Anyconnect dedicated IP address stored in AD using SAML and Azure AD

nuancebvdr
Level 1

We are currently using AnyConnect clients on ASA with RADIUS authentication. The RADIUS server (Microsoft NPS) provides an individual framed IP address to some specific users. These IP addresses are stored in AD under the user account. It has worked fine for years already. I'm now testing SAML authentication on Azure AD with the goal of replacing the NPS RADIUS server. This works, except for the users with dedicated framed IP addresses. Any suggestions on how to achieve this?

Accepted Solution

Josue Brenes
Cisco Employee

Hi Nuancebvdr,

The SAML IdP will not be able to provide an attribute to the user because of a limitation with SAML authorization on ASAs; it works for authentication only.

What you need to do is define the AD server as the authorization server on the tunnel group so the NPS provides the Framed-IP attribute.

Then, under the AAA configuration for that AD RADIUS server, specify that it will be used as authorization only.

Config example:

aaa-server Radius protocol radius
 authorize-only
aaa-server Radius (outside) host x.x.x.x
 key *****
tunnel-group Josue_TG general-attributes
 authorization-server-group Radius
tunnel-group Josue_TG webvpn-attributes
 authentication saml
 saml identity-provider http://<saml_idp_url>

Rate if it helps.

Regards,
Josue Brenes
TAC - VPN Engineer.
