1345 Views, 0 Helpful, 3 Replies

VPN IP addresses assigned to users authenticated via RADIUS->AD

NazgulNr5
Level 1

For RA-VPN users I would like to authenticate them through a RADIUS-server->Active Directory chain.

This works fine as long as I use a VPN-pool for IP addresses. However, due to the fine grained FW rules, each user needs to be assigned a specific IP address.


I have tried

ldap attribute-map Assign-IP
map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
map-name msRADIUSFrameNetmask IETF-Radius-Framed-IP-Netmask


The user gets the IP address entered under the Dial-in tab in AD. However, there is no place to enter a netmask or gateway, and the user gets 255.0.0.0 as netmask and 10.0.0.1 as gateway, which is obviously wrong and not working.


I searched for a solution and found others with the same problem but no solution.

Is there a way the IP address can be assigned to AD users?
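Because the whole point of per-user static VPN addresses here is that firewall rules key on them, the table of user-to-address assignments needs to stay unique and inside the range those rules cover. The following Python script is an added example, not something from the original post or from Cisco: it encodes a dotted-quad address the way the AD attribute stores it (assumption: msRADIUSFramedIPAddress holds the IPv4 address as a signed 32-bit integer, which is why tools sometimes show negative values for addresses above 127.255.255.255) and audits a constructed, hypothetical assignment table for duplicates and for addresses that fall outside the expected pool. The user names, addresses and the 10.20.30.0/24 pool are all made up for the example.

```python
import ipaddress
import struct
from typing import Dict, List

# Constructed sample data: hypothetical users and the static tunnel address
# an admin intends to write into each user's AD dial-in settings.
USER_STATIC_IPS: Dict[str, str] = {
    "alice": "10.20.30.11",
    "bob": "10.20.30.12",
    "carol": "10.20.30.12",   # duplicate of bob: two users cannot share a tunnel IP
    "dave": "10.20.99.5",     # outside the range the per-user firewall rules cover
}

# The address range the per-user firewall rules are written against (assumption).
VPN_POOL = ipaddress.ip_network("10.20.30.0/24")


def ip_to_ad_int(ip: str) -> int:
    """Encode a dotted-quad IPv4 address as a signed 32-bit integer.

    Assumption: this is the representation AD uses for msRADIUSFramedIPAddress,
    so addresses >= 128.0.0.0 come out negative.
    """
    packed = ipaddress.IPv4Address(ip).packed
    return struct.unpack("!i", packed)[0]


def ad_int_to_ip(value: int) -> str:
    """Decode the signed 32-bit integer form back into dotted-quad notation."""
    packed = struct.pack("!i", value)
    return str(ipaddress.IPv4Address(packed))


def audit_assignments(assignments: Dict[str, str],
                      pool: ipaddress.IPv4Network) -> List[str]:
    """Return a list of problems found in the assignment table.

    A problem is either an address outside the pool the firewall rules expect,
    or an address handed to more than one user. An empty list means the table
    is safe to push into AD.
    """
    problems: List[str] = []
    seen: Dict[str, str] = {}          # address -> first user it was given to
    for user, ip in sorted(assignments.items()):
        addr = ipaddress.IPv4Address(ip)
        if addr not in pool:
            problems.append(f"{user}: {ip} is outside pool {pool}")
        if ip in seen:
            problems.append(f"{user}: {ip} already assigned to {seen[ip]}")
        else:
            seen[ip] = user
    return problems


if __name__ == "__main__":
    for user, ip in USER_STATIC_IPS.items():
        print(f"{user:8} {ip:15} -> AD integer {ip_to_ad_int(ip)}")
    for line in audit_assignments(USER_STATIC_IPS, VPN_POOL):
        print("PROBLEM:", line)
```

Run the audit before touching AD and again whenever the pool or the firewall rules change; an address that drifts outside the pool silently stops matching the rule that was supposed to restrict that user.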

3 Replies

Hi,

You don't need to specify a subnet mask or default gateway when using the AnyConnect VPN client. When you establish a tunnel all traffic (unless using split tunnel) will be routed through the VPN tunnel.


This example might be of some help, I've already previously tested this and confirm it works. It sounds like you already receive the IP address from AD, so your issue might lie elsewhere.


What happens when you connect, can you access anything?

I assume the AnyConnect VPN works if you don't assign an IP address from AD?


Please provide your ASA configuration, "route print" from the client and the IP address assigned to the user.

HTH

It works now.

NazgulNr5
Level 1

Actually it just works fine now. While the netmask is still not correct I can reach everything I need to.
