
ASA VPN Radius Framed IP with IPEP

conleya
Level 1

Is there a way to set the radius framed IP attribute to the value from Active Directory msRadiusFramedIP while using IPEP?  I can't seem to add any attributes to the Inline Posture Node Profiles.  I can set the radius framed IP under the regular Authorization Profiles, but can't seem to set any attribute values under Inline Posture Node Profiles.

3 Replies

Tarik Admani
VIP Alumni

Are you trying to assign an IP address to a client, i.e. a VPN user? You should be able to send two authorization profiles down, in the initial "not compliant Ipep" profile and create another regular authorization profile which assigns the IP address to the user when they first authenticate. At that point on all attributes (dACLs should be sent to the IPEP node).

Thanks,

Tarik Admani
*Please rate helpful posts*

Yes, I am trying to assign an IP address to the VPN client. In my authorization policy I have three policy rules: one for compliant, one for unknown, and one for non-compliant. Can I use a non Inline Posture Node Profile for the compliant authorization policy rule? The Inline Posture Node Profiles only allow me to set the DACL and URL Redirect; they don't allow me to set any other attributes.

Well, you have to look at it this way: any compliant profile will be done on the IPEP node (which in this case is the gateway for the VPN users; the ASA doesn't even know that it exists).

My guess is that when you configure the authorization policy for the non-compliant users, it will be best to set their IP address in the initial authorization profile, since the ASA doesn't support CoA. Is this in a test environment? If so, give this a try and see if the regular authorization policy is sent through the IPEP node.

thanks,

Tarik Admani
*Please rate helpful posts*