Assigning Static IPs to VPN clients using AnyConnect w/Windows RADIUS
This might be somewhat esoteric; I can't seem to find any info on it, but if I missed a post or document somewhere, please, by all means, hook me up with a link!
We currently use Cisco ACS for Windows and a VPN Concentrator for our VPN solution. ACS allows us to assign static local IPs to incoming clients based on their login profile. This is great because it allows us IT folk (and some engineers) to keep our static IPs so that the firewalls allow us proper access to production, etc. when we VPN in.
My question/problem is 2-fold, but related.
1) How do we duplicate that sort of thing with Cisco ASAs using SSL? I managed to get WebVPN set up with AnyConnect, and I can connect remotely and log in with my ACS username/password (although the only way I can test is to RDP into our Geneva location, and you can't run AnyConnect while VPN'd, but at least I get through the login and client install, which is promising). I can't seem to find any way to specify a static IP for specific logins.
2) We'd like to ditch the Cisco ACS and move to using our internal Windows Active Directory for a single-sign-on solution. Will I still be able to use the static IP assignment from question 1 if we do this? And... how *do* you do this? I designed the internal DC as a RADIUS server and thought it was configured right, but it still uses my ACS info when I try to VPN in.
Thank you for your reply. I did find that vpn-addr-assign aaa was set to "no". I've looked through the ASDM and those instructions in that link; I must be missing something. How do I tell it where the RADIUS server is? It's currently using TACACS+ and pointing to the ACS server.
Do I have to keep the ACS? We're trying to ditch it, and point the firewall directly at the Windows domain controller. Is it necessary to have the ACS setup as a go-between? I'd prefer to point directly from the ASA to the Windows AD if possible.
This might help; these are chunks of the config that I thought might be relevant (there are 3 site VPNs set up and the standard user VPN):
If possible, I'd like to keep the old, original Cisco client-based VPN up while activating the AnyConnect/WebVPN VPN.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host X.X.X.14
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
crypto ipsec transform-set A esp-3des esp-md5-hmac
crypto ipsec transform-set B esp-3des esp-sha-hmac
If you point directly to AD, you can only perform authentication; I don't believe that you can assign IP addresses directly using LDAP, the protocol AD uses. However, you can enable the IAS service on your AD, which runs on the RADIUS protocol, and it can be used to assign IP addresses.
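The ASA side of what the answer above describes, as an added example that is not part of the original thread and not the poster's own config. Note that the posted config defines an "aaa-server RADIUS protocol radius" group but gives it no host, and the tunnel-group still names the TACACS+ group, which is why logins keep going to the ACS. The example assumes a hypothetical DC running IAS/NPS at 10.0.0.20, a hypothetical shared secret, placeholder pool/group/tunnel-group names, and ASA 8.0-8.3 era syntax ("vpn-tunnel-protocol svc"; later releases spell it "ssl-client"):

```cisco
! --- RADIUS server group pointing at the Windows DC running IAS/NPS ---
! (host address and key are assumptions; replace with your own)
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.20
 key S3cr3tSharedKey
 authentication-port 1812
 accounting-port 1813
!
! --- honour the Framed-IP-Address (RADIUS attribute 8) the server returns ---
! The poster found this set to "no"; without it the AAA-supplied address is ignored.
vpn-addr-assign aaa
!
! --- fallback pool for users with no static assignment ---
! Keep it disjoint from the statically assigned range so firewall rules
! keyed on the static IPs never match a pool user.
ip local pool ANYCONNECT_POOL 10.10.20.100-10.10.20.199 mask 255.255.255.0
!
group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 vpn-tunnel-protocol svc
 address-pools value ANYCONNECT_POOL
!
! --- the tunnel-group is what selects the server group, not the aaa-server line ---
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 authentication-server-group RADIUS
 default-group-policy ANYCONNECT_GP
```

On the Windows side, the per-user address is normally set on the user's Dial-in tab in Active Directory Users and Computers ("Assign a Static IP Address"); IAS/NPS returns it in the Access-Accept as Framed-IP-Address, and the ASA applies it before falling back to DHCP or the local pool. To confirm the path end to end before cutting over, run "test aaa-server authentication RADIUS host 10.0.0.20 username <user> password <pw>" on the ASA and watch "debug radius" for the returned attribute 8, then check the assigned address with "show vpn-sessiondb svc" after a real connection. Two caveats a practitioner will want: RADIUS carries the user password protected only by an MD5 construction keyed on the shared secret, so pick a long random secret and keep the ASA-to-DC leg on a trusted inside segment; and because the pool fallback is silent, a user whose static assignment is missing or mistyped will simply land in the pool, so the firewall rules that grant production access should be scoped to the reserved static range rather than to "any VPN client".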