topic Re: Question: how to assign VPN IP to VPN client user using ACS in Network Access Control

Question: how to assign VPN IP to VPN client user using ACS 5.4?

josephqiu — Mon, 11 Mar 2019 03:31:07 GMT

I'm new to ACS5.4. What I'm trying to achieve is to let ACS5.4 assign IP's to users who connect to our ASA using Cisco VPN client. ASA is running as Radius client of ACS5.4, and we've tested successfully for Radius authentication. But users are still getting "unknown error" in VPN client, after authenticating successfully. I suspect I probably used incorrect RADIUS attributes in authorization policy. Here's what I did:

1. In policy elements -> authorization and permissions -> network access -> authorization profiles, I created a new profile, and that profile calls the Radius attribute CVPN3000/ASA/PIX7.x-DHCP-Network-Scope. An IP address is entered under that attribute as a static value.

2. Then, in access policies -> access services -> IPSec VPN client with Radius (this is the policy I created) -> authorization, I created an authorization policy that allow the RADIUS profile created earlier to be used.

Did I miss anything? Maybe I picked the wrong RADIUS attribute? Thanks in advance for any help!

Re: Question: how to assign VPN IP to VPN client user using ACS

Jatin Katyal — Thu, 06 Jun 2013 20:12:27 GMT

ACS 5 doesn't have ability to provide IP addresses from IP address pools defined in ACS.

You need to assign static user on per user basis on ACS 5. You may also create a pool on the ASA and push the pool name from ACS 5

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp216411

Jatin Katyal
- Do rate helpful posts -

Question: how to assign VPN IP to VPN client user using ACS 5.4?

josephqiu — Thu, 06 Jun 2013 20:17:07 GMT

You are absolutely right!! I was doing research online after posting the above. The correct RADIUS attribute to use is actually CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools. Then create the pool in ASA, and call that pool's name in ACS under that RADIUS attribute. Someone explained this perfectly in this community before. Much appreciate your answer!

Here's from another post last year:

ACS 5 does not have the feature of IP pools. Logically its always good to setup pools locally on vpn server and if you want user to pick ip from specific local pool you can configure acs to push that attribute.

On ACS Go to > Policy Elements  -> Network Access ->   Authorization Profiles -> Create ->
Name of the Policy ->Dictionary Type: Radius-Cisco VPN 3000/ASA/PIX7.x

Attribute Type : CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools 
Attribute Type: String
Attribute Value : Static MYPOOL (Name of the Pool which is defined on the ASA)

Access Policies ->Default Network Access -> Authorization ->  Create -> Under result section call the Authorization p

Question: how to assign VPN IP to VPN client user using ACS 5.4?

Jatin Katyal — Thu, 06 Jun 2013 23:30:06 GMT

Your welcome! Well, this is from the begining since ACS 5.x launched. With the above steps, could say that you're on the right path.

Jatin Katyal
- Do rate helpful posts -

Question: how to assign VPN IP to VPN client user using ACS 5.4?

codewize — Thu, 12 Dec 2013 16:02:35 GMT

I'd really like to see the rest of that text. It seems to have been cut off

Question: how to assign VPN IP to VPN client user using ACS 5.4?

edwjames — Thu, 12 Dec 2013 20:47:39 GMT

Codewize,

Access Policies ->Default Network Access -> Authorization ->  Create -> 
Under result section call the Authorization policy that you created before.

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed