Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1508
Views
0
Helpful
2
Replies

AAA IP assignment

Go to solution
Chris Coates
Level 1
Level 1

‎05-03-2017 07:05 AM

Hi All,

I have a quick query regarding AAA IP assignment for Anyconnect clients:

A little backstory; the client currently has Anyconnect remote access configured using a AAA radius server for authentication and a local IP pool on the ASA. My predecessor was trying to create a new tunnel group using DHCP for address allocation for certain clients so they could configure it allocate the same IP to the user each time. Unfortunately DHCP proxy is not allowed due to DHCP relay already being in use on the same interface, so using a DHCP server is out. I've read that you can allocate an address on a per user basis if the users are local on the ASA but I doubt the client will be happy with that. This leaves AAA address assignment, referenced here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/vpnadd.html#wp999685

My question is how does this behave? The client wants to keep the local IP pool for most clients, but the article suggests that AAA address allocation is enabled globally, not on a per tunnel group basis. What will happen if I enable it? Will it break the old tunnel group that is using the same authentication server group, but has it's own local address pool? Or am I ok as the old tunnel group references the local IP pool and will use this over the AAA allocation?

Thanks!

Chris

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎05-03-2017 11:12 AM

Yes, it will break. Even though the address pool under the tunnel-group is local, ASA will still try to allocate IP address from AAA Server Group if the command vpn-addr-assign aaa.

This command can't be ignored. The only way to override it is to authenticate that tunnel-group with local ASA DB instead of AAA Server. 

.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎05-03-2017 11:12 AM

Yes, it will break. Even though the address pool under the tunnel-group is local, ASA will still try to allocate IP address from AAA Server Group if the command vpn-addr-assign aaa.

This command can't be ignored. The only way to override it is to authenticate that tunnel-group with local ASA DB instead of AAA Server. 

.

0 Helpful

Go to solution
Chris Coates
Level 1
Level 1
In response to Mohammed al Baqari

‎05-04-2017 01:08 AM

Thanks Mohammed.

0 Helpful
Customers Also Viewed These Support Documents