Cisco ASA remote vpn static ip binding to users

mohamed fayz
Level 1

Hi, is there any possibility of static IP binding for Cisco ASA remote client users from the DHCP pool which we are creating for VPN users? Please let me know your valid suggestions if possible.


That can't be done with DHCP. But your Authentication-Server can do that. If you authenticate locally on the ASA, then specify the IP in the user-attributes; if you authenticate with RADIUS, you can send the Attribute "Framed-IP-Address" to assign the address.

Hi karsten.iwen

You are correct. I got the vpn-framed-ip address command using user attributes if authentication is local on the ASA. But if I am authenticating through RADIUS (ACS), where do I need to apply this attribute?

That depends on the ACS-version and where your Users actually are (only on the ACS or in a remote Dictionary like Active Directory). For external User-Databases keep in mind that only the authentication is remote and that authorization always happens on the ACS.

For ACS5 with a remote Server there is a very good document here on the supportforum:

https://supportforums.cisco.com/servlet/JiveServlet/download/3560153-122378/IP%20assignment%20using%20an%20External%20server%20on%20ACS%205.pdf

The Author in the document is "maujimen" so credit goes to him for that.

If you don't use an external dictionary, just skip everything with ACS4 (which is the external database). If you use AD, you can exchange ACS4 with your AD.
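The local-authentication option discussed above, as an added example that is not part of any poster's reply: a Python helper that validates a user-to-IP plan and emits the ASA `username ... attributes` / `vpn-framed-ip-address` lines. The subnet, pool range, user names and the rule that static addresses must sit outside the dynamic pool are assumptions of this example, and the sample data is constructed.

```python
import ipaddress


def build_static_bindings(vpn_subnet, pool_first, pool_last, bindings):
    """Validate user -> IP bindings and return ASA config lines.

    Rejects addresses that are not usable hosts in the VPN subnet, that fall
    inside the dynamic pool (another user could be handed the same address),
    or that are bound to two users. Raises ValueError on the first problem.
    """
    net = ipaddress.ip_network(vpn_subnet)
    lo = ipaddress.ip_address(pool_first)
    hi = ipaddress.ip_address(pool_last)
    seen = {}   # ip -> user already holding it
    lines = []
    for user, ip_text in sorted(bindings.items()):
        ip = ipaddress.ip_address(ip_text)
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{user}: {ip} is not a usable host in {net}")
        if lo <= ip <= hi:
            raise ValueError(f"{user}: {ip} is inside the dynamic pool {lo}-{hi}")
        if ip in seen:
            raise ValueError(f"{user}: {ip} is already bound to {seen[ip]}")
        seen[ip] = user
        # Entered in config mode; the local user must already exist on the ASA.
        lines.append(f"username {user} attributes")
        lines.append(f" vpn-framed-ip-address {ip} {net.netmask}")
    return lines


if __name__ == "__main__":
    # Constructed sample plan: dynamic pool .10-.100, static users above it.
    plan = {"alice": "10.10.10.200", "bob": "10.10.10.201"}
    for line in build_static_bindings("10.10.10.0/24",
                                      "10.10.10.10", "10.10.10.100", plan):
        print(line)
```

With RADIUS authentication the same validated mapping would be the source for each user's Framed-IP-Address value on the authentication server instead of ASA config lines.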

rchockeelopez
Level 1

Hi, this is the topology. Users are connecting via AnyConnect VPN and are getting authorized with ISE and AD. A Windows DHCP Server is dynamically giving IP addresses. The customer wants to assign static MAC-IP binding in the DHCP Server so they can use the firewall to filter based on the VPN IP addresses.

Internet ----- ASA ------ LAN --- ISE and Windows DHCP Server.

Can you provide more information on how I can assign MAC-IP binding in a Windows DHCP Server through AnyConnect VPN and ISE?

Thanks.
