Question: how to assign VPN IP to VPN client user using ACS 5.4?

josephqiu
Level 1

I'm new to ACS5.4.  What I'm trying to achieve is to let ACS5.4 assign IP's to users who connect to our ASA using Cisco VPN client.  ASA is running as Radius client of ACS5.4, and we've tested successfully for Radius authentication.  But users are still getting "unknown error" in VPN client, after authenticating successfully.  I suspect I probably used incorrect RADIUS attributes in authorization policy.  Here's what I did:

1. In policy elements -> authorization and permissions -> network access -> authorization profiles, I created a new profile, and that profile calls the Radius attribute CVPN3000/ASA/PIX7.x-DHCP-Network-Scope.  An IP address is entered under that attribute as a static value.

2. Then, in access policies -> access services -> IPSec VPN client with Radius (this is the policy I created) -> authorization, I created an authorization policy that allow the RADIUS profile created earlier to be used.

Did I miss anything?  Maybe I picked the wrong RADIUS attribute?  Thanks in advance for any help!

Accepted Solution

Jatin Katyal
Cisco Employee

ACS 5 doesn't have ability to provide IP addresses from IP address pools defined in ACS.

You need to assign static user on per user basis on ACS 5. You may also create a pool on the ASA and push the pool name from ACS 5

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp216411

Jatin Katyal
- Do rate helpful posts -

~Jatin

5 Replies

You are absolutely right!!  I was doing research online after posting the above.  The correct RADIUS attribute to use is actually CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools.  Then create the pool in ASA, and call that pool's name in ACS under that RADIUS attribute.  Someone explained this perfectly in this community before.  Much appreciate your answer!

Here's from another post last year:

ACS 5 does not have the feature of IP pools. Logically it's always good to set up pools locally on the VPN server, and if you want a user to pick an IP from a specific local pool you can configure ACS to push that attribute.

On ACS go to Policy Elements -> Network Access -> Authorization Profiles -> Create ->
Name of the Policy -> Dictionary Type: Radius-Cisco VPN 3000/ASA/PIX7.x

Attribute Type: CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools
Attribute Type: String
Attribute Value: Static MYPOOL (Name of the Pool which is defined on the ASA)

Access Policies -> Default Network Access -> Authorization -> Create -> Under result section call the Authorization p
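The ASA side of the setup described in the steps above, as an added example that is not from this thread: the pool is defined locally and ACS only returns its name (MYPOOL) in the Access-Accept. The pool range, the ACS address, the RADIUS key and the tunnel-group name are assumed values.

```cisco
! Added example (not from the thread). Assumed values: pool 192.0.2.100-192.0.2.200,
! ACS 5.4 at 198.51.100.10, RADIUS key "changeme", tunnel-group RA-IPSEC.

! 1. The address pool lives on the ASA. ACS cannot hand out addresses itself;
!    it only pushes this pool's name via CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools.
ip local pool MYPOOL 192.0.2.100-192.0.2.200 mask 255.255.255.0

! 2. ACS as the RADIUS server (the ASA is the RADIUS client defined in ACS).
!    The key must match what was entered for this ASA under Network Devices in ACS.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 198.51.100.10
 key changeme

! 3. Authenticate remote-access users against ACS. The authorization attributes
!    (including the pool name) arrive in the same Access-Accept, so no separate
!    authorization-server-group is needed for RADIUS.
tunnel-group RA-IPSEC type remote-access
tunnel-group RA-IPSEC general-attributes
 authentication-server-group ACS

! 4. Checks: confirm the RADIUS exchange works, then watch the decoded attributes
!    to see whether the pool name ACS returns matches the pool defined above.
!    A name that does not exist on the ASA is the usual cause of a client that
!    authenticates but then fails to get an address.
! test aaa-server authentication ACS host 198.51.100.10 username jdoe password <password>
! debug radius all
```

The DHCP-Network-Scope attribute used in the original question is only meaningful when the ASA obtains addresses from a DHCP server, which is why it did not result in an assigned address here.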

You're welcome! Well, this is from the beginning since ACS 5.x launched. With the above steps, could say that you're on the right path.

Jatin Katyal
- Do rate helpful posts -

~Jatin

I'd really like to see the rest of that text. It seems to have been cut off.

Codewize,

Access Policies ->Default Network Access -> Authorization ->  Create -> 
Under result section call the Authorization policy that you created before.

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed