Cisco Support Community
Assign static IP through LDAP

Hi all:

I wonder if it's possible to assign a VPN user a static IP. Authentication is done via LDAP, and I saw that on the LDAP server there is a field where you can configure an IP address. Is it possible for the ASA to read it and assign it to the user, or does it have to be configured on the ASA?

Thanks so much,

Francisco

3 ACCEPTED SOLUTIONS

20 REPLIES
Cisco Employee

Re: Assign static IP through LDAP

Re: Assign static IP through LDAP

Thanks halijenn, is it also valid for IPSec tunnels? The example is directed at AnyConnect...

Forget this question, I saw the solution:


"This case applies to full-tunnel clients,  including the IPSec client and the SSL VPN clients"

Many many thanks!!

Re: Assign static IP through LDAP

One question arose while I was reading the document you posted: is only one LDAP attribute map permitted per LDAP server?

Cisco Employee

Re: Assign static IP through LDAP

Yes, only 1 attribute map is allowed per LDAP server.

However, you can configure multiple map-name and map-value within the attribute map.

Re: Assign static IP through LDAP

Perfect

Re: Assign static IP through LDAP

Hello:

I already configured everything necessary on the ASA in order to assign a static IP on IPSec tunnels, but it doesn't work.

On ASA:

ldap attribute-map VPN
  map-name  msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address

aaa-server LDAP (inside) host x.x.x.x
  ...
  ldap-attribute-map VPN

The vpn-addr-assign aaa is also configured.

On the LDAP server, on the Dial-In tab, the third option, Control Access through Remote Access Policy, is selected (I also tried checking the Allow access option) and the IP is configured, but it doesn't work.

I ran a debug ldap 255 and I could see that the value the ASA is reading from that field is negative:

msRADIUSFramedIPAddress: value = -1062723846

Any idea?

Thanks a lot,

Francisco

Cisco Employee

Re: Assign static IP through LDAP

Re: Assign static IP through LDAP

The LDAP server stores the IP address as an integer value; is that normal? I mean, would the ASA be able to read it under normal conditions?

The ASA version is 8.0(4). I don't know why, but on the bug page it appears that it was fixed in 7.0(7.11), for instance.

Francisco

Cisco Employee

Re: Assign static IP through LDAP

What IP address do you use to assign to the VPN client? Can you try anything below "127.255.255.255" just for testing? If it works, it seems that 8.0.4 is still affected by the bug.

Re: Assign static IP through LDAP

Ok I'll check with the customer if it's possible.

Then, is the ASA able to read the integer value from the LDAP server and transform it into an IP address in a normal scenario?

Thanks

Cisco Employee

Re: Assign static IP through LDAP

Yes, the ASA can read the integer from the LDAP server, and it gets converted to an IP address to be assigned to the VPN client.
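The integer seen in the debug output is Active Directory's storage form of msRADIUSFramedIPAddress: a signed 32-bit value, so any address whose first octet is 128 or higher has its top bit set and prints as a negative number. The following is an added example, not ASA code and not from the thread; it decodes the two values quoted in this thread with plain Python (the ASA does an equivalent conversion internally). The -1062723846 above decodes to 192.168.30.250, and the 168430330 quoted later decodes to 10.10.10.250. The `stored_as_negative` check tells you in advance whether an address lies above 127.255.255.255, which is the boundary halijenn suggested testing against.

```python
import re
import struct
import ipaddress

# Active Directory stores msRADIUSFramedIPAddress with the 'Integer' syntax,
# a signed 32-bit value.  Addresses with the first octet >= 128 have the top
# bit set and therefore show up negative in "debug ldap 255" output.
# Added example: decoding done in Python, not the ASA's own code.

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def ad_int_to_ip(value: int) -> str:
    """Decode a signed 32-bit msRADIUSFramedIPAddress value into dotted quad."""
    if not INT32_MIN <= value <= INT32_MAX:
        raise ValueError(f"{value} is not a 32-bit signed integer")
    # Reinterpret the two's-complement bits as unsigned before converting.
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def ip_to_ad_int(address: str) -> int:
    """Encode a dotted-quad address as the signed integer AD would store."""
    unsigned = int(ipaddress.IPv4Address(address))
    # Pack as unsigned big-endian, unpack as signed: same bits, AD's view.
    return struct.unpack("!i", struct.pack("!I", unsigned))[0]


def stored_as_negative(address: str) -> bool:
    """True for addresses above 127.255.255.255 (high bit set).

    halijenn's test was to try an address below 127.255.255.255; this tells
    you up front which side of that boundary a given address falls on.
    """
    return ip_to_ad_int(address) < 0


DEBUG_LINE = re.compile(r"msRADIUSFramedIPAddress:\s*value\s*=\s*(-?\d+)")


def decode_debug_line(line: str):
    """Pull the integer out of a 'debug ldap' line and decode it, or None."""
    match = DEBUG_LINE.search(line)
    if match is None:
        return None
    return ad_int_to_ip(int(match.group(1)))


if __name__ == "__main__":
    # Both values are the ones quoted in this thread.
    for line in ("msRADIUSFramedIPAddress: value = -1062723846",
                 "msRADIUSFramedIPAddress: value = 168430330"):
        ip = decode_debug_line(line)
        print(f"{line}  ->  {ip}  (negative in AD: {stored_as_negative(ip)})")
```

Feed it a pasted `debug ldap 255` line and it prints the address the ASA should be handing out; comparing that with the address the client actually received is the quickest way to separate an LDAP-side problem from the address-assignment configuration on the ASA.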

Re: Assign static IP through LDAP

Confirmed, this version is affected by the bug.

Many thanks, again, for your help

Cisco Employee

Re: Assign static IP through LDAP

Thanks for the confirmation. Cheers.

Re: Assign static IP through LDAP

Sorry for bothering you again. Even though the ASA reads the attribute on LDAP correctly:

msRADIUSFramedIPAddress: value = 168430330 -->>10.10.10.250

it assigns the first free IP from the pool, I don't know why.

I don't know if it affects:

portico# show run all vpn-addr-assign
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0
portico#

Now the mask assigned is Class A instead of /24, and the default gateway is not the ASA (10.10.10.1); it's 10.0.0.1.

Cisco Employee

Re: Assign static IP through LDAP

Unfortunately, the LDAP server does not automatically assign the correct subnet mask to the VPN client. You would need to configure the following attribute map: "IETF-Radius-Framed-IP-Netmask".

You can use a common attribute, for example calling station ID (which is always going to be the ASA IP address), and assign the right subnet mask of 255.255.255.0 using "IETF-Radius-Framed-IP-Netmask".

Re: Assign static IP through LDAP

...and what about the ASA not assigning the correct IP, even though it reads the parameter on the LDAP server correctly?

Cisco Employee

Re: Assign static IP through LDAP

You should remove the following:

vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0

as you are assigning the IP from AAA, you should only have "vpn-addr-assign aaa".

Re: Assign static IP through LDAP

Sorry, but I didn't understand you. How can I know what the attribute name on LDAP for the netmask is? I was searching, but I didn't find it.

I don't know what the calling station ID attribute is; is it the map-name?

Edit: If I remove the vpn-addr-assign local reuse-delay 0 command, the tunnel doesn't work, that is, the ASA doesn't assign the IP from the LDAP server...

New Member

Assign static IP through LDAP

Hi Francisco,

Did you manage to get the configuration working?

I intend to do similar things as you also.

The only difference is that my IPs are static host IPs.

Error log:

<188>:Nov 30 01:12:27 SGT: %ASA-ipaa-4-737019: IPAA: Unable to get address from group-policy or tunnel-group local pools

<189>:Nov 30 01:12:31 SGT: %ASA-ipaa-5-737007: IPAA: Local pool request failed for tunnel-group 'DefaultWEBVPNGroup'

<188>:Nov 30 01:12:31 SGT: %ASA-ipaa-4-737012: IPAA: Address assignment failed

<189>:Nov 30 01:12:31 SGT: %ASA-vpn-5-750006: Local:202.6.172.140:4500 Remote:101.101.101.101:53973 Username:user1 SA UP. Reason: New Connection Established

<189>:Nov 30 01:12:31 SGT: %ASA-vpn-5-751007: Local:202.6.172.140:4500 Remote:101.101.101.101:53973 Username:user1 Configured attribute not supported for IKEv2. Attribute: IP Compression

<189>:Nov 30 01:12:31 SGT: %ASA-vpn-5-751007: Local:202.6.172.140:4500 Remote:101.101.101.101:53973 Username:user1 Configured attribute not supported for IKEv2. Attribute: Auth on Rekey

<189>:Nov 30 01:12:31 SGT: %ASA-vpn-5-751007: Local:202.6.172.140:4500 Remote:101.101.101.101:53973 Username:user1 Configured attribute not supported for IKEv2. Attribute: NAC

User authentication was successful.

[40] Processing LDAP response for user user1

[40] Message (user1):

[40] Authentication successful for user1 to 192.168.1.11
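The log excerpt above carries the whole story in three IPAA message IDs (737019, 737007, 737012) that fire before the SA comes up. As an added example, not from the thread or from Cisco, here is a small Python parser for that ASA syslog format that extracts those address-assignment failures and the tunnel-group they name, so the condition can be spotted in a log feed rather than by eye. The sample lines are constructed to match the posted format; the Local/Remote addresses are RFC 5737 documentation ranges, not the poster's, and the message-ID meanings are taken from the message text as logged.

```python
import re

# Constructed sample modelled on the syslog excerpt posted above; the
# addresses are RFC 5737 documentation ranges, not the poster's.
SAMPLE_LOG = """\
<188>:Nov 30 01:12:27 SGT: %ASA-ipaa-4-737019: IPAA: Unable to get address from group-policy or tunnel-group local pools
<189>:Nov 30 01:12:31 SGT: %ASA-ipaa-5-737007: IPAA: Local pool request failed for tunnel-group 'DefaultWEBVPNGroup'
<188>:Nov 30 01:12:31 SGT: %ASA-ipaa-4-737012: IPAA: Address assignment failed
<189>:Nov 30 01:12:31 SGT: %ASA-vpn-5-750006: Local:192.0.2.1:4500 Remote:198.51.100.7:53973 Username:user1 SA UP. Reason: New Connection Established
<189>:Nov 30 01:12:31 SGT: %ASA-vpn-5-751007: Local:192.0.2.1:4500 Remote:198.51.100.7:53973 Username:user1 Configured attribute not supported for IKEv2. Attribute: IP Compression
"""

# Syslog priority, timestamp with zone, then the ASA header.  The class tag
# ("ipaa", "vpn") between ASA and the severity is optional in the pattern so
# the plain %ASA-<sev>-<id> form also parses.
ASA_LINE = re.compile(
    r"^<(?P<pri>\d+)>:(?P<ts>[^:]+:\d+:\d+ \w+): "
    r"%ASA-(?:(?P<cls>[a-z]+)-)?(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$"
)

# IPAA failure messages seen in the excerpt; meanings follow the logged text.
IPAA_FAILURE_IDS = {
    "737019": "no address available from group-policy or tunnel-group local pools",
    "737007": "local pool request failed for the tunnel-group",
    "737012": "address assignment failed",
}
TUNNEL_GROUP = re.compile(r"tunnel-group '(?P<tg>[^']+)'")
USERNAME = re.compile(r"Username:(?P<user>\S+)")


def parse_asa_line(line: str):
    """Split one syslog line into its fields, or None if it is not ASA format."""
    m = ASA_LINE.match(line.strip())
    return m.groupdict() if m else None


def ipaa_failures(text: str):
    """Return (message id, meaning, tunnel-group or None) for each IPAA failure, in order."""
    events = []
    for line in text.splitlines():
        rec = parse_asa_line(line)
        if rec is None or rec["id"] not in IPAA_FAILURE_IDS:
            continue
        tg = TUNNEL_GROUP.search(rec["msg"])
        events.append((rec["id"], IPAA_FAILURE_IDS[rec["id"]],
                       tg.group("tg") if tg else None))
    return events


def summarize(text: str):
    """Collect failure ids, the tunnel-groups named, and users whose SA came up."""
    failures = ipaa_failures(text)
    users = []
    for line in text.splitlines():
        rec = parse_asa_line(line)
        if rec and rec["id"] == "750006":
            u = USERNAME.search(rec["msg"])
            if u and u.group("user") not in users:
                users.append(u.group("user"))
    return {
        "failure_ids": [f[0] for f in failures],
        "tunnel_groups": sorted({f[2] for f in failures if f[2]}),
        "users_sa_up": users,
    }


if __name__ == "__main__":
    for msg_id, meaning, tg in ipaa_failures(SAMPLE_LOG):
        print(f"{msg_id}: {meaning}" + (f" ({tg})" if tg else ""))
    print(summarize(SAMPLE_LOG))
```

When `failure_ids` contains 737012 for a session that then reports SA UP, the client authenticated but got no usable address; in this thread that combination pointed at the address-assignment configuration (vpn-addr-assign and the attribute map) rather than at LDAP authentication, which the "[40] Authentication successful" line already rules out.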

Assign static IP through LDAP

Hello limlayhin

Yes, it worked, but I don't remember how. I hope someone can help you in this matter.

Sorry and regards
