
ACS5.1 - AD and RADIUS attributes mapping

hi,

I'm trying to dynamically assign IP addresses for VPN users from AD (without the IAS service). Is it possible?

I know that there is a restriction that "Dial-in users are not supported by AD in ACS" (note in "acsuserguide51"), but I'm not exactly sure what can and can't be done with it.

In "Authorization Profiles", on the RADIUS Attributes tab, I try to manually add a specific attribute (Framed-IP-Address).

I have no problem (everything works just fine) with static address assignment done as below:

(screenshot: ScreenShot161.jpg)

AD is already integrated with ACS, and I've managed to download the Directory attributes, in particular msRADIUSFramedIPAddress:

(screenshot: ScreenShot162.jpg)

When I change "Attribute Value" from the static to the dynamic type, I see the option to select AD (but "Select", which should list all available attributes, is empty):

(screenshot: ScreenShot163.jpg)

Can this be done this way, or is my concept wrong?

I know that I can do it directly (ASA <-> AD attribute mapping), but I want ACS to do it.

Regards and thanks for any help,

Przemek

5 Replies

jrabinow
Level 7

Your basic approach is correct. However, when you dynamically assign RADIUS attributes of type IP address in an authorization profile, you are only presented with attributes from the identity store (in this case AD) that are also of type IP address. In your example it is of type "integer64".

Hmm,

so basically it can't be done due to a type mismatch? ASA can do such a mapping and ACS can't?

BTW, why does Microsoft use such a type for this field? It's weird...

So the conclusion is that I need to use the IAS RADIUS service?

regards

Hi!

I got the same issue.

Have you achieved any success with it?

I've tried to manually change the type of msRADIUSFramedIPAddress (from Integer64 to IPv4 Address) on the Directory Attributes page in ACS, but it didn't help. The RADIUS attribute was not sent, and ACS monitoring reported mismatching types.

Unfortunately not, so if you have more luck and find a solution, give me a note.

regards

I had the same problem when testing ACS 5.2.
The MS AD attribute msRADIUSFramedIPAddress is not of type IP address, and its value is a strange decimal format of the IP address. You can change the attribute type, but converting the value to normal IP format is a problem, and it looks like ACS is not sending it.

I made the solution this way:

1) In the MS AD user attributes, put the IP address in any single text type attribute, for example in the attribute City.
2) In ACS, select the attribute l=xxx.xxx.xxx.xxx (l is the MS AD attribute name for City), then edit this attribute and change its type from string to IPv4 Address.
3) Now you can see this attribute in Authorization Profiles when you add a dynamic value for the Framed-IP-Address attribute, and you can map Framed-IP-Address to [AD=AD1]l.

In our test environment (VPN on ASA with RADIUS on Cisco ACS and users from MS AD) it's working.
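The two points raised in this thread, jrabinow's note that ACS only offers AD attributes of the same type as Framed-IP-Address and the workaround of storing the address in the free-text City (l) attribute, both come down to the data stored in AD. The following Python script is an added example, not code from the thread or from Cisco; it decodes the "strange decimal" form of msRADIUSFramedIPAddress (assumption: AD stores the IPv4 address as a signed 32-bit big-endian integer, which is why addresses above 127.x show up negative) and audits the City-attribute workaround, checking that each user's l value is a well-formed IPv4 address inside the VPN pool and agrees with the msRADIUSFramedIPAddress value, so a typo or a stale value in a text field is caught before ACS hands it to the ASA. The user records and pool ranges below are constructed sample data, not real directory output.

```python
"""Audit the AD attributes an ACS 5.x dynamic Framed-IP-Address mapping relies on.

Added example, not from the thread. The sample records are constructed; in a real
environment they would come from an LDAP query for sAMAccountName,
msRADIUSFramedIPAddress and l (City).
"""
import ipaddress
import struct

# Constructed sample records. Assumption: msRADIUSFramedIPAddress holds the IPv4
# address as a signed 32-bit integer in network byte order, so 192.168.1.10
# (0xC0A8010A) appears as -1062731510.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "msRADIUSFramedIPAddress": 167772171,   "l": "10.0.0.11"},
    {"sAMAccountName": "bob",   "msRADIUSFramedIPAddress": -1062731510, "l": "192.168.1.10"},
    {"sAMAccountName": "carol", "msRADIUSFramedIPAddress": None,        "l": "Warsaw"},
    {"sAMAccountName": "dave",  "msRADIUSFramedIPAddress": 167772172,   "l": "10.0.0.12 "},
]

# Constructed VPN address pools that a Framed-IP-Address may legitimately fall in.
VPN_POOLS = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("192.168.1.0/24")]


def decode_ms_radius_framed_ip(value):
    """Convert the AD integer form of msRADIUSFramedIPAddress to dotted quad."""
    if value is None:
        return None
    packed = struct.pack(">i", value)  # signed 32-bit, big-endian (assumption above)
    return str(ipaddress.IPv4Address(packed))


def encode_ms_radius_framed_ip(dotted):
    """Inverse of decode: dotted quad -> signed 32-bit integer as AD stores it."""
    return struct.unpack(">i", ipaddress.IPv4Address(dotted).packed)[0]


def validate_workaround_attribute(raw, pools):
    """Check the free-text attribute (City / l) that ACS will map to Framed-IP-Address
    once its type is changed to IPv4 Address. Returns (ok, reason)."""
    if raw is None:
        return False, "attribute missing"
    if raw != raw.strip():
        # ACS would fail the type conversion on stray whitespace; flag it explicitly.
        return False, "leading/trailing whitespace"
    try:
        addr = ipaddress.IPv4Address(raw)
    except ipaddress.AddressValueError:
        return False, "not an IPv4 address"
    if not any(addr in pool for pool in pools):
        return False, f"{addr} outside the VPN pools"
    return True, "ok"


def audit(users, pools):
    """Per-user findings: decoded MS attribute, workaround check and whether the two
    sources agree (None when either side is unusable)."""
    report = {}
    for user in users:
        decoded = decode_ms_radius_framed_ip(user.get("msRADIUSFramedIPAddress"))
        ok, reason = validate_workaround_attribute(user.get("l"), pools)
        consistent = None
        if ok and decoded is not None:
            consistent = decoded == str(ipaddress.IPv4Address(user["l"]))
        report[user["sAMAccountName"]] = {
            "decoded": decoded,
            "workaround_ok": ok,
            "reason": reason,
            "consistent": consistent,
        }
    return report


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_USERS, VPN_POOLS).items():
        print(f"{name:6} decoded={finding['decoded']!s:14} "
              f"ok={finding['workaround_ok']!s:5} consistent={finding['consistent']} "
              f"({finding['reason']})")
```

Run against real data, the users flagged with `workaround_ok=False` or `consistent=False` are the ones whose VPN session would either fail authorization or receive an unintended address; the `decode_ms_radius_framed_ip` helper also shows what the negative numbers in the ACS Directory Attributes view actually mean.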
