Anyconnect (remote access client) SSL VPN - IP Address allocation based on Certificate

Newell
Level 1

Is there a way to allocate a specific IP address to an Anyconnect client (SSL VPN) based on the user certificate presented by the client during authentication?

I can make a similar concept work when using username and password (AAA) for client authentication instead of client certificate based authentication.

I can allocate a specific IP address to an Anyconnect client (SSL VPN) based on username using the example config below:

username cisco123 attributes
  vpn-framed-ip-address 192.168.5.1 255.255.255.0
username cisco567 attributes
  vpn-framed-ip-address 192.168.5.2 255.255.255.0
username cisco890 attributes
  vpn-framed-ip-address 192.168.5.3 255.255.255.0

I want to achieve the same type of IP allocation using certificate-based authentication, similar to what you would normally do using DHCP IP reservation (based on MAC address).

Each client has their own unique certificate. 

1 Reply

Philip D'Ath
VIP Alumni

It can be done using a RADIUS server that supports user based certificate authentication; but I have not seen it done where the authentication is done by the ASA itself.

You can use the certificate to select a VPN group though. So a painful way would be to create a group per user, with a pool that contained only one IP address. The certificate would place them into that group, and voila.
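
The group-per-user approach from the reply above, as an added example that is not part of the original thread: a small generator that renders one single-address pool, certificate map and tunnel-group per client, and rejects duplicate or out-of-subnet addresses before anything reaches the ASA. The client CNs, the `POOL-`/`CERTMAP-`/`TG-` object names and matching on the subject CN are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample data: certificate subject CN -> fixed VPN address.
CLIENTS = {"laptop-alice": "192.168.5.1", "laptop-bob": "192.168.5.2"}


def render_asa_config(clients, netmask="255.255.255.0"):
    """Return ASA CLI lines: one pool, certificate map and tunnel-group per client."""
    seen, subnets = set(), set()
    lines, group_maps = [], []
    for cn, addr in sorted(clients.items()):
        if not re.fullmatch(r"[A-Za-z0-9-]+", cn):
            raise ValueError(f"CN {cn!r} is not safe to use in object names")
        ip = ipaddress.ip_address(addr)  # ValueError on a malformed address
        if ip in seen:
            raise ValueError(f"{addr} is assigned to more than one certificate")
        seen.add(ip)
        subnets.add(ipaddress.ip_network(f"{addr}/{netmask}", strict=False))
        if len(subnets) > 1:
            raise ValueError(f"{addr} is outside the subnet of the other clients")
        lines += [
            f"ip local pool POOL-{cn} {ip} mask {netmask}",  # pool of one address
            f"crypto ca certificate map CERTMAP-{cn} 10",
            f" subject-name attr cn eq {cn}",
            f"tunnel-group TG-{cn} type remote-access",
            f"tunnel-group TG-{cn} general-attributes",
            f" address-pool POOL-{cn}",
            f"tunnel-group TG-{cn} webvpn-attributes",
            " authentication certificate",
        ]
        # Under "webvpn": rule 10 of this map selects this client's tunnel-group.
        group_maps.append(f" certificate-group-map CERTMAP-{cn} 10 TG-{cn}")
    return lines + ["webvpn"] + group_maps


if __name__ == "__main__":
    print("\n".join(render_asa_config(CLIENTS)))
```

Review the rendered lines against the running configuration before pasting them in, since existing certificate maps or tunnel-groups on the device may already match the same certificates.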