assign dhcp pools for anyconnect based on AD group via radius

tryingtofixit
Level 1

I need to assign a special AnyConnect DHCP range to a specific user group. We are using Microsoft RADIUS for our server.

How would I do this? I don't want to put static IPs on A/C using RADIUS and AD. That solution doesn't work if site1 does a failover to site2 that has a totally different DHCP scope.

Will I need to create a new AnyConnect connection profile with a group policy that these users will "select" on the AnyConnect client before login? Not preferred, but if it is the only way then OK.

It's a shame that the DHCP reservation feature doesn't work with the AnyConnect DHCP pool. Your pool has to be assigned to an interface and is limited to only a /24.

If RADIUS won't do this, I am 99% sure this can be done with LDAP. Would LDAP require all AnyConnect profiles to use LDAP, not RADIUS, for login? Oh, we also use certs with RADIUS. Do certs interfere with using an LDAP solution?

11 Replies

Hi @tryingtofixit, you can assign an IP pool from NPS. You need to specify the vendor codes and reference the name of the exact IP pool configured on the ASA/FTD. Example - https://integratingit.wordpress.com/2022/01/30/asa-vpn-ip-pool-assignment-using-radius/

If you were to use LDAP, that would be more configuration involved, as you would have to define a group policy and then reference the IP pool within the group policy. LDAP would then assign the group policy based on group membership.

LDAP example - https://integratingit.wordpress.com/2020/04/03/asa-remote-access-vpn-using-ldap/

That is almost exactly what I want, but it doesn't mention the use of AD groups.

If you are a user in AD group "special", use DHCP pool "special". If you are in group "normal" in AD, then you get assigned to the "normal" DHCP pool.

@tryingtofixit in the NPS policy, match on condition "AD user group" then configure those settings (ip pool) as per the guide. Create additional policy to match on different conditions and apply different settings (ip pool).

Does the NPS-assigned DHCP pool override what is in the group policy?

If I have ra-dhcp-pool in the group policy and my special AD group is using the ra-special-dhcp pool, will the special DHCP pool take precedence over the ra-dhcp-pool that everyone else will get? Or is there somewhere in the group policy I need to define the "special" pool?

@tryingtofixit attributes learnt from a RADIUS server are applied, as they have a higher priority than settings in a group policy. You don't need to specify the "special" pool in the group policy; as per the guide above, it's dynamically applied when the attribute is sent from the RADIUS server. You just need to configure the IP pool.

Use a certificate map to assign a different group-policy to the user depending on the CN.
These group-policies will use AAA for auth and have different DHCP pools.

MHM

Use an authz condition of AD group and an authz result with CVPN3000/ASA/PIX7x-DHCP-Network-Scope for an IP from MS DHCP, or CVPN3000/ASA/PIX7x-Address-Pools for an IP as backup from the ASA.

Do not forget the VPN address assignment priority.
You can set this like this:
# show run all | i vpn-addr-assign
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 60
ipv6-vpn-addr-assign aaa
ipv6-vpn-addr-assign local reuse-delay 60

local reuse-delay 60 tells the ASA to wait 60 s before assigning an IP address from the ASA's local address pool in case there is no reply by method aaa or dhcp.

BTW, take note that the ASA is not able to use DHCPv6; just AAA and/or local.

So the option vpn-addr-assign aaa first, and CVPN3000/ASA/PIX7x-DHCP-Network-Scope together with the authz condition rule and authz result, is all you need.

To be honest, the option vpn-addr-assign dhcp is probably not needed here, because it is just for the DHCP relay agent on the physical interfaces of the ASA, so not for RA, but I assume it is like this for this option; I am not sure, and Cisco does not properly and fully document the difference between the aaa and dhcp options. AAA is definitely needed for sure in this setup that you need: ISE, ASA, MS DHCP, AD security groups.

Is there anything that shows how to do this using NPS on Server 2019 or higher? The screenshots and instructions don't even come close to what the NPS client presents.

@tryingtofixit you cannot use the Cisco-specific RADIUS VSAs beginning with the CVPN3000 prefix with Microsoft NPS (you can if you use Cisco ISE). You must manually specify the RADIUS vendor code and the specific attribute, as per the example in the first reply above. The Cisco vendor ID will be 3076 and the RADIUS attribute number will differ depending on what value you want to send. Example - vendor attribute 61 = DHCP network scope or 217 = address-pool. The link in the first reply provides instructions on how to configure this; just change the attribute number accordingly. The list of codes is https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/general/asa-general-asdm/aaa-radius.html
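As an added example (not from this thread or from Cisco/Microsoft), here is a small Python encoder/decoder for the RADIUS Vendor-Specific attribute described above: vendor ID 3076 carrying sub-attribute 217 (address-pool) or 61 (DHCP network scope). It is useful for checking, from a capture of the Access-Accept, that NPS is really sending the pool name the ASA expects; the attribute bytes and the pool name "special" are constructed sample data.

```python
import struct

CISCO_VENDOR_ID = 3076   # Cisco vendor ID used for ASA VSAs (from the reply above)
VSA_TYPE = 26            # RADIUS Vendor-Specific attribute type (RFC 2865 s5.26)
ASA_VSA_NAMES = {61: "DHCP-Network-Scope", 217: "Address-Pools"}  # sub-attribute numbers


def encode_cisco_vsa(vendor_type, value):
    """Build one RADIUS VSA (type 26) carrying a single Cisco 3076 sub-attribute."""
    payload = value.encode("ascii")
    # Vendor data = vendor-type(1) + vendor-length(1) + string value
    sub = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("VSA does not fit in one RADIUS attribute")
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def decode_cisco_vsas(attrs):
    """Walk a RADIUS attribute list; return (name, value) for each Cisco 3076 VSA."""
    found, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length at offset %d" % i)
        if atype == VSA_TYPE and alen >= 8 and \
                struct.unpack("!I", attrs[i + 2:i + 6])[0] == CISCO_VENDOR_ID:
            j = i + 6                      # first vendor sub-attribute
            while j + 2 <= i + alen:
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > i + alen:
                    raise ValueError("malformed vendor sub-attribute at offset %d" % j)
                val = attrs[j + 2:j + vlen].decode("ascii", "replace")
                found.append((ASA_VSA_NAMES.get(vtype, "vendor-type-%d" % vtype), val))
                j += vlen
        i += alen
    return found


def pool_from_accept(attrs):
    """Return the ASA pool name carried in Address-Pools (217), or None if absent."""
    for name, val in decode_cisco_vsas(attrs):
        if name == "Address-Pools":
            return val
    return None


# Constructed sample: attribute section of an Access-Accept for a user in the
# "special" AD group: Service-Type = Framed-User (type 6) plus the Cisco pool VSA.
SAMPLE_ACCEPT_ATTRS = bytes([6, 6, 0, 0, 0, 2]) + encode_cisco_vsa(217, "special")
```

If pool_from_accept() returns None for a real capture, NPS is not sending attribute 217 and the ASA will fall back to the group-policy pool.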

Yes, I understand about the ID codes and attributes. But the wordpress URL example is like asking a Windows 95 user to use their GUI to set up things in Windows 11. Not one screenshot in the NPS Microsoft RADIUS example provided even shows how to get to that point in NPS 2019. Guessing this NPS in the URL is from NPS 2012. That is what I am trying to find: how do I access vendor codes and attributes in NPS 2019 and higher? The NPS interface has completely changed since 2012. Google hasn't been much help. Thanks

tryingtofixit
Level 1

OK, after messing around with NPS for about 1 hr, I figured it out!