Anyconnect Client IP address assignment via External DHCP Server

Craddockc
Level 3

Community,

We are currently doling out IP addresses to VPN clients via locally defined pools on the firewall. The users will be assigned an IP based on their group policy. In our setup, the user logs in via their AD credentials, the firewall checks their credentials against AD and, depending on what VPN Group Policy group they are in in AD, the firewall will then put them into a corresponding group policy. For instance:

My AD account is a member of the PocVPN group in AD. When the firewall authenticates me with AD, AD tells the firewall that I'm in the PocVPN group, so the firewall puts me in the PocVPN AnyConnect group policy and assigns me an IP address defined in that group policy.


What I would like to do is move the DHCP function to a back-end Windows DHCP server while still maintaining the functionality of assigning IP addresses based on user/group policy. I can't find any good articles on how to do this online. Does anyone have experience doing this?


Thanks.

1 Reply

Hi,

You can do this. First you need to enable DHCP subnet selection under your tunnel group (the DHCP server address is a placeholder here; the command takes the server IP before the keyword):

tunnel-group sslgroup general-attributes
 dhcp-server <dhcp-server-ip> subnet-selection


Then under your group policies select an IP from the subnet which you want the DHCP server to use for that group policy. When the DHCP relay request is sent to the DHCP server, this IP which you configured under your group policy will be set in the giaddr/subnet-selection option of the DHCP request. Accordingly, the DHCP server will know from which pool to assign the IP.

group-policy test attributes
 dhcp-network-scope 192.168.0.0 (any IP from the DHCP pool)

This will tell the DHCP server to allocate an IP from the 192.168.0.0/24 subnet (this is just an example of the DHCP scope).
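The mechanism the reply describes, shown as an added example that is not from the thread, from Cisco, or from any DHCP server product: a relay builds a DHCPDISCOVER with giaddr and the Subnet Selection Option (option 118, RFC 3011) carrying the group policy's scope address, and the server side picks the matching scope from its table. Scope names, ranges and the MAC address are constructed for the example; the 192.168.0.0/24 range is the one from the reply. The server side only honours option 118 when the packet actually arrived via a relay (non-zero giaddr), which is the conservative policy a defender wants so that a directly attached client cannot steer its own scope.

```python
"""Added example: DHCP relay subnet selection (giaddr / option 118).

Not Cisco or Windows DHCP code; a minimal RFC 2131 packet builder plus the
scope-selection logic a server applies. All addresses are constructed.
"""
import ipaddress
import struct
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD = 0
OPT_MSG_TYPE = 53
OPT_SUBNET_SELECTION = 118   # RFC 3011
OPT_END = 255
DHCPDISCOVER = 1
GIADDR_OFFSET = 24           # op,htype,hlen,hops,xid,secs,flags,ciaddr,yiaddr,siaddr precede it
FIXED_HEADER_LEN = 236

# Constructed scope table standing in for the DHCP server's configuration.
SCOPES: Dict[str, str] = {
    "PocVPN": "192.168.0.0/24",        # from the reply's dhcp-network-scope example
    "Engineering": "10.20.30.0/24",     # constructed
}


def build_discover(xid: int, mac: bytes, giaddr: str,
                   subnet_selection: Optional[str] = None) -> bytes:
    """Build a DHCPDISCOVER the way a relay forwards it.

    giaddr is the relay's chosen address (0.0.0.0 for a directly attached
    client); subnet_selection, if given, is sent as option 118.
    """
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1 if giaddr != "0.0.0.0" else 0,   # op=BOOTREQUEST, hops counts relays
        xid, 0, 0x8000,                               # secs, flags=broadcast
        bytes(4), bytes(4), bytes(4),                 # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,
        mac.ljust(16, b"\x00"), bytes(64), bytes(128))
    options = bytearray(MAGIC_COOKIE)
    options += bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if subnet_selection is not None:
        options += bytes([OPT_SUBNET_SELECTION, 4])
        options += ipaddress.IPv4Address(subnet_selection).packed
    options += bytes([OPT_END])
    return header + bytes(options)


def parse_options(pkt: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area; bounds-checked so a short packet cannot crash us."""
    if len(pkt) < FIXED_HEADER_LEN + 4 or pkt[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts: Dict[int, bytes] = {}
    i = FIXED_HEADER_LEN + 4
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def selection_address(pkt: bytes) -> Optional[ipaddress.IPv4Address]:
    """Address the server uses to pick a scope, or None if the client is local.

    Option 118 takes precedence over giaddr, but only on relayed packets:
    a non-zero giaddr proves a relay (here, the firewall) inserted it.
    """
    giaddr = ipaddress.IPv4Address(pkt[GIADDR_OFFSET:GIADDR_OFFSET + 4])
    if int(giaddr) == 0:
        return None
    opts = parse_options(pkt)
    sso = opts.get(OPT_SUBNET_SELECTION)
    if sso is not None and len(sso) == 4:
        return ipaddress.IPv4Address(sso)
    return giaddr


def choose_scope(pkt: bytes, scopes: Dict[str, str]) -> Optional[str]:
    """Return the scope name whose range contains the selection address."""
    addr = selection_address(pkt)
    if addr is None:
        return None
    for name, cidr in scopes.items():
        if addr in ipaddress.IPv4Network(cidr):
            return name
    return None


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")  # constructed
    relayed = build_discover(0x1234, mac, "192.168.0.0", "192.168.0.0")
    print("relayed packet ->", choose_scope(relayed, SCOPES))
```

Run as a script it prints the scope chosen for a packet relayed with the reply's 192.168.0.0 value; `choose_scope` returns `None` both for a selection address outside every configured scope and for a directly attached client that tries to send option 118 itself.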