08-08-2011 12:54 PM
hello
I have Remote Access VPN users (IPsec) who are terminated on Cisco ASA 5520 (v8.2). For those users, AAA is done on the ACS. Group-policies and tunnel groups are defined on ASA. Initially I had all VPN users defined on ASA and group policies were associated with each user. Each group policy had its own IP pool for users. Now, I moved users to ACS. How can I associate group policy, defined on ASA, with users group defined on ACS? Is it possible that ACS send to ASA information about IP pool for different group policy?
Users will use ONE vpn profile BUT based on the Active Directory group they belong to they obtain a different IP address for each group.
Can it be done?
ACS version is 5.2.
Thank you
Ilie Neagu
08-10-2011 10:39 AM
answer from Cisco....
"...
As I have understood it till now, the issue is that you need to assign IP pools based on AD group membership of the VPN users.
In ACS 5.x IP Pool management is not supported.
While RADIUS servers nearly always did this in the early dial up days, today DHCP is commonly used. For ACS 5, a decision was made to drop IP Pool management, and recommend that customers use DHCP.
So, unlike 4.x, 5.x does not have that capability.
I will check and let you know if there is any attribute which can be pushed from the ACS for pool assignment."
07-17-2013 05:48 AM
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpnadd.html#wp999685
Using attribute 217 and Group mapping, pool names can be pushed from ACS.
07-17-2013 09:14 AM
Edward is correct; besides, you can use Framed-IP-Address to specify the IP.
Sent from Cisco Technical Support iPad App
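The ASA side of what the two replies above describe, as an added example that is not part of this thread: one tunnel-group authenticating all users against ACS over RADIUS, two pools, and the RADIUS attributes ACS returns per Active Directory group to select the pool (Cisco VSA 217 Address-Pools), the group-policy (IETF Class, attribute 25, as "OU=name;"), or a fixed address (IETF Framed-IP-Address, attribute 8). Pool names, group-policy names, addresses and secrets are placeholders chosen for the example.

```text
! Pools on the ASA; the names are what ACS sends back in Address-Pools
ip local pool POOL-SALES 10.10.10.1-10.10.10.254 mask 255.255.255.0
ip local pool POOL-ENG   10.10.20.1-10.10.20.254 mask 255.255.255.0

! RADIUS server group pointing at ACS (placeholder address and key)
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key SHARED-SECRET-PLACEHOLDER

! Optional: group-policies that carry the pool, selected via the Class attribute
group-policy GP-SALES internal
group-policy GP-SALES attributes
 address-pools value POOL-SALES
group-policy GP-ENG internal
group-policy GP-ENG attributes
 address-pools value POOL-ENG

! One profile for everyone. No pool or group-policy is bound here on purpose,
! so the per-user attributes returned by ACS decide the result.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS
 default-group-policy DfltGrpPolicy
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key PSK-PLACEHOLDER

! ACS 5.2 authorization profiles (one per AD group, matched in the access policy).
! Any one of these three attributes is enough for the behaviour asked about:
!   AD group VPN-Sales -> Cisco-VPN3000 (vendor 3076) attribute 217 Address-Pools = POOL-SALES
!   AD group VPN-Eng   -> Cisco-VPN3000 (vendor 3076) attribute 217 Address-Pools = POOL-ENG
!   alternative: IETF Class (25) = "OU=GP-SALES;" to select the group-policy, which owns the pool
!   alternative: IETF Framed-IP-Address (8) = 10.10.10.50 for a fixed per-user address
!
! Check on the ASA after a test login: the assigned address should fall in the expected pool
!   show vpn-sessiondb remote filter name <username>
!   debug radius   (temporarily, to see the attributes ACS actually returned)
```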