cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3211
Views
0
Helpful
4
Replies

ASA Address Assignment Policy by VPN Group - Override Auth Server

tluidens
Level 1
Level 1

Currently, for AnyConnect users, I use an authentication server to assign specific addresses to individual VPN users and also assign them to VPN Group (ACS) But I have a scenario where more flexibility would be useful.

I am wondering if there is a way to ignore the authentication server assigned IP Address and Group for users that login into a one specific VPN group - and instead keep/remain in that group AND use a pool address instead of the assigned address?

Any suggestions?

4 Replies 4

Vishnu Sharma
Level 1
Level 1

Hi,

If I got you correctly, currently you are using an authentication server to authenticate users and assign ip address to them however your requrement is to create another group for which you want to assign ip addresses from IP pool rather than the authentication server. Please correct me if I am wrong.

Let me know if you are going to authnticate the users connecting to this new group using local database. If the answer is yes then you can get this done easily.

Please find the sample configuration:

ip local pool vpnpool 10.10.10.1-10.10.10.254

tunnel-group XXXX type remote-access

tunnel-group XXXX general-attributes

address-pool vpnpool

authentication-server-group LOCAL

default-group-policy xxxxx

tunnel-group XXXX ipsec-attributes

ikev1 pre-shared-key abcd1234 (ikev1 will be used for ASA running software 8.3 and above)

Whenever the users will connect to this group XXXX, they will be authenticated using the local database and will get the ip's assigned from the address pool named as vpnpool.

Let me know if this helps.

Thanks,

Vishnu Sharma

Hi Vishnu,

We are close but I want to make sure we are actually in sync. What I want

to do is for the one group I would like to accept the IP Address/Group

information from the Authentication server and in the other group, because

it is the SAME User that is authenticating, I would like to get

authentication from the same auth server BUT ignore the IP Address that is

passed back from the server and instead use a pool address defined in the

ASA.

I guess what I am effectively asking is - address policy seems to apply to

all VPN groups - use auth server or dhcp or pool - I would like auth

server to be used for one group and pool for another.

Thanks for the quick response!

Tom Luidens

email: tom_luidens@spartanstores.com

office phone/fax: 1 (616) 878-2821

There are 10 types of people in the world. Those who understand binary,

and those who don't.

From: vishnsha

To: tluidens

Date: 05/25/2012 10:21 AM

Subject: - Re: ASA Address Assignment Policy by VPN Group -

Override Auth Server

Home

Re: ASA Address Assignment Policy by VPN Group - Override Auth Server

created by Vishnu Sharma in VPN - View the full discussion

Hi,

If I got you correctly, currently you are using an authentication server

to authenticate users and assign ip address to them however your

requrement is to create another group for which you want to assign ip

addresses from IP pool rather than the authentication server. Please

correct me if I am wrong.

Let me know if you are going to authnticate the users connecting to this

new group using local database. If the answer is yes then you can get this

done easily.

Please find the sample configuration:

ip local pool vpnpool 10.10.10.1-10.10.10.254

tunnel-group XXXX type remote-access

tunnel-group XXXX general-attributes

address-pool vpnpool

authentication-server-group LOCAL

default-group-policy xxxxx

tunnel-group XXXX ipsec-attributes

ikev1 pre-shared-key abcd1234 (ikev1 will be used for ASA running software

8.3 and above)

Whenever the users will connect to this group XXXX, they will be

authenticated using the local database and will get the ip's assigned from

the address pool named as vpnpool.

Let me know if this helps.

Thanks,

Vishnu Sharma

Reply to this message by going to Home

Start a new discussion in VPN at Home

Hi Tom,

Thanks for the explanation. In short, you want users to authenticate using the same authentication server but you want ip address to be assigned from the VPN pool that you create on the ASA and not from the authentication server.

If this is the case then I am pretty sure, you have this command configured on your ASA:

vpn-addr-assign aaa

For vpn-addr-assign you get three options

1. aaa

2. dhcp

3. local

In this case, if we specify vpn pool under the tunnel-group, it will still look for the ip address assignment from the AAA server. So I don't think this can be done. We cannot ignore it because we have instructed ASA to assign the ip address from the AAA server and not from the local pool.

Let me know if this helps.

Thanks,

Vishnu Sharma

Hi Vishnu,

Yes, this was a great help and you are correct, I do have the ASA configured as:

For vpn-addr-assign you get three options

1. aaa

2. dhcp

3. local

Pity that we cannot set the address assignment order such that local superceedes aaa then I could just not configure local addresses where I would want aaa to take precedence.

Thanks very much for you help!