Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Assigning Static IPs to VPN clients using AnyConnect w/Windows RADIUS

Hello!

    This might be somewhat esoteric, I can't seem to find any info on it, but if I missed a post or document somewhere, please by all means hook me up with a link!

     We currently use Cisco ACS for Windows and a VPN Concentrator for our VPN solution.  ACS allows us to assign static local IPs to incoming clients based on their login profile.  This is great because it allows us IT folk (and some engineers) to keep our static IPs so that the firewalls allow us proper access to production, etc. when we VPN in.

My question/problem is 2-fold, but related.

1) How do we duplicate that sort of thing with Cisco ASA's using SSL?  I managed to get WebVPN setup with AnyConnect and I can connect remotely and login with my ACS username/password (although the only way I can test is to RDP into our Geneva location and you can't run AnyConnect while VPN'd, but at least I get through the login and client install, which is promising).  I can't seem to find any way to specific a static IP for specific logins.

2) We'd like to ditch the Cisco ACS and move to using our internal Windows Active Directory for a single-sign-on solution.  Will I still be able to use the static IP assignment from question 1 if we do this?  And... how *do* you do this?  I designed the internal DC as a RADIUS server and thought it was configured right, but it still uses my ACS info when I try to VPN in.

Thank you ahead of time!

Isaac

  • VPN
3 REPLIES
Cisco Employee

Assigning Static IPs to VPN clients using AnyConnect w/Windows R

1) On the ASA, you can change the address assignment from local pool, to AAA assign.

Command: vpn-addr-assign aaa:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1644603

I assume that you already know how to configure the ACS server since you've already used the same for your VPN Concentrator.

2) Same as above, since you are using the same radius protocol, all need is to enable address assignment AAA for VPN.

Hope that answers your questions.

New Member

Assigning Static IPs to VPN clients using AnyConnect w/Windows R

Hi Jennifer,

     Thank you for your reply.  I did find that vpn-addr-assign aaa was set for "no".  I've looked through the ASDM and those instructions in that link, I must be missing something, how do I tell it where the RADIUS server is?  It's currently using TACACS and pointing to the ACS server. 

     Do I have to keep the ACS?  We're trying to ditch it, and point the firewall directly at the Windows domain controller.  Is it necessary to have the ACS setup as a go-between?  I'd prefer to point directly from the ASA to the Windows AD if possible.

     This might help, this is chunks of the config that I thought might be relevant (there are 3 Site VPNs setup and the standard user VPN):

     If possible, I'd like to keep the old, original Cisco client-based VPN up while activating the AnyConnect/WebVPN VPN.

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (inside) host X.X.X.14

key *****

aaa-server RADIUS protocol radius

aaa authentication ssh console LOCAL

crypto ipsec transform-set A esp-3des esp-md5-hmac

crypto ipsec transform-set B esp-3des esp-sha-hmac

crypto ipsec transform-set C esp-des esp-md5-hmac

crypto ipsec transform-set ClientlessVPN esp-3des esp-md5-hmac

crypto ipsec transform-set ClientlessVPN mode transport

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map hood 1 match address 101

crypto map hood 1 set peer A.A.A.4

crypto map hood 1 set transform-set snowyway

crypto map hood 2 match address 104

crypto map hood 2 set peer B.B.B.67

crypto map hood 2 set transform-set waltham

crypto map hood 3 match address 105

crypto map hood 3 set peer C.C.C.66

crypto map hood 3 set transform-set waltham

crypto map hood interface outside

crypto ca trustpoint L-TP

enrollment self

crl configure

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption des

hash md5

group 1

lifetime 86400

crypto isakmp policy 2

authentication pre-share

encryption 3des

hash md5

group 1

lifetime 1000

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

~

webvpn

enable outside

svc image disk0:/anyconnect-win-3.0.07059-k9.pkg 1

svc profiles WebVPN disk0:/webvpn.xml

svc enable

tunnel-group-list enable

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

dns-server value X.X.X.6 X.X.X.11

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

default-domain value phtcorp.com

webvpn

  svc keep-installer installed

  svc rekey time 30

  svc rekey method ssl

  svc profiles value WebVPN type user

  svc ask enable default svc timeout 10

  always-on-vpn profile-setting

~

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool WebVPN

authentication-server-group TACACS+

default-group-policy GroupPolicy1

tunnel-group DefaultWEBVPNGroup webvpn-attributes

nbns-server X.X.X.11 master timeout 2 retry 2

Cisco Employee

Assigning Static IPs to VPN clients using AnyConnect w/Windows R

Here is a sample configuration to use ACS radius as authentication:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008080f2d1.shtml

If you point directly to AD, you can only perform authentication, I dont' believe that you can assign IP Address directly using LDAP as protocol which AD uses. However, you can enabled IAS service on your AD which run on Radius protocol and it can be used to assign IP address.

3770
Views
0
Helpful
3
Replies
This widget could not be displayed.