Cisco Firepower 2100, Remote Access VPN Static IP Address Assignment

anilkumar.cisco
Level 4

Hello Team,

In FTD, remote VPN is working perfectly, and users are getting IP addresses as per the VPN profile.

The problem is: how would the same work with static IP addresses?

As per the India DOT guidelines, the customer needs to have static IPs rather than DHCP, so I need your help on how to configure it.

The users are getting authenticated to LDAP via ACS (RADIUS).

Cisco Fire Linux OS v6.2.3 (build 13)
Cisco Firepower 2110 Threat Defense v6.2.3 (build 83)

Best Regards

Anil Singh


Hello RJ,
Thanks for your reply.
Only by changing the parameter (msRADIUSFramedIPAddress) in Cisco ACS to IPv4 will it work.

We have only a single permit-access rule configured in Cisco ACS.
Do you still need a rule for this particular parameter?
And kindly advise whether we need to make changes in AD as well for static IP address assignment.

Best Regards
Anil Singh

You only need one ACS/ISE authorisation rule; this would apply the static IP address. If no static IP address is defined (in the user's AD account), the user would receive an IP address from the configured VPN pool.

The only change required in AD is to add the static IP address (as per the screenshot) for each user requiring a static IP address to be assigned.

Hi @anilkumar.cisco,

Only by changing the parameter (msRADIUSFramedIPAddress) in Cisco ACS to IPv4 will it work.

- On ACS you need to change the parameter msRADIUSFramedIPAddress and change its type to IPv4.

We have only a single permit-access rule configured in Cisco ACS. Do you still need a rule for this particular parameter?

- No need to make any changes in the access rule for this parameter.

And kindly advise whether we need to make changes in AD as well for static IP address assignment.

- Yes, for all VPN users' accounts to which you want to assign a static IP, you need to add "Assign static IP Addresses" in their AD accounts.

Also, make sure you have the "vpn-addr-assign aaa" command added on the FP2100.

Please rate if you find my answer useful.

Spooster IT Services Team

So, in ACS only one permit-access rule is fine,

and there is no need to add a new rule for (msRADIUSFramedIPAddress) in Cisco ACS to IPv4.

Kindly advise how to add vpn-addr-assign aaa in FTD.

Hello,

I managed to add the vpn-addr-assign aaa command in FTD via the GUI, added the attribute msRADIUSFramedIPAddress in the ACS LDAP server as IP Address, and created an authorisation policy matching msRADIUSFramedIPAddress with IPv4, but the issue still persists.

Users are not getting the IP address that has been assigned in the AD parameter.

Enclosing ACS/FTD screenshots to know more about the issue.


What are you seeing in the logs of the ACS server?

And you need to collect debug output on the FP 2100 to see what you are getting from the ACS server.

Just to verify: 1) Static IPs should not be part of the VPN pool. You need to reduce the VPN pool.

2) On the FP2100, you must tell it to authenticate and authorize VPN users via ACS.

Spooster IT Services Team

What are you seeing in the logs of the ACS server?

Mentioned below.

And you need to collect debug output on the FP 2100 to see what you are getting from the ACS server.

It seems we are still getting strings.

Just to verify: 1) Static IPs should not be part of the VPN pool. You need to reduce the VPN pool.

Yes, I have made sure of this.

2) On the FP2100, you must tell it to authenticate and authorize VPN users via ACS.

Yes, that's why users are getting connected to the VPN via dynamic IP.

Cisco FTD logs:

firepower#  radius mkreq: 0x12fb
alloc_rip 0x000000ffcdd17ae8
    new request 0x12fb --> 119 (0x000000ffcdd17ae8)
got user 'hermestest1'
got password
add_req 0x000000ffcdd17ae8 session 0x12fb id 119
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=42.106.195.155

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 640).....
01 77 02 80 d4 d7 9b 82 b5 bb 2d a6 d3 da 98 43    |  .w........-....C
65 76 1c 64 01 0d 68 65 72 6d 65 73 74 65 73 74    |  ev.d..hermestest
31 02 12 54 90 8d 77 a3 c1 2a 50 9b d9 f3 52 b0    |  1..T..w..*P...R.
9e 90 e6 05 06 01 ae 80 00 1e 0f 31 34 2e 31 34    |  ...........14.14
31 2e 39 37 2e 31 31 33 1f 10 34 32 2e 31 30 36    |  1.97.113..42.106
2e 31 39 35 2e 31 35 35 3d 06 00 00 00 05 42 10    |  .195.155=.....B.
34 32 2e 31 30 36 2e 31 39 35 2e 31 35 35 1a 23    |  42.106.195.155.#
00 00 00 09 01 1d 6d 64 6d 2d 74 6c 76 3d 64 65    |  ......mdm-tlv=de
76 69 63 65 2d 70 6c 61 74 66 6f 72 6d 3d 77 69    |  vice-platform=wi
6e 1a 2c 00 00 00 09 01 26 6d 64 6d 2d 74 6c 76    |  n.,.....&mdm-tlv
3d 64 65 76 69 63 65 2d 6d 61 63 3d 39 34 2d 65    |  =device-mac=94-e
36 2d 66 37 2d 31 66 2d 36 32 2d 30 36 1a 32 00    |  6-f7-1f-62-06.2.
00 00 09 01 2c 6d 64 6d 2d 74 6c 76 3d 64 65 76    |  ....,mdm-tlv=dev
69 63 65 2d 74 79 70 65 3d 48 50 20 48 50 20 45    |  ice-type=HP HP E
6c 69 74 65 42 6f 6f 6b 20 38 34 30 20 47 36 1a    |  liteBook 840 G6.
33 00 00 00 09 01 2d 6d 64 6d 2d 74 6c 76 3d 64    |  3.....-mdm-tlv=d
65 76 69 63 65 2d 70 6c 61 74 66 6f 72 6d 2d 76    |  evice-platform-v
65 72 73 69 6f 6e 3d 31 30 2e 30 2e 31 38 33 36    |  ersion=10.0.1836
33 20 1a 33 00 00 00 09 01 2d 6d 64 6d 2d 74 6c    |  3 .3.....-mdm-tl
76 3d 64 65 76 69 63 65 2d 70 75 62 6c 69 63 2d    |  v=device-public-
6d 61 63 3d 39 34 2d 65 36 2d 66 37 2d 31 66 2d    |  mac=94-e6-f7-1f-
36 32 2d 30 36 1a 3a 00 00 00 09 01 34 6d 64 6d    |  62-06.:.....4mdm
2d 74 6c 76 3d 61 63 2d 75 73 65 72 2d 61 67 65    |  -tlv=ac-user-age
6e 74 3d 41 6e 79 43 6f 6e 6e 65 63 74 20 57 69    |  nt=AnyConnect Wi
6e 64 6f 77 73 20 34 2e 38 2e 30 32 30 34 35 1a    |  ndows 4.8.02045.
5b 00 00 00 09 01 55 6d 64 6d 2d 74 6c 76 3d 64    |  [.....Umdm-tlv=d
65 76 69 63 65 2d 75 69 64 3d 36 44 45 39 37 43    |  evice-uid=6DE97C
44 39 37 42 39 46 32 34 45 34 32 32 33 34 45 32    |  D97B9F24E42234E2
30 30 31 42 32 37 34 43 34 39 46 42 31 32 35 30    |  001B274C49FB1250
30 43 38 31 42 30 46 30 37 38 31 38 38 37 34 36    |  0C81B0F078188746
44 32 41 39 31 46 43 45 39 33 04 06 00 00 00 00    |  D2A91FCE93......
1a 31 00 00 00 09 01 2b 61 75 64 69 74 2d 73 65    |  .1.....+audit-se
73 73 69 6f 6e 2d 69 64 3d 30 65 38 64 36 31 37    |  ssion-id=0e8d617
31 30 31 61 65 38 30 30 30 35 65 37 34 64 63 34    |  101ae80005e74dc4
66 1a 23 00 00 00 09 01 1d 69 70 3a 73 6f 75 72    |  f.#......ip:sour
63 65 2d 69 70 3d 34 32 2e 31 30 36 2e 31 39 35    |  ce-ip=42.106.195
2e 31 35 35 1a 1b 00 00 0c 04 92 15 41 6e 79 43    |  .155........AnyC
6f 6e 6e 65 63 74 5f 4d 61 72 73 68 56 50 4e 1a    |  onnect_MarshVPN.
0c 00 00 0c 04 96 06 00 00 00 02 1a 15 00 00 00    |  ................
09 01 0f 63 6f 61 2d 70 75 73 68 3d 74 72 75 65    |  ...coa-push=true

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 119 (0x77)
Radius: Length = 640 (0x0280)
Radius: Vector: D4D79B82B5BB2DA6D3DA984365761C64
Radius: Type = 1 (0x01) User-Name
Radius: Length = 13 (0x0D)
Radius: Value (String) =
68 65 72 6d 65 73 74 65 73 74 31                   |  hermestest1
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
54 90 8d 77 a3 c1 2a 50 9b d9 f3 52 b0 9e 90 e6    |  T..w..*P...R....
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1AE8000
Radius: Type = 30 (0x1E) Called-Station-Id
Radius: Length = 15 (0x0F)
Radius: Value (String) =
31 34 2e 31 34 31 2e 39 37 2e 31 31 33             |  14.141.97.113
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 16 (0x10)
Radius: Value (String) =
34 32 2e 31 30 36 2e 31 39 35 2e 31 35 35          |  42.106.195.155
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 66 (0x42) Tunnel-Client-Endpoint
Radius: Length = 16 (0x10)
Radius: Value (String) =
34 32 2e 31 30 36 2e 31 39 35 2e 31 35 35          |  42.106.195.155
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 35 (0x23)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 29 (0x1D)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 70    |  mdm-tlv=device-p
6c 61 74 66 6f 72 6d 3d 77 69 6e                   |  latform=win
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 44 (0x2C)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 38 (0x26)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 6d    |  mdm-tlv=device-m
61 63 3d 39 34 2d 65 36 2d 66 37 2d 31 66 2d 36    |  ac=94-e6-f7-1f-6
32 2d 30 36                                        |  2-06
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 50 (0x32)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 44 (0x2C)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 74    |  mdm-tlv=device-t
79 70 65 3d 48 50 20 48 50 20 45 6c 69 74 65 42    |  ype=HP HP EliteB
6f 6f 6b 20 38 34 30 20 47 36                      |  ook 840 G6
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 51 (0x33)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 45 (0x2D)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 70    |  mdm-tlv=device-p
6c 61 74 66 6f 72 6d 2d 76 65 72 73 69 6f 6e 3d    |  latform-version=
31 30 2e 30 2e 31 38 33 36 33 20                   |  10.0.18363
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 51 (0x33)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 45 (0x2D)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 70    |  mdm-tlv=device-p
75 62 6c 69 63 2d 6d 61 63 3d 39 34 2d 65 36 2d    |  ublic-mac=94-e6-
66 37 2d 31 66 2d 36 32 2d 30 36                   |  f7-1f-62-06
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 58 (0x3A)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 52 (0x34)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 61 63 2d 75 73 65 72 2d    |  mdm-tlv=ac-user-
61 67 65 6e 74 3d 41 6e 79 43 6f 6e 6e 65 63 74    |  agent=AnyConnect
20 57 69 6e 64 6f 77 73 20 34 2e 38 2e 30 32 30    |   Windows 4.8.020
34 35                                              |  45
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 91 (0x5B)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 85 (0x55)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 75    |  mdm-tlv=device-u
69 64 3d 36 44 45 39 37 43 44 39 37 42 39 46 32    |  id=6DE97CD97B9F2
34 45 34 32 32 33 34 45 32 30 30 31 42 32 37 34    |  4E42234E2001B274
43 34 39 46 42 31 32 35 30 30 43 38 31 42 30 46    |  C49FB12500C81B0F
30 37 38 31 38 38 37 34 36 44 32 41 39 31 46 43    |  078188746D2A91FC
45 39 33                                           |  E93
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 0.0.0.0 (0x00000000)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 49 (0x31)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 43 (0x2B)
Radius: Value (String) =
61 75 64 69 74 2d 73 65 73 73 69 6f 6e 2d 69 64    |  audit-session-id
3d 30 65 38 64 36 31 37 31 30 31 61 65 38 30 30    |  =0e8d617101ae800
30 35 65 37 34 64 63 34 66                         |  05e74dc4f
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 35 (0x23)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 29 (0x1D)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 34 32 2e    |  ip:source-ip=42.
31 30 36 2e 31 39 35 2e 31 35 35                   |  106.195.155
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 27 (0x1B)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 146 (0x92) Tunnel-Group-Name
Radius: Length = 21 (0x15)
Radius: Value (String) =
41 6e 79 43 6f 6e 6e 65 63 74 5f 4d 61 72 73 68    |  AnyConnect_Marsh
56 50 4e                                           |  VPN
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 150 (0x96) Client-Type
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 2 (0x0002)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 21 (0x15)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 15 (0x0F)
Radius: Value (String) =
63 6f 61 2d 70 75 73 68 3d 74 72 75 65             |  coa-push=true
send pkt 10.101.39.141/1812
rip 0x000000ffcdd17ae8 state 7 id 119
rad_vrfy() : response message verified
rip 0x000000ffcdd17ae8
 : chall_state ''
 : state 0x7
 : reqauth:
     d4 d7 9b 82 b5 bb 2d a6 d3 da 98 43 65 76 1c 64
 : info 0x000000ffcdd17c28
     session_id 0x12fb
     request_id 0x77
     user 'hermestest1'
     response '***'
     app 0
     reason 0
     skey 'Admin@123'
     sip 10.101.39.141
     type 1

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 70).....
02 77 00 46 f1 b1 bd f3 02 5a 68 af 0d 9f a4 04    |  .w.F.....Zh.....
0c db 5b c4 01 0d 68 65 72 6d 65 73 74 65 73 74    |  ..[...hermestest
31 19 25 43 41 43 53 3a 43 49 50 50 47 42 41 43    |  1.%CACS:CIPPGBAC
53 30 31 2f 33 32 31 37 32 39 30 37 38 2f 32 34    |  S01/321729078/24
31 34 33 37 37 36                                  |  143776

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 119 (0x77)
Radius: Length = 70 (0x0046)
Radius: Vector: F1B1BDF3025A68AF0D9FA4040CDB5BC4
Radius: Type = 1 (0x01) User-Name
Radius: Length = 13 (0x0D)
Radius: Value (String) =
68 65 72 6d 65 73 74 65 73 74 31                   |  hermestest1
Radius: Type = 25 (0x19) Class
Radius: Length = 37 (0x25)
Radius: Value (String) =
43 41 43 53 3a 43 49 50 50 47 42 41 43 53 30 31    |  CACS:CIPPGBACS01
2f 33 32 31 37 32 39 30 37 38 2f 32 34 31 34 33    |  /321729078/24143
37 37 36                                           |  776
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0x000000ffcdd17ae8 session 0x12fb id 119
free_rip 0x000000ffcdd17ae8
radius: send queue empty

I am not seeing the "Framed-IP-Address" RADIUS attribute sent by ACS to the FP2100. Something must be missing on ACS.

Spooster IT Services Team
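To make the check in the reply above mechanical, here is an added Python example; it is not part of this thread and not a Cisco tool. It decodes the attribute TLVs of a RADIUS packet and reports whether the server returned Framed-IP-Address (attribute 8), which is the attribute the firewall needs when address assignment is set to AAA. It embeds the Access-Accept bytes from the debug output above, which carry only User-Name and Class, alongside a constructed Access-Accept for the same user with a placeholder address 10.10.10.5 to show the expected shape. It also converts the integer form in which Active Directory stores msRADIUSFramedIPAddress into a dotted quad; the address values, the zeroed authenticator and the VSA sample are assumptions constructed for the example. One practical point from the same capture: the FTD debug prints the RADIUS shared secret (skey) in the clear, so debug output like this should be redacted before it is shared.

```python
"""Inspect a RADIUS Access-Accept for Framed-IP-Address (RFC 2865, attribute type 8)."""
import ipaddress
import struct

ATTR_NAMES = {1: "User-Name", 8: "Framed-IP-Address", 25: "Class", 26: "Vendor-Specific"}
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}

# Access-Accept exactly as printed in the FTD debug output in this thread (no type 8 present).
PAGE_ACCEPT_HEX = """
02 77 00 46 f1 b1 bd f3 02 5a 68 af 0d 9f a4 04
0c db 5b c4 01 0d 68 65 72 6d 65 73 74 65 73 74
31 19 25 43 41 43 53 3a 43 49 50 50 47 42 41 43
53 30 31 2f 33 32 31 37 32 39 30 37 38 2f 32 34
31 34 33 37 37 36
"""


def parse_radius(packet: bytes) -> dict:
    """Parse the 20-byte RADIUS header and the attribute TLVs that follow it.

    Returns {"code", "id", "authenticator", "attrs"}; attrs is a list of (type, value)
    pairs, and a Vendor-Specific attribute (26) is expanded to
    ((26, vendor_id, vendor_type), vendor_value).
    """
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} does not match {len(packet)} bytes received")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = packet[pos + 2 : pos + alen]
        if atype == 26 and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            attrs.append(((26, vendor_id, vtype), value[6 : 4 + vlen]))
        else:
            attrs.append((atype, value))
        pos += alen
    return {"code": code, "id": identifier, "authenticator": packet[4:20], "attrs": attrs}


def framed_ip_address(parsed: dict):
    """Return the pushed static address as a string, or None when the NAS must use its own pool."""
    negotiate = ipaddress.IPv4Address("255.255.255.255")  # RFC 2865 5.8: user selects
    from_pool = ipaddress.IPv4Address("255.255.255.254")  # RFC 2865 5.8: NAS assigns from pool
    for atype, value in parsed["attrs"]:
        if atype == 8 and len(value) == 4:
            addr = ipaddress.IPv4Address(value)
            if addr in (negotiate, from_pool):
                return None
            return str(addr)
    return None


def diagnose(packet: bytes) -> str:
    """One-line verdict on why a user did or did not receive a static address."""
    parsed = parse_radius(packet)
    if parsed["code"] != 2:
        return f"{CODE_NAMES.get(parsed['code'], parsed['code'])}: no address attribute expected"
    addr = framed_ip_address(parsed)
    if addr is None:
        return "Access-Accept without Framed-IP-Address: NAS falls back to its local VPN pool"
    return f"Access-Accept carries Framed-IP-Address {addr}"


def ad_framed_ip_to_dotted(value: int) -> str:
    """Convert msRADIUSFramedIPAddress, which AD stores as a signed 32-bit integer, to dotted quad."""
    return str(ipaddress.IPv4Address(struct.pack("!i", value)))


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: list) -> bytes:
    """Assemble a RADIUS packet from (type, value) pairs; the caller supplies the authenticator."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


# Constructed reply showing what the server should send: same user plus a placeholder static
# address 10.10.10.5. The authenticator is zeroed here; a real server computes it as MD5 over
# the response and the shared secret.
CONSTRUCTED_ACCEPT = build_packet(
    2, 0x77, bytes(16),
    [(1, b"hermestest1"), (8, ipaddress.IPv4Address("10.10.10.5").packed)],
)

if __name__ == "__main__":
    print(diagnose(bytes.fromhex(PAGE_ACCEPT_HEX)))
    print(diagnose(CONSTRUCTED_ACCEPT))
    print(ad_framed_ip_to_dotted(-1062731510))  # 192.168.1.10 in AD's signed-integer form
```

Run against the bytes from the thread, the verdict is that the Access-Accept has no Framed-IP-Address, which matches the symptom (the firewall silently falls back to the local pool); a correct server answer looks like the constructed packet. The signed-integer conversion is what you would apply to the raw msRADIUSFramedIPAddress value when checking an AD account directly rather than through the ACS attribute mapping.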

Current ACS version is 5.6. Surprisingly, I am not getting any logs in ACS for VPN users; not sure why. Very confused.

Hi Rob,

I have the same requirement of providing static IP addresses to a few users, and our users are authenticating via AD. I have checked the static IP assignment box on the user profile in AD along with the IP address.

But still the user connects and gets an IP from DHCP.

Can you let me know what I am missing?
