
AnyConnect and DHCP Assignment

mmelbourne
Level 5

Hi,

 

We are using Cisco AnyConnect on ASA (9.6). Users are authenticated with LDAP, and group membership determines which group-policy is assigned (through an LDAP attribute map), and the user is assigned an IP address from a local pool (specified under the group-policy).

 

Now, we wish to assign client IPs from a DHCP server, but an issue is we want to use a different DHCP server based on the group-policy assigned to the user. The DHCP server appears to be specified in the tunnel-group (we have a generic one for all users), and all the group-policy does is provide a hint as to which scope to use on the DHCP server (dhcp-network-scope).

 

Is there any way to specify different DHCP servers for different user-groups? What I don't know is if multiple DHCP servers are specified in the tunnel-group configuration, will they be queried in turn (as a potential workaround)?

 

Cheers,

Matt

1 Reply

Rahul Govindan
VIP Alumni

I don't think there is any way to specify different DHCP servers based on group-policy. I tried to check if a RADIUS attribute would help push a DHCP server attribute, but it looks like only the "DHCP scope" attribute can be pushed by the RADIUS server.

 

The multiple DHCP servers should work if you specify your network scope correctly. Are all the DHCP servers reachable to all the users? This may be a problem if the first DHCP server responds back with an error rather than not responding.
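
The layout discussed in this thread, as an added ASA configuration sketch that is not from either poster: one shared tunnel-group lists the DHCP servers, and each group-policy supplies only a scope hint through `dhcp-network-scope`. The tunnel-group and group-policy names and all addresses are constructed placeholders.

```text
! Added example with constructed values; names and addresses are placeholders.
! Hand out AnyConnect client addresses via DHCP.
vpn-addr-assign dhcp
!
! The DHCP servers are tied to the tunnel-group, which here is shared
! by every user regardless of LDAP group membership.
tunnel-group ANYCONNECT-ALL type remote-access
tunnel-group ANYCONNECT-ALL general-attributes
 dhcp-server 192.0.2.10
 dhcp-server 192.0.2.20
!
! Each group-policy (selected by the LDAP attribute map) can only say
! which scope to request, not which server to ask.
group-policy GP-STAFF internal
group-policy GP-STAFF attributes
 dhcp-network-scope 10.10.10.0
!
group-policy GP-CONTRACTORS internal
group-policy GP-CONTRACTORS attributes
 dhcp-network-scope 10.10.20.0
```

With this arrangement, separation between user groups rests on each listed server's handling of the requested scope, so it is worth checking in `show vpn-sessiondb anyconnect` that a test user from each group receives an address from the intended range.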