 06:35 AM
Had the same problem when testing ACS 5.2.
The MS AD attribute msRADIUSFramedIPAddress is not of type IP address, and its value is a strange decimal format of the IP address. You can change the attribute type, but the value is a problem to convert to normal IP format, and it looks like ACS is not sending it.
Solved it this way:
1) In the MS AD user attributes, put the IP address in any single-valued text attribute, for example in the attribute: City
2) In ACS select attribute l=xxx.xxx.xxx.xxx (l is the MS AD attribute name for City), then edit this attribute and change its type from string to IPv4 Address
3) Now you can see this attribute in Authorization Profiles when you try to add a dynamic value for the Framed-IP-Address attribute, and you can map Framed-IP-Address to [AD=AD1]l
In our test environment (VPN on ASA with RADIUS on Cisco ACS and users from MS AD) it's working.
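Added example, not part of the thread or of any Cisco or Microsoft tooling: a Python check an administrator could run over exported user records before relying on the `l` (City) workaround, since a free-text attribute accepts anything. It assumes msRADIUSFramedIPAddress holds the address as a signed 32-bit integer (the "strange decimal format" mentioned above); the record layout, user names and the 192.168.1.0/24 pool are constructed for illustration.

```python
import ipaddress
from collections import Counter

def ad_int_to_ipv4(value):
    """Integer as stored in AD (assumed signed 32-bit) -> dotted-quad string."""
    if not -2**31 <= value < 2**32:
        raise ValueError(f"not a 32-bit value: {value}")
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))

def ipv4_to_ad_int(text):
    """Dotted-quad string -> signed 32-bit integer form."""
    n = int(ipaddress.IPv4Address(text))
    return n - 2**32 if n >= 2**31 else n

def audit(users, pool):
    """Return {user: [problems]} for the text attribute mapped to Framed-IP-Address."""
    net = ipaddress.ip_network(pool)
    seen = Counter(u["l"] for u in users)
    report = {}
    for u in users:
        problems = []
        try:
            addr = ipaddress.IPv4Address(u["l"])
        except ValueError:
            problems.append("not an IPv4 address")
        else:
            if addr not in net:
                problems.append("outside VPN pool")
            if seen[u["l"]] > 1:
                problems.append("duplicate assignment")
            if u.get("framed") is not None and ad_int_to_ipv4(u["framed"]) != str(addr):
                problems.append("differs from msRADIUSFramedIPAddress")
        if problems:
            report[u["name"]] = problems
    return report

# Constructed sample records (hypothetical export: name, City attribute "l",
# and msRADIUSFramedIPAddress as "framed" where it is set).
USERS = [
    {"name": "alice", "l": "192.168.1.10", "framed": -1062731510},
    {"name": "bob", "l": "192.168.1.11", "framed": None},
    {"name": "carol", "l": "Warsaw", "framed": None},
    {"name": "dave", "l": "192.168.1.11", "framed": -1062731509},
    {"name": "erin", "l": "10.0.0.5", "framed": None},
]

if __name__ == "__main__":
    for name, problems in audit(USERS, "192.168.1.0/24").items():
        print(name, problems)
```
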