I configured an LDAP attribute map to get the IP address assignment from an AD user's profile. When connecting with the AnyConnect client, this works. I do get the IP address that I assigned in AD. However, the subnet mask and default gateway are wrong. The mask ends up with a 255.0.0.0 and the gateway is 10.0.0.1. I should see a mask of 255.255.255.0 and a gateway of 10.6.28.1. They are correct when I let the ASA choose an address from the pool, but not when I have it configured for the static assignment. Is there some way to configure this so that they are correct when using the static assignment?
You would need to use an ldap attribute for netmask and map it to the ASA with "IETF-Radius-Framed-IP-Netmask" to assign the correct netmask.
I know all of the AnyConnect clients that connect to my ASA are going to be in a subnet with a 255.255.255.0 mask and gateway of 10.6.28.1.
Is there a way to configure the map in the ASA to provide those values specifically without trying to map something from AD?
No, you can't just push the subnet mask from the ASA while the ip address is assigned from the LDAP server.
You would need to map one of the LDAP attributes to IETF-Radius-Framed-IP-Netmask to assign the correct subnet mask.
Suppose I used the department field. If for one user in AD I assign the value "255.255.255.0" to the department, map it to the Cisco subnet mask attribute, and it works for that user, what will happen to another user who has the value "accounting" in his department field? Will it try to map "accounting" to the subnet mask?
Could I possibly make an attribute value map with a wildcard character? Perhaps map department to the subnet mask and then specify an attribute value map that would map "*" to "255.255.255.0"?
Looking through the results of a debug on LDAP, I don't see any attribute that is passed referencing a "calling station ID".
Instead, I took the "co" attribute (which is the country and should be the same for all users that I support) and mapped it to the Cisco netmask attribute. Then I added an attribute value map and mapped the value "United States" to "255.255.255.0". This worked, and when I connected I got my static IP address and the correct subnet mask. My curiosity now is what happens to a user who connects and doesn't have a value corresponding to the "co" attribute? Does it simply ignore the map, or does it try to apply some default value to the map?
Hi fdouble08, how did you do that attribute in order to assign the correct mask to the IPsec tunnels? Please paste the related config.
I've only tried it with the SSL client so far.
Using the GUI, under "AAA Server Groups", select the LDAP server and the bottom dialogue is titled "LDAP Attribute Map". Open that dialogue and click on the "Add" button. Give the new map a name and then fill in the LDAP attribute and the ASA attribute that you want to map it to. In my case, I mapped the LDAP attribute "msRASSavedFramedIPAddress" to the ASA attribute "IETF-Radius-Framed-IP-Address". That gets the IP address assigned in the AD user profile "Dial-up" tab, "Static IP Address" field. It doesn't pass the subnet mask, which is where I ran into trouble. halijenn had suggested mapping a common user LDAP value. So, I captured an LDAP debug from the console to see what LDAP values were being passed to the ASA when I logged in. Since all of the users that I support (with respect to my ASA) are in the United States, I could count on their AD profile passing "United States" for the "co" attribute. So I added that to the map. Mapping the "co" LDAP attribute to "IETF-Radius-Framed-IP-Netmask" would pass "United States" to the subnet mask. Of course that would be wrong, so I selected the "mapping of attribute value" tab in the ASA GUI and entered the value map to change the value of "United States" to "255.255.255.0". So when a user connects, I'll pass the static IP address assigned in the AD user profile dial-up tab, and if their address is in the United States, we'll pass the subnet mask "255.255.255.0" to the client as well. If someone were to connect and had their address indicating a country of "Brazil", it would fail to pass the correct subnet mask. Of course, users from Brazil aren't supposed to connect to my ASA anyway, so it works for me! There are possibly more common LDAP values, but the country field in the address field fit my needs.
Thanks for the reply.
My problem is that the ASA doesn't assign the static IP configured on the LDAP server; it reads it OK but it always assigns an IP from the pool. This is my configuration, please take a look and tell me if you have anything different on your appliance:
ldap attribute-map VPN
map-name msRADIUSFrameIPAddress IETF-Radius-Framed-IP-Address
aaa-server DIR_ACTIVO (inside) host x.x.x.x
sh run all vpn-addr-assign
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0
If I remove the vpn-addr-assign local command the tunnel doesn't work because the ASA can't assign any IP address to the IPsec user.
Finally, how did you fix the issue with the default gateway in this case? The ASA has an interface with 10.10.10.1, but once the tunnel is up I get 10.0.0.1 as the default gateway (the pool is 10.10.10.0/24).
Thanks so much,
There is a typo in the documentation on the LDAP attribute.
Actually there are two that are passed that correspond to the static IP address. They both contain the same value.
They are msRADIUSFramedIPAddress and msRASSavedFramedIPAddress.
In your config, you left out a letter "d" like the documentation did.
Right!!! I added the 'd' in the field and it works now.
The next thing is how to configure the correct default gateway for the IPsec tunnels. It must be 10.10.10.1 (the ASA) but the assigned one is 10.0.0.1. I imagine the ASA reads it from the LDAP server, right?
Yep. The ASA sends the default gateway as well. If the address is passed via LDAP then it appears that the ASA will send a mask & dg as well. If nothing is passed via the LDAP map, then it makes some assumptions. When I used an LDAP attribute and value map to send a subnet mask, the default gateway that was sent was correct as well. I figured it must have assumed that the dg was address 1 in the subnet of the assigned IP address. Luckily that is correct for my configuration. I didn't see any Cisco attributes in the list that would refer to a default gateway being passed to the client.
I changed the IP on LDAP to 192.168.x.x. Now LDAP sends the correct mask and dg to the ASA because the range is class C. I don't understand why there is no mask field and dg field on LDAP. If it's mandatory to use a pool from class A, how do you configure the platform to make it work?
Thanks for your help
I found that another good attribute to use that is universal to all users is the sAMAccountType.
Just map the value of whatever your flavor of LDAP maps to "user object" to "<whatever subnet mask you want to use>" in the LDAP attribute map portion of ASDM.
I used ADSI Edit to find the value that my LDAP flavor used for the "user object" value.
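The CLI equivalent of the ASDM steps described in the earlier answer (map the AD static address, then derive a fixed netmask from a value every user carries) together with the sAMAccountType variant from the last post, as an added example that is not configuration posted by anyone in this thread. It reuses the map name VPN and the server group DIR_ACTIVO from the pasted config, keeps x.x.x.x as a placeholder for the domain controller, and assumes the standard AD value 805306368 (SAM_USER_OBJECT) for a normal user account, which should be confirmed with ADSI Edit as the last post suggests:

```cisco
! Added example, not from the thread. Attribute map for AD static VPN addresses.
ldap attribute-map VPN
 ! static address from the AD user's Dial-up tab (note the "d" in Framed)
 map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
 ! netmask: "co" is sent by every US user, so translate its value to a mask
 map-name co IETF-Radius-Framed-IP-Netmask
 map-value co "United States" 255.255.255.0
 ! alternative that does not depend on the country field: map sAMAccountType
 ! instead of "co" (assumed value 805306368 = SAM_USER_OBJECT, verify in ADSI Edit)
 ! map-name sAMAccountType IETF-Radius-Framed-IP-Netmask
 ! map-value sAMAccountType 805306368 255.255.255.0
!
aaa-server DIR_ACTIVO (inside) host x.x.x.x
 ldap-attribute-map VPN
!
! AAA-assigned addresses must be enabled for the LDAP address to be honoured
! (enabled by default; "show run all vpn-addr-assign" should list it).
! The local pool stays as a fallback for users without a static address.
vpn-addr-assign aaa
vpn-addr-assign local reuse-delay 0
```

Only one netmask mapping should be active at a time; a user whose attribute value has no map-value entry receives the raw LDAP string, which is not a valid mask, so the mapped attribute should be one that every permitted account carries with a single known value. The result can be checked without a client session using "test aaa-server authentication DIR_ACTIVO host x.x.x.x username <user> password <pw>" with "debug ldap 255" enabled, and after a connection with "show vpn-sessiondb anyconnect", which lists the assigned address.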