01-23-2020 01:53 AM - edited 02-21-2020 09:51 AM
For RA-VPN users I would like to authenticate them through a RADIUS-server->Active Directory chain.
This works fine as long as I use a VPN pool for IP addresses. However, due to the fine-grained FW rules, each user needs to be assigned a specific IP address.
I have tried:
ldap attribute-map Assign-IP
map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
map-name msRADIUSFrameNetmask IETF-Radius-Framed-IP-Netmask
The user gets the IP address entered under the dial-in tab in AD. However, there is no place to enter a netmask or gateway, and the user gets 255.0.0.0 as netmask and 10.0.0.1 as gateway, which is obviously wrong and not working.
I searched for a solution and found others with the same problem but no solution.
Is there a way the IP address can be assigned to AD users?
01-23-2020 02:17 AM
Hi,
You don't need to specify a subnet mask or default gateway when using the AnyConnect VPN client. When you establish a tunnel all traffic (unless using split tunnel) will be routed through the VPN tunnel.
This example might be of some help; I've already tested this previously and confirm it works. It sounds like you already receive the IP address from AD, so your issue might lie elsewhere.
What happens when you connect, can you access anything?
I assume the AnyConnect VPN works if you don't assign an IP address from AD?
Please provide your ASA configuration, "route print" from the client and the IP address assigned to the user.
HTH
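For readers who land here looking for the full picture, below is an added example of the ASA configuration this thread is about. It is not code from either poster; the server group name, hostnames, IP addresses, DNs, pool range and tunnel-group name are assumptions. It shows the attribute map, where the map is attached (the LDAP server group, not the tunnel group), the address-assignment setting that must not have been disabled, and how to verify which address a connected user actually received.

```text
! Added example (not from the thread): ASA running-config excerpt that
! hands the per-user address stored in AD to the AnyConnect client.
! Names, addresses and DNs below are placeholders, not from the original post.

! 1. Map the AD attribute written by the user's Dial-in tab to the ASA's
!    internal Framed-IP-Address attribute.
ldap attribute-map Assign-IP
 map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address

! 2. LDAP server group that queries AD; the attribute map only takes effect
!    once it is attached here with ldap-attribute-map.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.10.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password *****
 server-type microsoft
 ldap-attribute-map Assign-IP

! 3. Allow AAA-assigned addresses. This is enabled by default; it is shown
!    so that a stray 'no vpn-addr-assign aaa' in the config is not overlooked.
vpn-addr-assign aaa

! 4. Tunnel group: keep a local pool as the fallback for users who have no
!    address configured in AD.
ip local pool VPN-POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy RA-VPN-GP

! 5. Verify after a user connects: the Assigned IP should be the address
!    from AD, not one from VPN-POOL.
! show vpn-sessiondb anyconnect filter name jdoe
```

Two points worth checking when this does not behave as expected. First, an ldap attribute-map is consulted only by LDAP server groups; if the tunnel group authenticates against a RADIUS server, the map plays no part and the address has to arrive in the RADIUS Access-Accept instead. Second, `debug ldap 255` on the ASA prints the attributes returned by AD and the result of the mapping, which quickly shows whether the value reached the ASA at all.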
01-24-2020 01:37 AM
It works now.
01-24-2020 01:36 AM
Actually it just works fine now. While the netmask is still not correct I can reach everything I need to.